You can't do multiple fields after a by clause for a timechart.
Also, your stats loses all time-related values, so you can't ... | timechart since there is no longer time data.
If you are looking to aggregate over a timeframe, say, per hour, then you could try something like
index=network sourcetype=snort msg="Trojan*" | stats count by date_hour, host, src_ip, dest_ip, msg
This gives you a chart with the hours along the bottom.
If you need a true timechart effect, then try something more like this:
index=network sourcetype=snort msg="Trojan*" | stats count by _time, host, src_ip, dest_ip, msg
Your output will be different from when not counting by the unique timestamp of the indexed event.
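An added example (not part of the answer above) that keeps the time axis the answer says stats throws away: the first search buckets _time into one-hour bins with `bin` before the same `stats ... by` list, and the second collapses host, src_ip and dest_ip into one eval'd field so `timechart` gets the single split-by field it allows. It assumes the field names from the question (index=network, sourcetype=snort, msg, host, src_ip, dest_ip); the `key` field name, the one-hour span and `limit=0` (so no series are folded into OTHER) are my choices.

```spl
index=network sourcetype=snort msg="Trojan*"
| bin _time span=1h
| stats count by _time, host, src_ip, dest_ip, msg

index=network sourcetype=snort msg="Trojan*"
| eval key=host." ".src_ip."->".dest_ip
| timechart span=1h limit=0 count by key
```

The first search gives one row per hour and tuple; the second gives a true timechart with one series per host/src/dest combination.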