index="logmon_logs" |top useother=f limit=10 CHKOUTErrorMSG by _time|timechart count by CHKOUTErrorMSG |inputlookup append=t chkouterrorNew.csv | sort -_time | outputlookup chkouterrorNew.csv Above is the query I'm using to display a chart. My goal is in last 24 hrs time line what's the top 10 CHKOUTErrorMSG(this is field extractor). Now, what is happening instead of showing only top 10 error message, the error message is getting appended and the error count is getting increased over the time. Can you please help me? ... View more