I have the following SPL:
some search | table _time, col1, col2 | timechart span=2m useother=f values(col2) as col2 by col1 | fillnull value=0
This creates a separate column for each value in col1. I now want to convert this data back into the original format, i.e. a table in the format |_time|col1|col2|. I'm basically using the timechart command to fill in null values for every timestamp that had no value associated with it in the original data.
Is there any way I can do this? I guess a better way would be to not use a timechart, but I'm not sure how. Not using a timechart gives me the advantage of working with all the values of col1 (rather than only 10 as in the case of timechart).