I have a fairly straightforward query using timechart to count the top 10 users triggering an event. (Sanitized)
index=foobar EventCode=1234 | timechart span=1d count(EventCode) BY user WHERE max in top10 usenull=f useother=f
This returns a chart that makes good sense. Now, in order to separate noise from things I'm concerned about, I want to only see users who have triggered the event 10 times or more per day. A quick look at the manual provided this:
Chart the eventtypes by source_ip
For each minute, count the eventtypes by source_ip, where the count is greater than 10.
sshd failed OR failure | timechart span=1m count(eventtype) BY source_ip usenull=f WHERE count>10
(docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Timechart)
So I adapted this to my existing query:
index=foobar EventCode=1234 | timechart span =1d count(EventCode) by user usenull=f WHERE count>10
This however did NOT generate what I expected. I expected to see the same chart as before, only with the users with less than 10 events triggered per day being left out. Instead I have a bizarre chart that I received a truncation warning for and that included users that had fewer than 10 per day.
I've been told I need to put spaces in the WHERE clause (WHERE count >10, or WHERE count > 10), but this made no change.
I've been told that the chart is accurate and that it reflects users who have hit more than 10 at any time (not per day), but that did not make sense to me, nor did it jibe with what the manual said.
After many tries to make timechart work, I gave up and explored other options, and discovered this solution in a community article:
index=foobar EventCode=1234 | bucket span=1d _time | stats count by _time user | where count > 10 | xyseries _time,user,count
This did return what I was looking for, but I'm not sure why one works and the other doesn't.
Any suggestions as to why?
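The difference between the two searches comes down to what the threshold is tested against. The WHERE clause of timechart selects which series (here, users) appear at all, by aggregating each user's values across every time bucket, and then draws the whole series for the users that pass, including days with small counts. The bucket/stats/where pipeline instead tests each (day, user) row on its own before xyseries pivots the survivors into a chart. The following Python is an added illustration written for this answer, not Splunk's code and not taken from the question: it models both filters over a small set of constructed events and assumes the series-level aggregate is a plain sum over all buckets (the "area under the curve" selection the timechart documentation describes as its default), with max shown as an alternative.

```python
from collections import Counter, defaultdict

# Constructed sample events standing in for `index=foobar EventCode=1234`
# results: (day bucket, user). Not data from the original post.
SAMPLE_EVENTS = (
    [("2019-08-01", "alice")] * 12 + [("2019-08-02", "alice")] * 3
    + [("2019-08-01", "bob")] * 6 + [("2019-08-02", "bob")] * 6
    + [("2019-08-01", "carol")] * 2
)

def bucket_counts(events):
    """Model of `bucket span=1d _time | stats count by _time user`:
    one (day, user) -> count cell per day and user."""
    return Counter(events)

def series_filter(cells, threshold, agg=sum):
    """Model of timechart's WHERE clause. It decides which *series* (users)
    survive by applying one aggregate over every bucket value of that user,
    then keeps the whole series, including days below the threshold.
    Assumption: the aggregate is a sum across all buckets; pass agg=max
    to model a spike-based selection instead."""
    per_user = defaultdict(list)
    for (_day, user), n in cells.items():
        per_user[user].append(n)
    keep = {u for u, vals in per_user.items() if agg(vals) > threshold}
    return {k: n for k, n in cells.items() if k[1] in keep}

def cell_filter(cells, threshold):
    """Model of `stats count by _time user | where count > N`: every
    (day, user) row is tested on its own, so a user only appears on the
    days they actually crossed the threshold."""
    return {k: n for k, n in cells.items() if n > threshold}

def xyseries(cells):
    """Model of `xyseries _time,user,count`: pivot to day -> {user: count}."""
    table = defaultdict(dict)
    for (day, user), n in sorted(cells.items()):
        table[day][user] = n
    return dict(table)

if __name__ == "__main__":
    cells = bucket_counts(SAMPLE_EVENTS)
    print("timechart-style series filter (sum > 10):")
    for day, row in xyseries(series_filter(cells, 10)).items():
        print(" ", day, row)
    print("stats|where-style per-day filter (count > 10):")
    for day, row in xyseries(cell_filter(cells, 10)).items():
        print(" ", day, row)
```

With these inputs the series filter keeps both alice and bob, because each has more than 10 events summed over the two days, and it still plots alice's 3-event day and both of bob's 6-event days; bob never exceeded 10 on any single day, which is exactly the "users with fewer than 10 per day" outcome described in the question. The per-day filter keeps only alice on 2019-08-01.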