You need _time for that, which is a different "event faker" command. This generates test data...
| gentimes start="01/25/2017:23:00:00" end="01/27/2017:01:00:00" increment=23m
| streamstats count as baseEvent | eval series="A"
| append[| gentimes start="01/26/2017:03:00:00" end="01/26/2017:21:00:00" increment=47m | streamstats count as baseEvent | eval series="B"]
| append[| gentimes start="01/26/2017:01:17:00" end="01/26/2017:23:18:00" increment=21m | streamstats count as baseEvent | eval series="C"]
| eval _time=starttime
| eval "types.events.1" = tonumber(substr(tostring(random()),1,2))
| eval "types.events.2" = tonumber(substr(tostring(random()),1,3))
| eval "types.events.3" = tonumber(substr(tostring(random()),2,2))
| table _time types.events.*
... this adds the totals...
| addtotals row=t col=f fieldname="types.events.total" "types.events.*"
... then this timecharts the results...
| timechart span=1h sum("types.events.*") as "types.events.*"
That's spanned at the 1h level because my transaction faker is set up to generate transactions every few minutes across a few days, but you can use it however you want.