If you want to see sum totals then just truncate _time (by day) drop the time: Then do sum using stats by day; something like this; I put total_by_day as total record count in case you want to care it down to see; but was not a field you wanted, figured would show that. search ... | eval day=strftime(_time, "%Y-%m-%d") | stats sum(fielda) as total_a, sum(fieldb) as total_b, sum(fieldc) as total_c, sum(feildd) as total_d, count as total_by_day by day | table day total_a, total_b, total_c, total_d | rename day as "Total by Field"
... View more