Hello, I am working with the timechart command on my following query and I am running into some problems. I am trying to compute:  timechart span=15m sum(ofAField) as sumOfField, avg(sumOfField) as avgOfField by task My problem with this one is that when I run it. I get the correct output for the first task but the out for the rest of the task are wrong. I am assuming that for the rest of the tasks only the sum portion of the time chart query is being calculated and not the avg. For background context there are about 11 different task this time chart is being grouped by.  TIA ... View more

Hi, hoping to get some more insight on my current problem. My problem is the following  I am using a where clause to capture data for a specific field value. If the specific value does not exist for the current time period I get the following message as a result 'No results found. Try expanding the time range.' Instead of the no results message showing up I would like to display something else. The following is an example. index=sample_idex sourcetype="smf001" | fields _time,  FIELD | lookup sample_lookup.csv system as FIELD output sample_env | eval e=if(in(sample_env, "env"), 1, 0) | where e=1 | where FIELD=="value" | table FIELD I was thinking of doing something like the following with proper syntax: | eval where FIELD=="value" else    ... View more