Hello guys. Can I hitch on this to check further: how do I include a timestamp for each match? If I add by _time (in red below), the output is automatically bucketed. If I specify span=1s, can I still pipe the result into timechart span=1d?

| tstats count from datamodel=Network_Traffic.All_Traffic by _time span=1s, All_Traffic.src, All_Traffic.dest, All_Traffic.action, All_Traffic.dest_port, All_Traffic.bytes, sourcetype

The desired output is for each match to carry the _time, src, dst and port fields, which can then be used to generate a timechart.
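One way to get per-second rows that still roll up to a daily chart, as an added example that is not part of the original post (it assumes the Network_Traffic data model is accelerated and uses the field names from the question; bytes is summed rather than used as a split-by field, since splitting by a numeric value would fragment the counts):

```spl
| tstats count sum(All_Traffic.bytes) as bytes
    from datamodel=Network_Traffic.All_Traffic
    by _time span=1s,
       All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port, All_Traffic.action, sourcetype
| rename All_Traffic.* as *
| timechart span=1d sum(count) as events sum(bytes) as bytes by action
```

Because tstats already produced a count per 1-second bucket, timechart has to sum(count) rather than count() the rows, otherwise the daily totals would be the number of distinct src/dest/port combinations per day instead of the number of flows.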