Cool, so you're all set then?

hey,

renaming _time works. just try out a very simple search:

your search | eval _time=now() | timechart count

I don't think calling _indextime _time is going to change the time used by timechart.
I think what you want to do is extract the minute from the _indextime field, and then count by that minute.

Hi,

but this search is using _time and not the indextime, right? And _time is using a timestamp of the event.
So for my purposes the timechart should use the indextime.

Could this be a correct approach?

index=* | rename _indextime AS _time | timechart span=1min count | sort 0 - _time

I get results, but have to option to check them back

Thanks, learn something new every day. Also, learned that this search I posted give the wrong results... Updating it now.

FYI, _indextime=* is unnecessary as all events have the _indextime field

The sort and the table commands are likewise unneeded, as stats already does these functions.

Otherwise, this is fine.

I downvoted this post because the link no longer works.

@ahjmcaleer, down voting a over three years old post is pretty harsh .... but I'm also here to help, so find the most recent link here http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Eventstats

I'm looking forward for your upvote 😉

Hey MuS,

thanks for the new input. This search works fine and gives the same results as the search I tried out earlier:

index=* | rename _indextime AS _time | timechart span=1min count | sort 0 - _time

Hi Heinz, now that I'm able to test things I would suggest that you use something like this:

index=* | bucket span=1m _indextime | eval myTime=strftime(_indextime, "%+") | chart count by myTime

timechart uses _time underneeth and with chart you can define 'over' and 'by' clauses.

Maybe something like

YourSearch | bucket _indextime span=1m | stats count by _indextime

Hi,

I already had a look at this, but don't know how to achieve me goal with it