Ah, perfect. That was what I needed (_raw). Right, I want them to use the timestamp from the event. I am surprised this isn't an example in the documentation seems normal for any custom log to remove everything but the item you want to chart. Then again, maybe everyone defines fields on input so they don't need to do this. I prefer the front-end manipulation then the back-end especially for things that may change. Anyhow, thank you.

on another note, if you don't want to "group" time, and just want the event to use the timestamp from the event, your search would end in: "chart sum(_raw) as "Blah" by _time". If for some reason you have events that occur on the same second, and the sum(_raw) won't work for you, you can also use xyseries. |xyseries 1stColumn 2ndColumn-name 2ndColumn-Data. Try xyseries _time host _raw. Might work for ya.

If you are using rex to strip out all words and only leave the number, then you can use the _raw field in your search: timechart span="1d" sum(_raw) as "Blah"

I really need to see what your event looks like, in order to "chart" something, you need an x and a y value. Using the timechart command we are telling splunk your x value is the "time" and the Y value is a "field". Splunk assumes there are going to be multiple events during a block of time, so you have to specify how to handle it. The sum of a field, when it is the only event, only duplicates the value. If there were 2 events during a 24hr period, it'd add them together. "timechart span="1d"" tells the x axis to be grouped in 1 day increments. You just need your number stored in a field

I tried " timechart span="24hr" sum("field") as "field" " and the column named field is blank. If I remove the timechart, I have the values in the events. I am expecting the values once every 24hrs. No need to sum anything, I just want the raw values charted. Where am I defining "field" or is that supposed to read stdin?