you dont have to use timechart. xyseries can do it too, and you dont specify a span, or an aggregating function
i.e.
index=_internal group="per_sourcetype_thruput" | xyseries _time series ev
if you dont have a series (a "by" clause - the 2nd arg to xyseries), you need to make a dummy one.
index=_internal | eval wibble="suasages" | xyseries _time wibble bytes
Hello
Have you tried just:
index=t | head 10 | timechart count by H_message_type
Regards
use this:
index=t | head 10 | timechart span=1ms list(H_message_type)
this should provide the correct chart .... at least it did for me with 5.0.1
cheers, MuS
splunk is still putting events together... _time difference is in ms...
I tried with span=1cs, but doesn't work :
[SimpleResultsTable module] invalid literal for int() with base 10: '0.01'