but then it won't be by time also , no ?

The best way to understand the choice made by chart command is to draw a chart manually.  If you cannot draw a chart with two group-by series, chart is correct. (Same with timechart.  I also wonder why you opt to use chart over _time instead of just timechart.)  If you can draw such a chart, chances are that it should either be a stats chart as @SanjayReddy suggested - stats can also use _time, just not in the same form as chart over _time; or it would be something like @gcusello suggested, i.e., "banding" two series into a single series.

To chart over time you use the timechart command. It is a functional equivalent of charting over _time with a bin command applied beforehand. It's just shorter and more straightforward.

But both timechart and chart work over only one category field. If you want to analyze time series over more than one variable fields you need to combine them into a single artificial field. For example (yes, I know this particular search would be more effective with tstats insteads of stats but that's just to show the general idea):

index=_internal earliest=-2h
| eval series=sourcetype."-".host
| timechart span=10m count by series

its returns very weird results:

Hi @sarit_s ,

as I said, I don't know if the solution is acceptable for you, this is a workaround because it isn't possible to group from more than one field.

Ciao.

Giuseppe

Maybe you can illustrate your sample data in text (anonymize as needed) and explain why the result is "weird"? (I.e., explain the logic between your data and desired output.)  What is the desired result? (I.e., manually chart the result yourself as I suggested above.)

Also, do UserAgent and LoginType always appear in the same event?