Hi All,
I understand that timechart uses _time as the x-axis?
But why can't we use | chart count over _time instead of | timechart count?
You should add a bin command before you use chart. Like this:
... | bin _time | chart count over _time
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Bin