How-To: Pass a groupBy() result to timechart()

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Reading time: 0 minutes

The groupBy() function removes the @timestamp field by default. This generally doesn't matter- unless you're trying to use something like timeChart(), which requires @timestamp to work correctly.

Here is an example query that removes @timestamp:

logscale

groupBy(ComputerName, function=selectLast(@timestamp))
| timechart(ComputerName)

To include @timestamp and other fields, pass them to an array:

logscale

groupBy(ComputerName, function=[collect([UserName, DomainName]), selectLast(@timestamp)])
| timechart(ComputerName)

Knowledge Base

How-To: Pass a groupBy() result to timechart()

Enter search term