Answer by warren for Splunk: How to get a timechart regarding the extracted _time values for which range() was applied?

timechart requires the hidden field _time still exist – in this example, there is no _time field

So you’re going to need to "fake" your timechart – or you’re going to need to get _time back somehow or other

Something along these lines should work:

index=ndx ("Request" OR "Response")
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)" 
| stats min(_time) as Requesttime, max(_time) as Responsetime, range(_time) as diff by id date_minute
| stats avg(diff) as avg by id date_minute

(I took out the extraneous first | table line, as it slows the search down, and | stats will yield a table when it’s completed)

from User warren – Stack Overflow https://stackoverflow.com/questions/70753282/splunk-how-to-get-a-timechart-regarding-the-extracted-time-values-for-which-ra/70760078#70760078
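The other route the answer mentions, getting _time back, as an added example that is not part of warren's answer: the first stats writes the request time back into _time and groups only by id, so a request/response pair that straddles a minute boundary stays in one row, and timechart then has a real timestamp to bucket on. The span=1m value, the events and avg_seconds field names, and the events>=2 filter (which assumes one Request and one Response event per id) are assumptions for illustration; index=ndx and the rex are taken from the answer.

```spl
index=ndx ("Request" OR "Response")
| rex field=_raw "id\":\"(?<id>[a-z0-9-]+)"
| stats min(_time) as _time, range(_time) as diff, count as events by id
| where events>=2
| timechart span=1m avg(diff) as avg_seconds
```

Without the events>=2 filter, an id whose request or response fell outside the search window contributes a diff of 0 and pulls the average down.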