Hi,

There are 3 events that have been logged exactly at the same time say 2020-04-28 15:39:34.
When the search query is using index, the 3 events get displayed separately. But when I am using tstats command, it is combining all the 3 events as all of them have logged at the same time.

Is there any way to show these events as separate events while using tstats command?

Queries that I have used for fetching the data.

| tstats count values(Authentication.action) as Authentication.action values(Authentication.src) as Authentication.src values(Authentication.signature_id) as Authentication.signature_id values(Authentication.signature) as Authentication.signature from datamodel=Authentication where (Authentication.action=success OR Authentication.action=failure ) by _time Authentication.user Authentication.dest span=1s

The count column shows me exactly how many times the event has occurred at that particular time. So instead of this, is there any way all the events get displayed separately?

Thanks in advance.