Description
Is your feature request related to a problem?
Using PPL version 3.4.0.
The timechart command implicitly requires a timestamp field which must be named exactly @timestamp. When the index has a timestamp column with a different name, the command fails with a runtime error. In the example below, the ocsf-1.1.0-4003 index has a timestamp column named time:

```
source=ocsf-1.1.0-4003
| where TIMESTAMPDIFF(HOUR, time, NOW()) <= 24
| where rcode='NXDomain'
| timechart span=1h COUNT()
```
Failed with error:

```json
{
  "error": {
    "reason": "Invalid Query",
    "details": "Field [@timestamp] not found.",
    "type": "IllegalArgumentException"
  },
  "status": 400
}
```

What solution would you like?
Provide the timechart command with an option timefield=<FieldName> to use a user-defined timestamp column. The initial query above would then become:

```
timechart timefield=time span=1h COUNT() by rcode
```
What alternatives have you considered?
As of 2025-10-15, using PPL 3.4.0. The workaround is simply to rename the existing timestamp field to @timestamp to satisfy the implicit hardcoded field name required by timechart:

```
source=ocsf-1.1.0-4003
| where TIMESTAMPDIFF(HOUR, time, NOW()) <= 24
| where rcode='NXDomain'
| rename time as @timestamp
| timechart span=1h COUNT()
```
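The workaround above can be applied mechanically before a query is sent. The following Python helper is an added example, not code from the issue or from the OpenSearch project: it reads the index mapping (the standard OpenSearch `{"properties": {...}}` document), checks whether `@timestamp` exists, and otherwise inserts the `rename` stage in front of `timechart`. The sample mapping and the stage-splitting logic are constructed assumptions; splitting on `|` is only safe when no string literal in the query contains a pipe character.

```python
"""Pre-flight helper that inserts the '| rename <field> as @timestamp' workaround
before a PPL timechart stage when the index has no @timestamp field.

Constructed example. Assumptions (not from the issue): the mapping is the usual
OpenSearch {"properties": {...}} document and PPL stages are separated by '|'
with no '|' inside string literals.
"""
from typing import Optional

# Field name that timechart requires in PPL 3.4.0 (from the issue text).
TIMECHART_FIELD = "@timestamp"

# Constructed sample mapping for an index like the one in the issue:
# the timestamp column is called "time", and there is no "@timestamp".
SAMPLE_MAPPING = {
    "properties": {
        "time": {"type": "date"},
        "rcode": {"type": "keyword"},
    }
}

# The failing query from the issue, verbatim.
ISSUE_QUERY = (
    "source=ocsf-1.1.0-4003\n"
    "| where TIMESTAMPDIFF(HOUR, time, NOW()) <= 24\n"
    "| where rcode='NXDomain'\n"
    "| timechart span=1h COUNT()"
)


def date_fields(mapping: dict) -> list[str]:
    """Return the top-level field names whose mapped type is date or date_nanos."""
    props = mapping.get("properties", {})
    return [name for name, spec in props.items()
            if spec.get("type") in ("date", "date_nanos")]


def split_stages(query: str) -> list[str]:
    """Split a PPL query into its pipe-separated stages, whitespace trimmed.
    Caveat: a '|' inside a string literal would be split too."""
    return [s.strip() for s in query.split("|")]


def prepare_timechart_query(query: str, mapping: dict,
                            timefield: Optional[str] = None) -> str:
    """Return the query with '| rename <timefield> as @timestamp' inserted just
    before the first timechart stage when the mapping lacks @timestamp.

    The query is returned unchanged when it has no timechart stage or when
    @timestamp already exists. When timefield is not given, the single date
    field in the mapping is used; an ambiguous or missing choice raises
    ValueError so the caller fails before hitting the runtime error.
    """
    stages = split_stages(query)
    tc_index = next((i for i, s in enumerate(stages)
                     if s.lower().startswith("timechart")), None)
    if tc_index is None:
        return query  # nothing to do: no timechart in this query
    fields = date_fields(mapping)
    if TIMECHART_FIELD in fields:
        return query  # the implicit field already exists
    if timefield is None:
        if len(fields) != 1:
            raise ValueError(
                f"cannot choose a timestamp field among {fields}; pass timefield=")
        timefield = fields[0]
    elif timefield not in fields:
        raise ValueError(f"{timefield!r} is not a date field in the mapping")
    stages.insert(tc_index, f"rename {timefield} as {TIMECHART_FIELD}")
    return "\n| ".join(stages)


if __name__ == "__main__":
    print(prepare_timechart_query(ISSUE_QUERY, SAMPLE_MAPPING))
```

Run against the sample mapping, the helper reproduces the workaround query from the issue exactly; with a mapping that already has `@timestamp`, or a query without `timechart`, it leaves the input untouched.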