The Splunk timechart command generates a table of summary statistics. This table can then be formatted as a chart visualization, where your data is plotted against an x-axis that is always a time field. Use the timechart command to display statistical trends over time. You can split the data on another field so that each value of that field becomes a separate series in the chart. Timechart visualizations are usually line, area, or column charts.
With the timechart command, the x-axis always represents time. The y-axis can be any other field value, a count of values, or a statistical calculation of a field value.
Syntax: timechart [sep=<string>] [format=<string>] [partial=<bool>] [cont=<bool>] [limit=<int>] [fixedrange=<bool>] [agg=<stats-agg-term>] [<bucketing-option>]* ( (<single-agg> [BY <split-by-clause>]) | ((<eval-expression>) BY <split-by-clause>) )
When specifying timechart arguments, either <single-agg> or <eval-expression> BY <split-by-clause> is required. The optional arguments (sep, format, partial, cont, limit, fixedrange, agg and the bucketing options) are described below.
split-by-clause
Syntax: <field> (<tc-option>)* [<where-clause>]
Description: Specifies a field to split by. If the field is numerical, default discretization is applied; the discretization is controlled with <tc-option>.
single-agg
Syntax: count|<stats-func>(<field>)
Description: A single aggregation applied to a single field (can be evaled field). No wildcards are allowed. The field must be specified, except when using the special 'count' aggregator that applies to events as a whole.
eval-expression
Syntax: <math-exp> | <concat-exp> | <compare-exp> | <bool-exp> | <function-call>
Description: A combination of literals, fields, operators, and functions that represents the value of your destination field. These are the basic operations you can perform with eval. For an evaluation to work, the values must be valid for the type of operation. For example, with the exception of addition, arithmetic operations may not produce valid results if the values are not numerical; addition is the exception because the search can concatenate the two operands if they are both strings. When you concatenate values with '.', Splunk treats both values as strings regardless of their actual type.
agg
Syntax: agg=<stats-agg-term>
Description: See the Stats options section below. For a list of stats functions with descriptions and examples, see "Functions for stats, chart, and timechart" (also titled "Statistical and charting functions") in the Splunk Search Reference.
bucketing option (bin-options)
Syntax: bins | minspan | span | <start-end>
Description: Discretization options that specify the discrete bins, or groups, used to organize the information. If no bucketing option is supplied, timechart defaults to bins=100. bins sets the maximum number of bins, not the target number of bins. See the <start-end> and Span options sections below.
Default: bins=100
fixedrange
Syntax: fixedrange=<bool>
Description: (Not valid for 4.2) Specifies whether or not to enforce the earliest and latest times of the search. Setting fixedrange=false allows the timechart command to restrict the chart to just the time range that contains valid data.
Default: true
format
Syntax: format=<string>
Description: Used to construct output field names when multiple data series are used in conjunction with a split-by field. format takes precedence over sep and allows you to specify a parameterized expression with the stats aggregator and function ($AGG$) and the value of the split-by field ($VALUE$).
limit
Syntax: limit=<int>
Description: Specifies a limit for the number of distinct values of the split-by field to return. If set to limit=0, all distinct values are used. Setting limit=N keeps the N highest scoring distinct values of the split-by field. All other values are grouped into 'OTHER', as long as useother is not set to false.
The scoring is determined as follows:
- If a single aggregation is specified, the score is the sum of that aggregation's values for each value of <field>. For example, for timechart avg(foo) BY <field>, the avg(foo) values are added up for each value of <field> to determine the scores.
- If multiple aggregations are specified, the score is the frequency of each value of <field>. For example, for timechart avg(foo) max(bar) BY <field>, the top scoring values for <field> are the most common values of <field>.
partial
Syntax: partial=<bool>
Description: Controls if partial time bins should be retained or not. Only the first and last bin can be partial.
Default: True. Partial time bins are retained.
sep
Syntax: sep=<string>
Description: Used to construct output field names when multiple data series are used in conjunction with a split-by field. This is equivalent to setting format to $AGG$<sep>$VALUE$.
Stats options
stats-agg-term
Syntax: <stats-func>( <evaled-field> | <wc-field> ) [AS <wc-field>]
Description: A statistical aggregation function. Use the AS clause to place the result into a new field with a name that you specify. The function can be applied to an eval expression, or to a field or set of fields. You can use wildcard characters in field names.
stats-function
Syntax: avg() | c() | count() | dc() | distinct_count() | earliest() | estdc() | estdc_error() | exactperc<int>() | first() | last() | latest() | list() | max() | median() | min() | mode() | p<int>() | perc<int>() | per_day() | per_hour() | per_minute() | per_second() | range() | stdev() | stdevp() | sum() | sumsq() | upperperc<int>() | values() | var() | varp()
Description: Functions you can use with the timechart command. Each time you invoke the timechart command, you can specify more than one function.
<start-end>
Syntax: end=<num> | start=<num>
Description: Sets the minimum and maximum extents for numerical bins. Data outside of the [start, end] range is discarded.
Span options
<log-span>
Syntax: [<num>]log[<num>]
Description: Sets a logarithm-based span. The first number is a coefficient. The second number is the base. If the first number is supplied, it must be a real number >= 1.0 and < base. The base, if supplied, must be a real number > 1.0 (strictly greater than 1).
span-length
Syntax: <int>[<timescale>]
Description: The span of each bin, based on time. If the timescale is provided, this is used as a time range. If not, this is an absolute bin length.
<timescale>
Syntax: <sec> | <min> | <hr> | <day> | <week> | <month> | <subseconds>
Description: Time scale units.
Time scale | Syntax | Description |
---|---|---|
<sec> | s, sec, secs, second, seconds | Time scale in seconds. |
<min> | m, min, mins, minute, minutes | Time scale in minutes. |
<hr> | h, hr, hrs, hour, hours | Time scale in hours. |
<day> | d, day, days | Time scale in days. |
<week> | w, week, weeks | Time scale in weeks. |
<month> | mon, month, months | Time scale in months. |
<subseconds> | us, ms, cs, ds | Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds). |
The <tc-option> is part of the <split-by-clause>.
usenull
Syntax: usenull=<bool>
Description: Controls whether or not a series is created for events that do not contain the split-by field. When true, those events are charted in a series named NULL.
Default: True
useother
Syntax: useother=<bool>
Description: Specifies whether a series named OTHER should be added for data series not included in the graph because they did not meet the criteria of the <where-clause> or were cut off by the limit argument.
Default: True
The <where-clause> is part of the <split-by-clause>.
The timechart command accepts either the bins argument OR the span argument. If you do not specify either bins or span, the timechart command uses the default bins=100.
If you use the predefined time ranges in the time range picker and do not specify the span argument, the following table shows the default span that is used.
Time range | Default span |
---|---|
Last 15 minutes | 10 seconds |
Last 60 minutes | 1 minute |
Last 4 hours | 5 minutes |
Last 24 hours | 30 minutes |
Last 7 days | 1 day |
Last 30 days | 1 day |
Previous year | 1 month |
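To make the bucketing, split-by, limit/useother/usenull, partial and format/sep rules above concrete, here is an added example that models timechart semantics in Python over constructed failed-login events. It is not code from this page or from Splunk: the event fields (_time, user, src), the 2024-05-01 timestamps, the subset of stats functions supported and the rule that bins are aligned to multiples of the span width are all assumptions made for the example (real timechart aligns day and month spans differently and supports the full function list above). The model corresponds to searches such as `... | timechart span=5m count BY user limit=2` (keep the two highest-scoring users, fold the rest into OTHER, chart events with no user field as NULL) and `... | timechart span=5m count dc(src) BY user limit=0`, which shows the $AGG$: $VALUE$ column naming that format and sep control once more than one aggregation is present.

```python
"""Python model of Splunk timechart semantics: span bucketing, split-by with limit/useother/usenull,
partial bins and format/sep column naming. Added example, not Splunk code; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timezone

SPAN_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}  # fixed-length scales only
AGGS = {"count": len, "sum": sum, "dc": lambda vals: len(set(vals)),  # modelled stats functions
        "max": lambda vals: max(vals) if vals else None}

def ts(text):
    """'YYYY-mm-dd HH:MM:SS' (UTC) -> epoch seconds; used for the sample data."""
    return int(datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp())

def parse_span(span):
    """'5m' -> 300 seconds, as for span=5m (month and log spans are not modelled)."""
    digits = "".join(ch for ch in span if ch.isdigit())
    return int(digits or "1") * SPAN_UNITS[span[len(digits):] or "s"]

def timechart(events, aggs, by=None, span="5m", limit=10, useother=True, usenull=True,
              partial=True, earliest=None, latest=None, fmt="$AGG$: $VALUE$"):
    """Return [(bin_start_epoch, {column: value}), ...]. aggs is a list of (function, field)
    pairs such as [("count", None), ("dc", "src")]. earliest/latest model the search range: bins
    cover it entirely (fixedrange=true) and are aligned to span multiples (assumption)."""
    width = parse_span(span)
    earliest = min(ev["_time"] for ev in events) if earliest is None else earliest
    latest = max(ev["_time"] for ev in events) + 1 if latest is None else latest
    events = [ev for ev in events if earliest <= ev["_time"] < latest]
    bins = list(range(earliest - earliest % width, latest, width))
    if not partial:  # keep only bins that lie wholly inside the search range
        bins = [b for b in bins if b >= earliest and b + width <= latest]
    bin_set = set(bins)

    # Group events by (bin, series). Events lacking the split-by field form the NULL
    # series when usenull=true and are dropped otherwise.
    cells = defaultdict(lambda: defaultdict(list))
    for ev in events:
        b = ev["_time"] - ev["_time"] % width
        if b not in bin_set:
            continue
        if by is None:
            series = None
        elif by in ev:
            series = str(ev[by])
        elif usenull:
            series = "NULL"
        else:
            continue
        cells[b][series].append(ev)

    def aggregate(func, field, evs):
        vals = evs if field is None else [ev[field] for ev in evs if field in ev]
        return AGGS[func](vals)

    # limit=N: score each split value by summing the first aggregation across all bins, keep the
    # N best and fold the rest into OTHER, re-aggregated over their events. limit=0 keeps all.
    if by is not None and limit > 0:
        func0, field0 = aggs[0]
        scores = defaultdict(int)
        for b in cells:
            for series, evs in cells[b].items():
                if series != "NULL":
                    scores[series] += aggregate(func0, field0, evs) or 0
        keep = set(sorted(scores, key=lambda s: (-scores[s], s))[:limit])
        for b in cells:
            for s in [s for s in cells[b] if s != "NULL" and s not in keep]:
                evs = cells[b].pop(s)
                if useother:
                    cells[b]["OTHER"].extend(evs)

    def column(func, field, series):
        label = func if field is None else f"{func}({field})"  # the $AGG$ part of the name
        if series is None:
            return label
        if len(aggs) == 1:  # a single aggregation is named by the split value alone
            return series
        return fmt.replace("$AGG$", label).replace("$VALUE$", series)

    all_series = [None] if by is None else sorted({s for b in cells for s in cells[b]})
    rows = []
    for b in bins:
        row = {column(f, fld, s): aggregate(f, fld, cells[b].get(s, []))
               for f, fld in aggs for s in all_series}
        rows.append((b, row))
    return rows

# Constructed sample: failed logins in a 15-minute window (field names are assumptions).
BASE = ts("2024-05-01 10:00:00")
SAMPLE = [(5, "alice", "10.0.0.5"), (40, "alice", "10.0.0.5"), (70, "bob", "10.0.0.9"),
          (360, "mallory", "203.0.113.7"), (390, "mallory", "203.0.113.8"),
          (435, "mallory", "203.0.113.9"), (480, "carol", "10.0.0.12"), (705, "alice", "10.0.0.5"),
          (740, None, "10.0.0.40"), (785, "bob", "10.0.0.9")]  # None: event has no user field
EVENTS = [{"_time": BASE + off, "src": src, **({"user": u} if u else {})} for off, u, src in SAMPLE]

def failed_logins_by_user(limit=2, useother=True, usenull=True):
    """Model of: ... | timechart span=5m count BY user limit=<limit> over the sample."""
    return timechart(EVENTS, [("count", None)], by="user", span="5m", limit=limit,
                     useother=useother, usenull=usenull, earliest=BASE, latest=BASE + 900)

if __name__ == "__main__":
    print(failed_logins_by_user())
```

The scoring follows the single-aggregation rule (sum of the first aggregation per split value), so with count the kept series are simply the most frequent users and everything else, including a short burst from a rarely seen account, lands in OTHER. That is worth remembering when charting authentication failures with the default limit=10 and useother=true: pass limit=0 to keep every series, or useother=false to drop the cut-off series instead of merging them.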