Splunk® Cloud Services

SPL2 Search Reference

timechart command examples

The following are examples for using the SPL2 timechart command.

1. Chart the count for each host in 1 hour increments

For each hour, calculate the count for each host value.

...| timechart span=1h count() by host

2. Chart the average of "CPU" for each "host"

For each minute, calculate the average value of "CPU" for each "host".

... | timechart span=1m avg(CPU) BY host

3. Chart the product of two averages for each host

For each minute, calculate the product of the average "CPU" and average "MEM" and group the results by each host value. This example uses an <eval-expression> with the avg stats function, instead of a <field>.

... | timechart span=1m eval(avg(CPU) * avg(MEM)) BY host

4. Chart the average of cpu_seconds by processor

Create a timechart of the average of cpu_seconds by processor, rounded to 2 decimal places.

... | timechart eval(round(avg(cpu_seconds),2)) BY processor

5. Chart the average "thruput" of hosts over time

Create a timechart of the average of the thruput field and group the results by each host value.

... | timechart span=5m avg(thruput) BY host

6. Align the chart time bins to local time

Align the time bins to 5am (local time). Set the span to 12h. The bins will represent 5am - 5pm, then 5pm - 5am (the next day), and so on.

...| timechart _time span=12h aligntime=@d+5h

See also

timechart command
timechart command overview
timechart command syntax details
timechart command usage
Last modified on 31 January, 2024
timechart command usage   timewrap command overview

This documentation applies to the following versions of Splunk® Cloud Services: current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters