timechart
Synopsis
Creates a time series chart with corresponding table of statistics.
Syntax
timechart [cont=<bool>] [limit=<int>] [agg=<stats-agg-term>] [<bucketing-option> ]* (<single-agg> [by <split-by-clause>] ) | ( (<eval-expression>) by <split-by-clause> )
Arguments
- agg
- Datatype: <stats-agg-term>
- Description: For a list of stats functions with descriptions and examples, see "Functions for stats, chart, and timechart".
- bucketing-option
- Datatype: bins | span | <start-end>
- Description: Discretization options. If a bucketing option is not supplied, timechart defaults to bins=300. This finds the smallest bucket size that results in no more than 300 distinct buckets. For more bucketing options, see the bucket command reference.
- cont
- Datatype: <bool>
- Description: Specifies whether the chart is continuous or not.
- eval-expression
- Datatype: <eval-math-exp> | <eval-concat-exp> | <eval-compare-exp> | <eval-bool-exp> | <eval-function-call>
- Description: A combination of literals, fields, operators, and functions that represent the value of your destination field. The following are the basic operations you can perform with eval. For these evaluations to work, your values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations may not produce valid results if the values are not numerical. Additionally, Splunk can concatenate the two operands if they are both strings. When concatenating values with '.', Splunk treats both values as strings regardless of their actual type.
- limit
- Datatype: <int>
- Description: Specify a limit for series filtering; limit=0 means no filtering.
- single-agg
- Datatype: count|<stats-func>(<field>)
- Description: A single aggregation applied to a single field (which can be an evaled field). No wildcards are allowed. The field must be specified, except when using the special 'count' aggregator, which applies to events as a whole.
- split-by-clause
- Datatype: <field> (<tc-option>)* [<where-clause>]
- Description: Specifies a field to split by. If field is numerical, default discretization is applied; discretization is defined with tc-option.
tc options
- tc-option
- Syntax: <bucketing-option> | usenull=<bool> | useother=<bool> | nullstr=<string> | otherstr=<string>
- Description: Options for controlling the behavior of splitting by a field.
- usenull
- Datatype: <bool>
- Description: Controls whether or not a series is created for events that do not contain the split-by field.
- nullstr
- Datatype: <string>
- Description: If usenull is true, this series is labeled by the value of the nullstr option, and defaults to NULL.
- useother
- Datatype: <bool>
- Description: Specifies whether a series should be added for data series not included in the graph because they did not meet the criteria of the <where-clause>. Defaults to True|T.
- otherstr
- Datatype: <string>
- Description: If useother is true, this series is labeled by the value of the otherstr option, and defaults to OTHER.
where clause
- where clause
- Syntax: <single-agg> <where-comp>
- Description: Specifies the criteria for including particular data series when a field is given in the tc-by-clause. The most common use of this option is to select for spikes rather than the overall mass of the distribution in series selection. The default value finds the top ten series by area under the curve. Alternatively, one could replace sum with max to find the series with the ten highest spikes. This has no relation to the where command.
- <where-comp>
- Syntax: <wherein-comp> | <wherethresh-comp>
- Description: A criteria for the where clause.
- <wherein-comp>
- Syntax: (in|notin) (top|bottom)<int>
- Description: A where-clause criterion that requires the aggregated series value to be in, or not in, some top or bottom grouping.
- <wherethresh-comp>
- Syntax: (<|>)( )?<num>
- Description: A where-clause criterion that requires the aggregated series value to be greater than or less than some numeric threshold.
Description
Create a chart for a statistical aggregation applied to a field against time as the x-axis. Data is optionally split by a field so that each distinct value of this split-by field is a series. Optionally use an eval-expression, in which case the split-by-clause is required. The limit and agg options allow easier specification of series filtering, but are ignored if an explicit where-clause is provided. (limit=0 means no series filtering.)
Examples
Example 1: Compute the product of the average "CPU" and average "MEM" each minute for each "host".
... | timechart span=1m eval(avg(CPU) * avg(MEM)) by host
Example 2: Create a timechart of the count of events from "web" sources by "host".
... | timechart count by host
Example 3: Display a timechart of the average of cpu_seconds by processor, rounded to 2 decimal places.
... | timechart eval(round(avg(cpu_seconds),2)) by processor
Example 4: Calculate the average value of "CPU" each minute for each "host".
... | timechart span=1m avg(CPU) by host
Example 5: Create a timechart of average "cpu_seconds" by "host", and remove data (outlying values) that may distort the timechart's axis.
... | timechart avg(cpu_seconds) by host | outlier action=tf
Example 6: Graph the average "thruput" of hosts over time.
... | timechart span=5m avg(thruput) by host
Example 7: Example usage
... | timechart span=5m avg(delay) by host
Example 8: Example usage
sourcetype=access_combined | timechart span=1m count(_raw) by product_id usenull=f
Example 9: Example usage
sshd failed OR failure | timechart span=1m count(eventtype) by source_ip usenull=f where count>10
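The following Python model is an added illustration, not Splunk's code, of how the pieces documented above fit together: span bucketing and the bins=300 default, split-by with usenull/nullstr and useother/otherstr, and the where clause in both its threshold and its top/bottom forms, run over constructed sshd login-failure events shaped like Example 9. The sample events, the ladder of candidate spans used for bins, and the reading of `count` in a where clause as the series' total event count are assumptions of this example; the `timechart` function here is a toy model, not the Splunk command.

```python
# Added illustration (not Splunk's own code): a small Python model of the timechart
# semantics described on this page. The sample events, the candidate span ladder and
# the treatment of "count" inside a where clause are assumptions of this example.
from collections import defaultdict
from datetime import datetime, timezone


def _ts(minute, second):
    return datetime(2024, 1, 1, 0, minute, second, tzinfo=timezone.utc)


# Constructed sample events modelled on Example 9 (sshd login failures). A missing
# source_ip stands for an event that lacks the split-by field. The addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = []
for ip, per_minute in (("192.0.2.10", (5, 6, 3)), ("198.51.100.7", (4, 4, 4)),
                       ("203.0.113.3", (1, 1, 1)), (None, (0, 2, 0))):
    for minute, n in enumerate(per_minute):
        for second in range(n):
            SAMPLE_EVENTS.append({"_time": _ts(minute, second),
                                  "eventtype": "failed_login", "source_ip": ip})


def bucket_start(ts, span_seconds):
    """Floor a timestamp to the start of its bucket (timechart span=<n>s)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)


# Assumed ladder of candidate spans; the real ladder is not given on this page.
CANDIDATE_SPANS = (1, 5, 10, 30, 60, 300, 600, 1800, 3600, 86400)


def auto_span(events, bins=300):
    """Mimic the bins=300 default: the smallest span giving at most `bins` buckets."""
    for span in CANDIDATE_SPANS:
        if len({bucket_start(e["_time"], span) for e in events}) <= bins:
            return span
    return CANDIDATE_SPANS[-1]


# Aggregations accepted in the where clause. "count" over a count-per-bucket series
# is taken to be the series' total event count (an assumption of this model).
SERIES_AGGS = {"sum": sum, "max": max, "count": sum}


def timechart(events, span_seconds, split_by, *, usenull=True, nullstr="NULL",
              useother=True, otherstr="OTHER", where=None, limit=10):
    """Return [(bucket_time, {series: count}), ...] for `count by <split_by>`.

    `where` is ("sum"|"max"|"count", ">"|"<", threshold) or
    ("sum"|"max"|"count", "in"|"notin", "top"|"bottom", n). With where=None the
    default `sum in top<limit>` applies; limit=0 disables series filtering.
    """
    # 1. Discretize: per bucket, count events for each split-by value.
    buckets = defaultdict(lambda: defaultdict(int))
    for ev in events:
        key = ev.get(split_by)
        if key is None:            # event does not carry the split-by field
            if not usenull:
                continue
            key = nullstr
        buckets[bucket_start(ev["_time"], span_seconds)][key] += 1
    times = sorted(buckets)
    series = {name for row in buckets.values() for name in row}

    # 2. Score every series over the whole range and apply the where clause.
    if where is None:
        where = ("sum", "in", "top", limit) if limit else None
    if where is None:
        keep = set(series)
    else:
        agg = SERIES_AGGS[where[0]]
        score = {s: agg(buckets[t].get(s, 0) for t in times) for s in series}
        if where[1] in (">", "<"):
            thr = where[2]
            keep = {s for s in series
                    if (score[s] > thr if where[1] == ">" else score[s] < thr)}
        else:
            ranked = sorted(series, key=lambda s: (score[s], s),
                            reverse=(where[2] == "top"))
            group = set(ranked[:where[3]])
            keep = group if where[1] == "in" else series - group

    # 3. Build the rows; series that failed the where clause fold into OTHER
    #    when useother is true, and are dropped otherwise.
    rows = []
    for t in times:
        row = defaultdict(int)
        for name, n in buckets[t].items():
            if name in keep:
                row[name] += n
            elif useother:
                row[otherstr] += n
        rows.append((t, dict(row)))
    return rows


if __name__ == "__main__":
    # Equivalent of Example 9: count by source_ip usenull=f where count>10
    for t, row in timechart(SAMPLE_EVENTS, 60, "source_ip",
                            usenull=False, where=("count", ">", 10)):
        print(t.strftime("%H:%M"), row)
```

Running the block prints the Example 9 equivalent: the two source addresses with more than ten failures over the range get their own series, the low-volume address folds into OTHER because useother defaults to true, and the events without a source_ip are dropped by usenull=f. Swapping the where clause for ("max", "in", "top", 1) selects by the highest single-minute spike instead of by total volume, which is the sum-versus-max distinction the where clause section describes.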
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11