Summarize events over time using timechart
This documentation does not apply to the most recent version of Splunk.
Splunk's timechart command allows you to chart events over time and do some statistical calculations. timechart is just one of Splunk's reporting commands, which you can use to analyze your results. To use a reporting command, you take the output of a search and use the pipe operator (|) to direct the search to the command. For more information about reporting commands, see Use Reporting Commands in the User manual.
This topic shows how to switch to the advanced charting view, see the average duration per minute of your transactions, and how to split the chart out by the activityType field.
Switch views
When you are interested in reporting commands such as chart or stats, rather than individual events, the standard timeline view in the Search app can be slow. Instead, you can switch to the "Advanced Charting View" to view your results.
To switch views:
Note: If you have the search you want in the search bar, copy it before switching views. Search text is not persisted when you change views.
1. Select Advanced Charting from the Views menu.
Use timechart
To use timechart to compute the average duration over time of the different activities:
1. Start by searching for the events you want to analyze.
eventtype="CONTENT_EVENTS" | transaction accountNumber subscriberID maxspan=1m maxpause=30s
2. Pipe the output of your search to the timechart command.
eventtype="CONTENT_EVENTS" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | timechart span=1m avg(duration)
This search uses the following arguments to timechart:
- span: sets the size of the time "buckets", that is, the time interval you are averaging over.
- avg: computes the average (mean) value of the specified field. Here you use the generated duration field from the transaction command.
3. Select Last 60 minutes from the time picker. You see a column chart showing the averages.
4. Scroll down to see a table of the results.
You can use the Formatting Options to change the appearance of the chart. For example, you can choose another kind of chart from the Chart type menu.
5. Choose line from the Chart type menu and click Apply.
Chart multiple values
You can use the by argument to the timechart command to make the chart more interesting. by splits the chart by a field you specify and charts the average duration for each value of the field.
To find the average duration by activityCode:
1. Extend your search using by activityCode.
eventtype="CONTENT_EVENTS" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | timechart span=1m avg(duration) by activityCode
Things to know:
- by: splits the results out to show separate values for different activityCodes.
Your results for this search are more interesting:
2. To change the chart view, change the formatting options. Select column as the Chart type and choose stacked as the Stack mode. Let's give it a title -- Average Duration by Activity Code.
Save the report
This is pretty cool, and of course you want to save it.
1. Make sure you have run the search you want as a report.
eventtype="CONTENT_EVENTS" | transaction accountNumber subscriberID maxspan=1m maxpause=30s | timechart span=1m avg(duration) by activityCode
2. Click Save search at the right of the Splunk GUI window or select Save search... from the Actions menu.
3. Enter Average Duration by Activity Code for the Name. This is the name that will appear on the Splunk menus and in the Splunk Searches & Reports window. It can be different from the name that appears on the report.
4. Enter -65m@m for Start time and -5m for Finish time. This sets the report to look for events that finished at least five minutes before the report is run. Because there can be a lag between the time when events occur and when they are finalized in the index, a time offset ensures that the report captures all the results in the specified time interval. It also runs it on the minute (@m).
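To make the semantics of the searches above concrete, here is an added Python model (not Splunk code and not from this documentation) of what timechart span=1m avg(duration) by activityCode produces, run over the same -65m@m to -5m window the saved report uses. The events, activityCode values and durations are constructed sample data; field names follow the page.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def bucket_start(t, span):
    # Floor t to its span-sized bucket, aligned to the Unix epoch as timechart does.
    secs = int(span.total_seconds())
    return datetime.fromtimestamp(int(t.timestamp()) // secs * secs, tz=UTC)

def timechart_avg_by(events, span, field, by, earliest, latest):
    """Mimic `timechart span=<span> avg(<field>) by <by>` over [earliest, latest).
    Returns (bucket_starts, series): series[value][i] is the average of `field`
    for events whose `by` field equals value in bucket i, or None when the bucket
    holds no such events (Splunk leaves that cell empty rather than plotting 0)."""
    sums, counts = {}, {}
    for ev in events:
        t = ev["_time"]
        if not (earliest <= t < latest):      # outside the dispatch window
            continue
        if field not in ev or by not in ev:   # avg() skips events lacking the field
            continue
        key = (bucket_start(t, span), ev[by])
        sums[key] = sums.get(key, 0.0) + float(ev[field])
        counts[key] = counts.get(key, 0) + 1
    starts, b = [], bucket_start(earliest, span)
    while b < latest:                         # every bucket in the window, even empty ones
        starts.append(b)
        b += span
    values = sorted({v for _, v in sums})
    series = {v: [sums[(s, v)] / counts[(s, v)] if (s, v) in sums else None
                  for s in starts] for v in values}
    return starts, series

def demo():
    # Constructed sample: "now" is the moment the scheduled report runs.
    now = datetime(2010, 6, 1, 12, 5, 30, tzinfo=UTC)
    span = timedelta(minutes=1)
    earliest = bucket_start(now, span) - timedelta(minutes=65)   # -65m@m -> 11:00:00
    latest = now - timedelta(minutes=5)                          # -5m    -> 12:00:30
    t0 = datetime(2010, 6, 1, 11, 0, 0, tzinfo=UTC)
    ev = lambda secs, code, dur: {"_time": t0 + timedelta(seconds=secs),
                                  "activityCode": code, "duration": dur}
    events = [
        ev(-1, "play", 5),                      # 10:59:59, before earliest: dropped
        ev(10, "play", 30), ev(40, "play", 50), # 11:00 bucket, play avg = 40
        ev(20, "pause", 12),                    # 11:00 bucket, pause avg = 12
        ev(125, "play", 100),                   # 11:02 bucket; 11:01 stays empty
        {"_time": t0 + timedelta(seconds=180), "duration": 7},  # no activityCode: skipped
        ev(58 * 60, "pause", 8),                # 11:58 bucket
        ev(3615, "pause", 20),                  # 12:00:15, still before latest
        ev(3645, "play", 999),                  # 12:00:45, inside the 5-minute lag: dropped
    ]
    return timechart_avg_by(events, span, "duration", "activityCode", earliest, latest)
```

The trailing event at 12:00:45 is exactly the kind of late-finalized transaction the -5m finish time keeps out of the hourly report.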
Schedule the report
This is something you want to see every hour, regardless of the results. To schedule the report to run hourly:
1. Select Schedule this search.
2. Select Basic as the Schedule type and set the search to Run every hour.
3. Select always from the Alert Conditions > Perform Actions menu.
4. Select Send email under Alert Actions.
5. Enter the email address where you want the alert sent. For example, some_admin@myco.com,another_admin@myco.com. By default, alerts are sent from splunk@<splunk-hostname> with the subject SplunkAlert-<savedsearchname>.
6. Click Save.
Note: In order to send email, you must set up your MTA in Manager > System Settings > Email alert settings.
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8