Create a horizon chart query

To generate a horizon chart, write a query that returns events in the correct data format.

Query syntax

To generate a horizon chart, use this query syntax.

... | timechart <stats_function> by <resource_field>

Query components

timechart

Generates the _time field indicating the start time for the behavior you are tracking.

<stats_function>

Use a <stats_function> to aggregate the metric you are tracking by resource.

<resource_field>

Indicates resources in the set you are monitoring.

Search result data formatting

A horizon chart query returns results in a table with multiple columns. The first column must have _time field values. Additional columns represent resources in the set you are monitoring.

Check the Statistics tab after running a query to make sure that the results table includes the correct columns in the required order.

Results table columns

Query examples

Aggregating by resource over time

This query tracks recent earthquake activity by location.

source="earthquakes.csv" | timechart count by Region

This query generates a results table with columns for the _time field and each region.

Additional data formatting options

Here is a more complex example. This query tracks host activity by measuring byte transfers across a group of servers.

| inputlookup firewall_data.csv 
| eval _time = timestamp 
| eval bytes_out = -bytes_out                                         
| timechart span=10s sum(bytes_in) sum(bytes_out) by server_name      
| table _time *sv111 *sv18 *sv19 *sv2 *sv241 *sv248 *sv254 *sv8       

The query includes the following optional data formatting.

• eval bytes_out = -bytes_out

Inverts the bytes_out to compare incoming and outgoing traffic more easily.

• timechart span=10s ...

Summarizes traffic in ten second spans.

• ... sum(bytes_in) sum(bytes_out) by server_name

Aggregates the incoming and outgoing series so that they are easier to compare.