timechart command examples
The following are examples for using the SPL2 timechart command.
1. Chart the count for each host in 1 hour increments
For each hour, calculate the count for each host value.
...| timechart span=1h count() by host
2. Chart the average of "CPU" for each "host"
For each minute, calculate the average value of "CPU" for each "host".
... | timechart span=1m avg(CPU) BY host
3. Chart the product of two averages for each host
For each minute, calculate the product of the average "CPU" and average "MEM" and group the results by each host value. This example uses an <eval-expression> with the avg stats function, instead of a <field>.
... | timechart span=1m eval(avg(CPU) * avg(MEM)) BY host
4. Chart the average of cpu_seconds by processor
Create a timechart of the average of cpu_seconds by processor, rounded to 2 decimal places.
... | timechart eval(round(avg(cpu_seconds),2)) BY processor
5. Chart the average "thruput" of hosts over time
Create a timechart of the average of the thruput field and group the results by each host value.
... | timechart span=5m avg(thruput) BY host
6. Align the chart time bins to local time
Align the time bins to 5am (local time). Set the span to 12h. The bins will represent 5am - 5pm, then 5pm - 5am (the next day), and so on.
...| timechart _time span=12h aligntime=@d+5h
See also
| timechart command usage | timewrap command overview |
This documentation applies to the following versions of Splunk® Cloud Services: current
Download manual
Feedback submitted, thanks!