Splunk® Cloud Services

SPL2 Search Reference

timechart command syntax details


The required syntax is in bold.

[sep=<string>] [format=<string>] [partial=<boolean>] [cont=<boolean>] [fixedrange=<boolean>] [limit=<int>]
[agg=<aggregation>] [<bin-options>... ]
( (<single-aggregate> [BY <split-by-clause>] ) | (<eval-expression>) BY <split-by-clause> ) )

Required arguments

When using the timechart command, you must specify either a <single-aggregate> or an <eval-expression> with a BY clause.

Syntax: count "(" ")" | <stats-function>"("<field>")"
Description: An aggregation applied to a single field, including an evaluated field. For <stats-function>, see stats-function in the Optional arguments section. No wildcards are allowed in the field name. A field must be specified, except when using the count() function, which applies to all events instead of a specific field.
Syntax: <math-expression> | <concatenation-expression> | <comparison-expression> | <boolean-expression> | <function>
Description: A combination of literals, fields, operators, and functions that represent the value of your field. For these evaluations to work, your field values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations might not produce valid results if the values are not numerical. Additionally, the search can concatenate the two values if they are both strings. When concatenating values with a period '+' the search treats both values as strings, regardless of their actual data type.

If you use an <eval-expression>, the <split-by-clause> is required.

Syntax: BY <field> [<timechart-options>]...
Description: A field to group the results by. If <field> is numerical, default discretization is applied. You can specify <timechart-options> to apply specific discretizations. You can only use one <split-by-clause>. See the Timechart options section.

Optional arguments

Syntax: agg=( <stats-function> ( <field> ) [AS <field>] )
Description: A statistical aggregation function. See Quick Reference for SPL2 Stats and Charting Functions. The function can be applied to an eval expression, or to a field or set of fields. Use the AS clause to place the result into a new field with a name that you specify. You can use wild card characters in field names. With the limit and agg options, you can specify series filtering. If you set limit=0, no series filtering occurs.
Syntax: bins | minspan | span | <start-end> | aligntime
Description: Options that you can use to specify discreet bins, or groups, to organize the information. The <bin-options> set the maximum number of bins, not the target number of bins. For an explanation of these options, see the Bins options section in this topic.
Default: bins=100
Syntax: cont=<boolean>
Description: Specifies whether the timechart is continuous or not. If set to true, any time gaps are filled in.
Default: true
Syntax: fixedrange=<boolean>
Description: Specifies whether or not to enforce the earliest and latest times of the search. Setting fixedrange=false allows the timechart command to constrict or expand to the time range covered by all events in the dataset.
Default: true
Syntax: format=<string>
Description: Used to construct output field names when multiple data series are used in conjunction with a split-by field. The format option takes precedence over the sep option. You can specify a parameterized expression with the stats aggregator and function ($AGG$) and the value of the split-by field ($VAL$).
Syntax: limit=<int>
Description: Specifies a limit for the number of distinct values of the split-by field to return. With the limit and agg options, you can specify series filtering. If you set limit=0, no series filtering occurs and all distinct values are used. Setting limit=N keeps the N highest scoring distinct values of the split-by field. All other values are grouped into the 'OTHER' field, as long as useother is not set to false. The scoring is determined as follows:
  • If a single aggregation is specified, the score is based on the sum of the values in the aggregation for that split-by value. For example, for timechart avg(foo) BY <field> the avg(foo) values are added up for each value of <field> to determine the scores.
  • If multiple aggregations are specified, the score is based on the frequency of each value of <field>. For example, for timechart avg(foo) max(bar) BY <field>, the top scoring values for <field> are the most common values of <field>.
  • Ties in scoring are broken lexicographically, based on the value of the split-by field. For example, 'BAR' takes precedence over 'bar', which takes precedence over 'foo'. See timechart command usage.
Syntax: partial=<boolean>
Description: Controls if partial time bins should be retained or not. Only the first and last bin can be partial.
Default: True. Partial time bins are retained.
Syntax: sep=<string>
Description: Used to construct output field names when multiple data series are used in conjunctions with a split-by field. This is equivalent to setting format to $AGG$<sep>$VAL$.
Syntax: The syntax depends on the function that you use.
Description: Statistical functions that you can use with the timechart command. Each time you invoke the timechart command, you can use one or more functions. See timechart command usage.
For a list and description of the supported statistical and charting functions, see Quick Reference for SPL2 Stats and Charting Functions.

Bins options

Syntax: bins=<int>
Description: Sets the maximum number of bins to discretize into. This does not set the target number of bins. It finds the smallest bin size that results in no more than N distinct bins. Even though you specify a number such as 300, the resulting number of bins might be much lower.
Default: 100
Syntax: minspan=<span-length>
Description: Specifies the smallest span granularity to use automatically inferring span from the data time range. See timechart command usage.
Syntax: span=<log-span> | span=<span-length> | span=<snap-to-time>
Description: Sets the size of each bin, using either a log-based span, a span length based on time, or a span that snaps to a specific time. For descriptions of each of these options, see the Span options section. For more information about specifying spans, see Specifying time spans in the SPL2 Search Manual.

The starting time of a bin might not match your local timezone. See timechart command usage.

Syntax: end=<num> | start=<num>
Description: Sets the minimum and maximum extents for numerical bins. Data outside of the [start, end] range is discarded.
Syntax: aligntime=(earliest | latest | <time-specifier>)
Description: Align the bin times to something other than base UNIX time (epoch 0). The aligntime option is valid only when doing a time-based discretization. Ignored if span is in days, months, or years.

Span options

Syntax: [<num>]log[<num>]
Description: Sets a log-based span. The first number is a coefficient. The second number is the base. If the first number is supplied, it must be a real number >= 1.0 and < the base. Base, if supplied, must be real number > 1.0 (strictly greater than 1).
Syntax: <int>[<timescale>]
Description: A span of each bin, based on time. If the timescale is provided, this is used as a time range. If not, this is an absolute bin length.
Syntax: <sec> | <min> | <hr> | <day> | <week> | <month> | <subseconds>
Description: Timescale units.
Default: <sec>
Timescale Valid syntax Description
<sec> s | sec | secs | second | seconds Time scale in seconds
<min> m | min | mins | minute | minutes Time scale in minutes
<hr> h | hr | hrs | hour | hours Time scale in hours
<day> d | day | days Time scale in days
<week> w | week | weeks Time scale in weeks
<month> mon | month | months Time scale in months
<subseconds> us | ms | cs | ds Time scale in microseconds (us), milliseconds (ms), centiseconds (cs), or deciseconds (ds)
Syntax: [+|-] [<time_integer>] <relative-time-unit>@<snap-to-time-unit>
Description: A span of each bin, based on a relative time unit and a snap to time unit. The <snap-to-time> must include the <relative-time-unit>, the @ symbol, and the <snap-to-time-unit>. The offset, represented by the plus (+) or minus (-) is optional. If the <time_integer> is not specified, 1 is the default. For example if you specify w as the <relative-time-unit>, 1 week is assumed.

The snap-to-time option is only used with the week timescale unit. It cannot be used with other timescale units such as minutes or quarters.

Timechart options

The <timechart-options> are part of the <split-by-clause> and must be specified after the BY keyword. See the Required arguments section.

Syntax: <bin-options> | usenull=<bool> | useother=<bool> | nullstr=<string> | otherstr=<string>
Description: Timechart options for controlling the behavior of splitting by a field. See the Bins options section.
Syntax: nullstr=<string>
Description: If usenull=true, specifies the label for the series that is created for events that do not contain the split-by field.
Default: NULL
Syntax: otherstr=<string>
Description: If useother=true, specifies the label for the series that is created in the table and the graph.
Default: OTHER
Syntax: usenull=<bool>
Description: Controls whether or not a series is created for events that do not contain the split-by field. The label for the series is controlled by the nullstr option.
Default: true
Syntax: useother=<bool>
Description: You specify which series to include in the results table by using the agg and limit options. The useother option specifies whether to merge all of the series not included in the results table into a single new series. If useother=true, the label for the series is controlled by the otherstr option.
Default: true

See also

timechart command
timechart command overview
timechart command usage
timechart command examples
Last modified on 03 June, 2023
timechart command overview   timechart command usage

This documentation applies to the following versions of Splunk® Cloud Services: current

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters