Splunk® Enterprise

Search Reference

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

sitimechart

Summary indexing is a method you can use to speed up long-running searches that do not qualify for report acceleration, such as searches that use commands that are not streamable before the transforming command. For more information, see "About report accelleration and summary indexing" and "Use summary indexing for increased reporting efficiency" in the Knowledge Manager Manual.

Description

The sitimechart command is the summary indexing version of the timechart command, which creates a time-series chart visualization with a corresponding table of statistics. The sitimechart command populates a summary index with the statistics necessary to generate a timechart report. After you use an sitimechart search to populate the summary index, use the regular timechart command with the exact same search string as the sitimechart search to report against the summary index.

Syntax

The required syntax is in bold.

sitimechart
[sep=<string>]
[partial=<bool>]
[cont=<bool>]
[limit=<int>]
[agg=<stats-agg-term>]
[<bin-options>... ]
<single-agg> [BY <split-by-clause>] | <eval-expression> BY <split-by-clause>

When specifying sitimechart command arguments, either <single-agg> or <eval-expression> BY <split-by-clause> is required.

For descriptions of each of these arguments, see the timechart command.

Usage

Supported functions

You can use a wide range of functions with the sitimechart command. For general information about using functions, see Statistical and charting functions.

Examples

Example 1:

Use the collect command to populate a summary index called mysummary with the statistics about CPU usage organized by host,

... | sitimechart avg(cpu) BY host | collect index=mysummary

The collect command adds the results of a search to a summary index that you specify. You must create the summary index before you invoke the collect command.

Then use the timechart command with the same search to generate a timechart report.

index=mysummary | timechart avg(cpu) BY host

See also

collect, overlap, sichart, sirare, sistats, sitop

Last modified on 29 October, 2020
PREVIOUS
sistats
  NEXT
sitop

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.5, 8.0.10, 7.2.1, 7.0.1, 8.0.4, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 8.0.6, 8.0.7, 8.0.8


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters