Displays, or wraps, the output of the
timechart command so that every period of time is a different series.
You can use the
timewrap command to compare data over specific time period, such as day-over-day or month-over-month. You can also use the
timewrap command to compare multiple time periods, such as a two week period over another two week period. See Timescale options.
timewrap <timewrap-span> [align=now | end] [series=relative | exact | short] [time_format=<str>]
- Syntax: [<int>]<timescale>
- Description: A span of each bin, based on time. The
timescaleis required. The
intis not required. If <int> is not specified, 1 is assumed. For example if
dayis specified for the timescale,
1dayis assumed. See Timescale options.
- Syntax: align=now | end
- Description: Specifies if the wrapping should be aligned to the current time or the end time of the search.
- Default: end
- Syntax: series=relative | exact | short
- Description: Specifies how the data series is named. If
timewrap-spanis set to week, the field names are latest_week, 1week_before, 2weeks_before, and so forth. If
series=exact, use the time_format argument to specify a custom format for the series names.
- Default: relative
- Syntax: time_format=<str>
- Description: Use with
series=exactto specify a custom name for the series. The time_format is designed to be used with the time format variables. For example, if you specify
time_format="week of %d/%m/%y", this format appears as
week of 13/2/17and
week of 20/2/17. If you specify
time_format=week of %b %d, this format appears as
week of Feb 13and
week of Feb 20. See the Usage section.
- Default: None
- Syntax: <sec> | <min> | <hr> | <day> | <week> | <month> | <quarter> | <year>
- Description: Time scale units.
Time scale Syntax Description <sec> s | sec | secs | second | seconds Time scale in seconds. <min> min | mins | minute | minutes Time scale in minutes. <hr> h | hr | hrs | hour | hours Time scale in hours. <day> d | day | days Time scale in days. <week> w | week | weeks Time scale in weeks. <month> m | mon | month | months Time scale in months. <quarter> qtr | quarter | quarters Time scale in quarters <year> y | yr | year | years Time scale in years.
timewrap command uses the abbreviation
m to refer to months. Other commands , such as
bin use the abbreviation
m to refer to minutes.
timewrap command is a reporting command.
You must use the
timechart command in the search before you use the
The wrapping is based on the end time of the search. If you specify the time range of
All time, the wrapping is based on today's date. You see this in the timestamps for the
_time field and in the data series names.
Using the time_format argument
If the format you specify does not contain any time specifiers, then all of the data series display the same name and are compressed into each other.
Display a timechart that has a span of 1 day for each count in a week over week comparison table. Each table column, which is the series, is 1 week of time.
... | timechart count span=1d | timewrap 1week
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the timewrap command.
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.3.0