Splunk Cloud

Search Reference

Download manual as PDF

Download topic as PDF


Summary indexing is a method you can use to speed up long-running searches that do not qualify for report acceleration, such as searches that use commands that are not streamable before the reporting command. For more information, see "About report accelleration and summary indexing" and "Use summary indexing for increased reporting efficiency" in the Knowledge Manager Manual.


The sitimechart command is the summary indexing version of the timechart command, which creates a time-series chart visualization with the corresponding table of statistics. The sitimechart command populates a summary index with the statistics necessary to generate a timechart report. After you populate the summary index, use the regular timechart command with the exact same search string as the sitimechart command search to report against it.



sitimechart [sep=<string>] [partial=<bool>] [cont=<bool>] [limit=<int>] [agg=<stats-agg-term>] [<bin-options>... ] (<single-agg> [BY <split-by-clause>] ) | (<eval-expression> BY <split-by-clause>)

For syntax descriptions, refer to the timechart command.

For information about functions that you can use with the timechart command, see Statistical and charting functions.


Example 1:

Compute the necessary information to later do 'timechart avg(foo) by bar' on summary indexed results.

... | sitimechart avg(foo) by bar

See also

collect, overlap, sichart, sirare, sistats, sitop


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the sitimechart command.

Last modified on 07 August, 2019

This documentation applies to the following versions of Splunk Cloud: 7.0.11, 7.0.13, 7.1.6, 7.2.4, 7.1.3, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2001

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters