Create time-based charts
This topic discusses using the timechart command to create time-based reports.
The timechart command
The timechart command generates a table of summary statistics. This table can then be formatted as a chart visualization, where your data is plotted against an x-axis that is always a time field. Use the timechart command to display statistical trends over time. You can split the data with another field as a separate series in the chart. Timechart visualizations are usually line, area, or column charts.
When you use the timechart command, the x-axis represents time. The y-axis can be any other field value, count of values, or statistical calculation of a field value.
For more information, see the Data structure requirements for visualizations in the Dashboards and Visualizations manual.
Example 1: This report uses internal Splunk log data to visualize the average indexing thruput (indexing kbps) of Splunk processes over time. The information is separated, or split, by processor:
index=_internal "group=thruput" | timechart avg(instantaneous_eps) by processor
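The following Python sketch is an added example, not Splunk code. It emulates in simplified form the shape of the table that the Example 1 search produces: one row per time bucket and one column per value of the split field. The events, the processor names, the 60-second span, and the function name timechart_avg are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (epoch seconds). Field names follow the Example 1
# search; the processor values and numbers are made up for illustration.
EVENTS = [
    {"_time": 1200, "processor": "indexer", "instantaneous_eps": 10.0},
    {"_time": 1230, "processor": "indexer", "instantaneous_eps": 20.0},
    {"_time": 1245, "processor": "typing", "instantaneous_eps": 4.0},
    {"_time": 1270, "processor": "indexer", "instantaneous_eps": 30.0},
    {"_time": 1390, "processor": "typing", "instantaneous_eps": 8.0},
]


def timechart_avg(events, value_field, split_field, span):
    """Hypothetical helper: average value_field per time bucket, split into
    one column per split_field value (a simplified timechart emulation)."""
    sums = defaultdict(lambda: [0.0, 0])  # (bucket, series) -> [sum, count]
    series = set()
    for ev in events:
        # Events missing either field contribute nothing to the statistic.
        if value_field not in ev or split_field not in ev:
            continue
        bucket = ev["_time"] - ev["_time"] % span  # snap to start of bucket
        cell = sums[(bucket, ev[split_field])]
        cell[0] += float(ev[value_field])
        cell[1] += 1
        series.add(ev[split_field])
    if not sums:
        return []
    buckets = [bucket for bucket, _ in sums]
    rows = []
    # This sketch keeps empty buckets so the time axis stays continuous;
    # a series with no events in a bucket gets None for that cell.
    for bucket in range(min(buckets), max(buckets) + span, span):
        row = {"_time": bucket}
        for name in sorted(series):
            total, count = sums.get((bucket, name), (0.0, 0))
            row[name] = total / count if count else None
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in timechart_avg(EVENTS, "instantaneous_eps", "processor", 60):
        print(row)
```

Each row is one point on the x-axis, and each non-time column becomes one series in the line, area, or column chart.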
This documentation applies to the following versions of Splunk Cloud™: 7.0.13, 7.2.9, 8.0.2007, 8.1.2008, 7.2.10, 8.0.2006, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101, 8.1.2103, 8.2.2104