index=_internal source=*metrics.log splunk_server="*" group="per_index_thruput" earliest=-7d@d latest=@d
| eval MB=kb/1024
| timechart span=1h sum(MB) as HourlySumMB
| timechart span=1d avg(HourlySumMB) as "Hourly Average", max(HourlySumMB) as "Max in an Hour", min(HourlySumMB) as "Min in an Hour", stdev(HourlySumMB) as "Standard Deviation of Hourly Average"
In practice, though, you're not usually going to want to use two back-to-back timecharts. You'll have more flexibility if you use timechart at the end, and switch earlier commands to stats, due to timechart's renaming of fields. Get a lot more detail on that (and an extension of our example here) at Timechart Versus Stats.
Ready for more? Check out: