Overview of Timechart Usage in Splunk

Posted by David Veuve - 2011-07-27 10:51:04
Timechart is one of the most essential functions in Splunk. Unfortunately for those starting out, getting access to its many wonders is a bit hard to do. The official documentation (timechart, functions available to timechart) is great once you've got your feet firmly in the water -- this blog post (and the links at the bottom) is for people who are warily eyeing the water from the shore.

Syntax Intro

Timechart summarizes data with statistical functions, split into time buckets. From there you can build up in levels of complexity:

One value over time:

index=_internal source=*metrics.log splunk_server="*" group="per_index_thruput" earliest=-7d@d latest=@d
     | eval MB=kb/1024
     | timechart span=1d sum(MB) as "Megabytes indexed"

Two values over time:

index=_internal source=*metrics.log splunk_server="*" group="per_index_thruput" earliest=-7d@d latest=@d
     | eval MB=kb/1024
     | timechart span=1d sum(MB) as "Megabytes indexed", sum(ev) as "Number of events"

One statistic, split by a number of sources, over time:

index=_internal source=*metrics.log splunk_server="*" group="per_index_thruput" earliest=-7d@d latest=@d
     | eval MB=kb/1024
     | timechart span=1d sum(MB) as "Megabytes indexed" by series
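To make the mechanics behind those three searches concrete, here is an added Python emulation (not Splunk code, and not from the original post) of what each stage does: the `-7d@d` / `@d` time modifiers snap to midnight, `span=1d` aligns every event to the start of its day bucket, the aggregate function reduces each bucket, and `by series` pivots the split-field values into columns. The `kb`, `ev` and `series` field names come from the page; the metrics.log-style records, the UTC assumption for bucket alignment, and the "now" of 2011-07-27 are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like per_index_thruput rows from metrics.log.
# The field names kb, ev and series match the searches above; the values are made up.
SAMPLE_EVENTS = [
    {"_time": "2011-07-20T00:15:00Z", "series": "main",   "kb": 2048.0, "ev": 4000},
    {"_time": "2011-07-20T12:45:00Z", "series": "main",   "kb": 1024.0, "ev": 2000},
    {"_time": "2011-07-20T08:00:00Z", "series": "_audit", "kb": 512.0,  "ev": 900},
    {"_time": "2011-07-21T03:30:00Z", "series": "main",   "kb": 3072.0, "ev": 6100},
    {"_time": "2011-07-21T23:59:00Z", "series": "_audit", "kb": 256.0,  "ev": 450},
    # 2011-07-22 has no _audit rows: the split-by column is empty for that day.
    {"_time": "2011-07-22T10:00:00Z", "series": "main",   "kb": 1536.0, "ev": 3050},
    # Today's partial day is excluded by latest=@d.
    {"_time": "2011-07-27T01:00:00Z", "series": "main",   "kb": 9999.0, "ev": 1},
]

# Constructed "now": the timestamp of the blog post. Bucket alignment assumes UTC.
NOW = datetime(2011, 7, 27, 10, 51, 4, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def snap_to_day(t):
    """Emulate the '@d' modifier: truncate to midnight of that day."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def time_window(now, days_back):
    """Emulate earliest=-<days_back>d@d latest=@d: both ends snapped to midnight."""
    latest = snap_to_day(now)
    return latest - timedelta(days=days_back), latest


def in_window(events, earliest, latest):
    """Keep events with earliest <= _time < latest, as Splunk's time range does."""
    return [e for e in events if earliest <= parse_time(e["_time"]) < latest]


def bucket_start(t, span):
    """Align a timestamp to the start of its span-sized bucket, counted from the epoch."""
    return EPOCH + ((t - EPOCH) // span) * span


def timechart(events, span, aggregates, by=None):
    """Emulate `timechart span=<span> <fn>(<field>) as <name>, ... [by <field>]`.

    aggregates: list of (output_name, input_field, reducer) tuples.
    Without `by`, each row has one column per aggregate. With `by`, only the
    first aggregate is used and each distinct value of the split field becomes
    a column, the way the real command pivots split values. Buckets without
    any values for a column are modelled as None (a blank cell). Only buckets
    that contain events are emitted.
    """
    buckets = defaultdict(lambda: defaultdict(list))  # bucket -> column -> values
    reducer = {}                                      # column -> reducing function
    for e in events:
        b = bucket_start(parse_time(e["_time"]), span)
        if by is None:
            for name, field, fn in aggregates:
                buckets[b][name].append(e[field])
                reducer[name] = fn
        else:
            name, field, fn = aggregates[0]
            col = str(e[by])
            buckets[b][col].append(e[field])
            reducer[col] = fn
    rows = []
    for b in sorted(buckets):
        row = {"_time": b.strftime("%Y-%m-%d")}
        for col in sorted(reducer):
            values = buckets[b].get(col)
            row[col] = reducer[col](values) if values else None
        rows.append(row)
    return rows


def _last_seven_days_in_mb(events):
    # earliest=-7d@d latest=@d | eval MB=kb/1024
    scoped = in_window(events, *time_window(NOW, 7))
    return [dict(e, MB=e["kb"] / 1024) for e in scoped]


def megabytes_indexed_per_day(events=SAMPLE_EVENTS):
    # | timechart span=1d sum(MB) as "Megabytes indexed"
    return timechart(_last_seven_days_in_mb(events), timedelta(days=1),
                     [("Megabytes indexed", "MB", sum)])


def megabytes_and_events_per_day(events=SAMPLE_EVENTS):
    # | timechart span=1d sum(MB) as "Megabytes indexed", sum(ev) as "Number of events"
    return timechart(_last_seven_days_in_mb(events), timedelta(days=1),
                     [("Megabytes indexed", "MB", sum), ("Number of events", "ev", sum)])


def megabytes_per_day_by_series(events=SAMPLE_EVENTS):
    # | timechart span=1d sum(MB) as "Megabytes indexed" by series
    return timechart(_last_seven_days_in_mb(events), timedelta(days=1),
                     [("Megabytes indexed", "MB", sum)], by="series")


if __name__ == "__main__":
    for row in megabytes_per_day_by_series():
        print(row)
```

The split-by output is the one worth watching for operational reasons: a column that suddenly reads blank or drops sharply for a day means that index stopped receiving data, which is usually a collection failure rather than a quiet network.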

Got the basics? Then check out: