Splunk timechart

  • (5.0)

What is a Splunk Timechart?

The usage of Splunk’s timechart command is specifically to generate the summary statistics table. This table that is generated out of the command execution, can then be formatted in the manner that is well suited for the requirement – chart visualization for example. The charts when we try to visualize, the data obtained is plotted against time (that is limited to the X-axis by default) and then the parameter that you choose for the Y-axis. The timechart is a statistical aggregation of a specific field with time on X-axis. Hence the chart visualizations that you may end up with are always line charts, area charts or column charts.

Please take a closer look at the syntax of timechart command that is provided by the Splunk software itself:

timechart [sep=] [format=] [partial=] [cont=] [limit=] [agg=] [... ] ( ( [BY ] ) | () BY )

Learn how to use Splunk, from beginner basics to advanced techniques, with online video tutorials taught by industry experts. Enroll for Free Splunk Training Demo!

Let us now take a look at the required arguments that you specifically need to pass on to the command without which you might not be able to fetch the details that you intend to. To use either or , is mandatorily required to be provided. Let us take a closer look at each and every possible required argument to the command.

  • eval-expression

Syntax: | | | |

This can be best described as a combination of literals, fields, operators, and functions that may represent the value of your destination field. For any of these evaluations to evaluate as per your requirement, the values are specifically needed to be valid for the kind of operation that we are going to perform on them. To explain this, if you are trying to perform addition or multiplication of two variables where the inputs to these are not numeric in nature, this will not provide the result that you expect to be evaluated.

  • single-agg

Syntax: count | ()

Related Page: Splunk Streamstats Command

This can be best described as a single aggregation that can be applied to a specific field, including an evaluated field. There is no possibility for wildcards to be used. The field must be specified always but as an exception, when using the count aggregator this can be optionally left over.

  • split-by-clause

Syntax: ()... []

This specifies a field to be split. If the provided field is a numerical field, then the default discretization is applied to it (which is defined by the tc-options). You can optionally use the to specify the required number of columns to be included.

There are a varied range of optional parameters that can be used with timechart command, but we will not be going through each and every one of them to save time. Let us take a look at some of the important but optional parameters in the examples section, so that we can understand the usage of these parameters if not they can be safely skipped.

Frequently Asked Splunk Interview Questions & Answers

Let us look at an example with Splunk Timechart

Let us now look at the theory that we have just discussed in the section above in the form of examples and let us understand the nitty gritty details that we might have missed exploring earlier.

  • Example 1:

The report uses the internal Splunk log data to analyze and visualize the average indexing throughput (indexing kbps) of Splunk processes over a prolonged duration of time. The information is then split by the processor as such as displayed below:

index=_internal "group=thruput" | timechart avg(instantaneous_eps) by processor

Related Page: Splunk Logging

  • Example 2:

This example shows us a chart that provides the multiplication of the average CPU and the average MEM for each of the host that is connected. For every 10 minutes, compute the product of the average CPU and average MEM for each host.

…|timechart span=10m eval(avg(CPU) * avg(MEM)) BY host

  • Example 3:

This example is going to provide you with a chart of the average of cpu_seconds provided by your processor which is then rounded to 4 decimal places as per the syntax provided in the example below.

... | timechart eval(round(avg(cpu_seconds),4)) BY processor

  • Example 4:

This example is going to take the average value of the CPU utilization for each single minute for every host available and provides a beautiful chart with the representation of average CPU for each host.

…| timechart span=1m avg(CPU) BY host

  • Example 5:

This example is going to calculate the average of cpu_seconds by every possible host available and then removes the outlying values that may distort the time-chart axis of the chart generated.

…| timechart avg(cpu_seconds) BY host | outlier action=tf

  • Example 6:

This example is going to detail out on the average throughput of all the hosts available over longer durations of time in a nice chart with average of throughput against hosts over time.

…| timechart span=10m avg(thruput) BY host

  • Example 7:

This example details out the counts of event types that are identified by source_ip field where the count evaluated is greater than 25 in a chart.

sshd failed OR failure | timechart span=10m count(eventtype) BY source_ip usenull=f WHERE count>25
Explore Splunk Sample Resumes! Download & Edit, Get Noticed by Top Employers!Download Now!

This article has primarily focused on letting us know the features made available by Splunk software and in an attempt to understand this, we have explored a little in deep on Splunk Timechart. We have also gone through an example on how to use Splunk Timechart and explained its usage

Popular Courses in 2018

Get Updates on Tech posts, Interview & Certification questions and training schedules