# Splunk Timechart

Rating: 4.8
23468

## What is a Splunk Timechart?

The usage of the Splunk time chart command is specifically to generate the summary statistics table. This table which is generated out of the command execution can then be formatted in a manner that is well suited for the requirement – chart visualization for example. In the charts when we try to visualize, the data obtained is plotted against time (that is limited to the X-axis by default) and then the parameter that you choose for the Y-axis. The time chart is a statistical aggregation of a specific field with time on the X-axis. Hence the chart visualizations that you may end up with are always line charts, area charts, or column charts.

Please take a closer look at the syntax of the time chart command that is provided by the Splunk software itself:

timechart [sep=] [format=] [partial=] [cont=] [limit=] [agg=] [... ] ( ( [BY ] ) | () BY )

 Learn how to use Splunk, from beginner basics to advanced techniques, with online video tutorials taught by industry experts. Enroll for Free "Splunk Training" Demo!

Let us now take a look at the required arguments that you specifically need to pass on to the command without which you might not be able to fetch the details that you intend to. To use either or, is mandatorily required to be provided. Let us take a closer look at each and every possible required argument to the command.

• eval-expression

Syntax: `| | | | `

This can be best described as a combination of literals, fields, operators, and functions that may represent the value of your destination field. For any of these evaluations to evaluate as per your requirement, the values are specifically needed to be valid for the kind of operation that we are going to perform on them. To explain this, if you are trying to perform the addition or multiplication of two variables where the inputs to these are not numeric in nature, this will not provide the result that you expect to be evaluated.

• single-agg

Syntax: `count | ()`

 Related Page: Splunk Streamstats Command

This can be best described as a single aggregation that can be applied to a specific field, including an evaluated field. There is no possibility for wildcards to be used. The field must be specified always but as an exception, when using the count aggregator this can be optionally left over.

• split-by-clause

Syntax: `()... []`

This specifies a field to be split. If the provided field is a numerical field, then the default discretization is applied to it (which is defined by the tc-options). You can optionally use the to specify the required number of columns to be included.

There is a varied range of optional parameters that can be used with timechart command, but we will not be going through each and every one of them to save time. Let us take a look at some of the important but optional parameters in the examples section, so that we can understand the usage of these parameters if not they can be safely skipped.

 Related Article: Splunk Interview Questions

### Splunk Timechart Examples

Let us look at an example with Splunk Timechart

Let us now look at the theory that we have just discussed in the section above in the form of examples and let us understand the nitty-gritty details that we might have missed exploring earlier.

Example 1:

The report uses the internal Splunk log data to analyze and visualize the average indexing throughput (indexing kbps) of Splunk processes over a prolonged duration of time. The information is then split by the processor as such as displayed below:

index=_internal "group=thruput" | timechart avg(instantaneous_eps) by processor

 Related Page: Splunk Logging

Example 2:

This example shows us a chart that provides the multiplication of the average CPU and the average MEM for each of the hosts that is connected. For every 10 minutes, compute the product of the average CPU and average MEM for each host.

…|timechart span=10m eval(avg(CPU) * avg(MEM)) BY host

Example 3:

This example is going to provide you with a chart of the average of cpu_seconds provided by your processor which is then rounded to 4 decimal places as per the syntax provided in the example below.

... | timechart eval(round(avg(cpu_seconds),4)) BY processor

Example 4:

This example is going to take the average value of the CPU utilization for every single minute for every host available and provides a beautiful chart with the representation of the average CPU for each host.

…| timechart span=1m avg(CPU) BY host

Example 5:

This example is going to calculate the average of cpu_seconds by every possible host available and then remove the outlying values that may distort the time-chart axis of the chart generated.

…| timechart avg(cpu_seconds) BY host | outlier action=tf

Example 6:

This example is going to detail the average throughput of all the hosts available over longer durations of time in a nice chart with the average throughput against hosts over time.

…| timechart span=10m avg(thruput) BY host

Example 7:

This example details out the counts of event types that are identified by the source_ip field where the count evaluated are greater than 25 in a chart.

sshd failed OR failure | timechart span=10m count(eventtype) BY source_ip usenull=f WHERE count>25

This article has primarily focused on letting us know the features made available by Splunk software and in an attempt to understand this, we have explored a little in deep on Splunk Timechart. We have also gone through an example on how to use Splunk Timechart and explained its usage

Course Schedule
NameDates
Splunk TrainingSep 21 to Oct 06View Details
Splunk TrainingSep 24 to Oct 09View Details
Splunk TrainingSep 28 to Oct 13View Details
Splunk TrainingOct 01 to Oct 16View Details
Last updated: 03 Apr 2023