Splunk Search Command of the Week: timechart

 

Think all the way back to the Splunk Search Command of the Week:  STATS command. With STATS, you can use Splunk to provide statistical information about your data. What if you wanted to take it one step further… and see a time breakdown of that data?

On the surface it may appear that this week’s Search Command, timechart, works exactly like the STATS command. However, it is important to note that there are a few key differences with timechart:

  • Timechart calculates statistics like STATS, these would be functions like count, sum, and average. However, it will bin the events up into buckets of time designated by a time span
  • Timechart will format the results into an x and y chart where time is the x -axis (first column) and our y-axis (remaining columns) will be a specified field

How To Use timechart

Now that we have knocked that out of the way, let’s take a look at the syntax at a common use of the timechart command….

|timechart span=<time value> agg() by <field>

Span = this will need to be a period of time like hours (1hr), minutes (1min), or days (1d)

Agg()= this is our statistical function, examples are count(), sum(), and avg()

By using the timechart search command, we can quickly paint a picture of activity over periods of time rather than the total for the entire time range.

timechart Use Cases

Let’s take a look at a couple of timechart use cases…

1. Number of saved searches run throughout the day

index=_internal sourcetype="scheduler" search_type=scheduled | timechart span=1hr count
Figure 1 - Saved searches run throughout the day using timechart
Figure 1 – Saved search statistics using timechart

2. Number of successful purchases per day by genre

Index=tutorial sourcetype=access_combined_wcookie action=purchase status=200 | timechart span=1d count by categoryId

 

Figure 2 - Number of successful purchases per day by genre using timechart
Figure 2 – Breakdown of purchases per day using timechart

3. Login Attempts per User

index=_audit action="login attempt" | timechart span=1hr count by user

 

The beautiful part about timechart is that it provides us great insights into daily, weekly, or even hourly activity within our environment.  When we start utilizing visualization with the results from timechart, we can easily find spikes, lulls, or other anomalies that need further investigation.

Ask the Experts

Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!