Splunk Search Command of the Week: timechart

 

STATS commands are some of the most used commands in Splunk for good reason. They make pulling data from your Splunk environment quick and easy to understand. But what if you wanted to take your STATS command one step further and see a time breakdown of that data?

We’ve got you covered. In this quick post, we’ll show you how to use the timechart command in Splunk, which timescales you can use, and the agg clauses that can help you further parse through your data.

STATS Command vs. timechart Command

On the surface it may appear that the timechart works exactly like the STATS command. However, it is important to note that there are a few key differences with timechart:

  • Timechart calculates statistics like STATS, these include functions like count, sum, and average. However, it will bin the events up into buckets of time designated by a time span
  • Timechart will format the results into an x and y chart where time is the x -axis (first column) and our y-axis (remaining columns) will be a specified field

Understanding these differences will prepare you to use the timechart command in Splunk without confusing the use cases.

How To Use timechart in Splunk

Now, let’s take a look at the syntax of a common use of the timechart command.

|timechart span=<time value> agg() by <field>

Splunk Tip: The by clause allows you to split your data, and it is optional for the timechart command.

Span = this will need to be a period of time like hours (1hr), minutes (1min), or days (1d)

Timescale Syntax Example Timescale Syntax
seconds s | sec | secs | second | seconds 5s
minutes m | min | mins | minute | minutes 30m
hours h | hr | hrs | hour | hours 12h
days d | day | days 5d
weeks w | week | weeks 7d
months mon | month | months 3mon

Agg()= this is our statistical function, examples are count(), sum(), and avg()

function Definition
count() Counts the number of entries per timespan.
sum() Finds the total sum per timespan.
avg() Finds the average value per timespan.
min() Finds the minimum value per timespan.
max() Finds the maximum value per timespan.

By using the timechart search command, we can quickly paint a picture of activity over periods of time rather than the total for the entire time range.

New call-to-action

Splunk timechart Examples & Use Cases

Let’s take a look at a couple of timechart examples.

1. Find the number of saved searches run throughout the day.

index=_internal sourcetype="scheduler" search_type=scheduled | timechart span=1hr count
Splunk timechart command example 1
Figure 1 – Saved search statistics using timechart

2. Find the number of successful purchases per day by genre.

Index=tutorial sourcetype=access_combined_wcookie action=purchase status=200 | timechart span=1d count by categoryId
Splunk timechart command example 2
Figure 2 – Breakdown of purchases per day using timechart

3. Find the Total Login Attempts per User.

index=_audit action="login attempt" | timechart span=1hr count by user

The beautiful part about timechart is that it provides us great insights into daily, weekly, or even hourly activity within our environment.  When we start utilizing visualization with the results from timechart, we can easily find spikes, lulls, or other anomalies that need further investigation.

If you found this helpful… 

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment 30-day free trial: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. You’ll get your report in just 30 minutes.

New call-to-action