STATS commands are some of the most used commands in Splunk for good reason. They make pulling data from your Splunk environment quick and easy to understand. But what if you wanted to take your STATS command one step further and see a time breakdown of that data?
We’ve got you covered. In this quick post, we’ll show you how to use the timechart command in Splunk, which timescales you can use, and the agg clauses that can help you further parse through your data.
STATS Command vs. timechart Command
On the surface it may appear that the timechart works exactly like the STATS command. However, it is important to note that there are a few key differences with timechart:
- Timechart calculates statistics like STATS, these include functions like count, sum, and average. However, it will bin the events up into buckets of time designated by a time span
- Timechart will format the results into an x and y chart where time is the x -axis (first column) and our y-axis (remaining columns) will be a specified field
Understanding these differences will prepare you to use the timechart command in Splunk without confusing the use cases.
How To Use timechart in Splunk
Now, let’s take a look at the syntax of a common use of the timechart command.
|timechart span=<time value> agg() by <field>
Splunk Tip: The by clause allows you to split your data, and it is optional for the timechart command.
Span = this will need to be a period of time like hours (1hr), minutes (1min), or days (1d)
| Timescale | Syntax | Example Timescale Syntax |
| seconds | s | sec | secs | second | seconds | 5s |
| minutes | m | min | mins | minute | minutes | 30m |
| hours | h | hr | hrs | hour | hours | 12h |
| days | d | day | days | 5d |
| weeks | w | week | weeks | 7d |
| months | mon | month | months | 3mon |
Agg()= this is our statistical function, examples are count(), sum(), and avg()
| function | Definition |
| count() | Counts the number of entries per timespan. |
| sum() | Finds the total sum per timespan. |
| avg() | Finds the average value per timespan. |
| min() | Finds the minimum value per timespan. |
| max() | Finds the maximum value per timespan. |
By using the timechart search command, we can quickly paint a picture of activity over periods of time rather than the total for the entire time range.
Splunk Pro Tip: There’s a super simple way to run searches simply—even with limited knowledge of SPL— using Search Library in the Atlas app on Splunkbase. You’ll get access to thousands of pre-configured Splunk searches developed by Splunk Experts across the globe. Simply find a search string that matches what you’re looking for, copy it, and use right in your own Splunk environment. Try speeding up your timechart command right now using these SPL templates, completely free.
Run a pre-Configured Search for Free
Splunk timechart Examples & Use Cases
Let’s take a look at a couple of timechart examples.
1. Find the number of saved searches run throughout the day.
index=_internal sourcetype="scheduler" search_type=scheduled | timechart span=1hr count
2. Find the number of successful purchases per day by genre.
Index=tutorial sourcetype=access_combined_wcookie action=purchase status=200 | timechart span=1d count by categoryId
3. Find the Total Login Attempts per User.
index=_audit action="login attempt" | timechart span=1hr count by user
The beautiful part about timechart is that it provides us great insights into daily, weekly, or even hourly activity within our environment. When we start utilizing visualization with the results from timechart, we can easily find spikes, lulls, or other anomalies that need further investigation.
If you found this helpful…
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment 30-day free trial: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. You’ll get your report in just 30 minutes.
