Using Transforming Commands: Timechart
How to use Transforming Command timechart in Splunk

What is a Transforming Command?

A transforming command takes the results of a Splunk search and transforms those results into tables of statistics or into chart visualizations (e.g. pie or column charts).

Some transforming commands that you may use are timechart, stats, rare, top, and chart.

In this article, we will focus on how to use the timechart and chart commands.

If you would like more information, check out Splunk’s documentation: Types of Commands.

Using Timechart

The timechart command not only returns a table of statistical results but also generates a time chart visualization with _time on the x-axis.

For this example, we are working with a sample dataset given to us in Splunk. Find your sample datasets in Apps > Search & Reporting > Datasets.

In our command, we used a single aggregation function (count) together with the span argument to perform a calculation on our data.

Span allows us to break our data up into chunks of time.

On the Visualization tab, we can see that our events have been placed into columns at 2-hour intervals.

To change the chart type, click Column Chart.

There are several other commonly used single aggregation functions, such as sum, avg, min, and max.

For more information on Timechart, see Splunk’s documentation: timechart command usage.


Example syntax:
| timechart <stats-func>(<field>)

Put this into Splunk search:
| from datamodel:"internal_server.server"
| timechart span=2h count

Using Timechart with Multiple Values

Let’s get a little more complex. By implementing the by clause, we can break down our data further.

So, now we are breaking events down into 2-hour intervals and using count to count the events in each interval per sourcetype.

If the syntax is hard to remember, think of it as x by y: the statistic first, then the field to split it by.

| from datamodel:"internal_server.server"
| timechart span=2h count by sourcetype
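To make clear what the two searches above actually compute, here is an added Python emulation of `| timechart span=2h count` and `| timechart span=2h count by sourcetype`. It is not code from the article or from Splunk: it runs over a constructed list of events standing in for Splunk's _time and sourcetype fields, aligns each event to a span-sized bucket, counts per bucket (and per sourcetype when a by field is given), and emits zero-count rows for empty buckets inside the range, which is why a timechart column chart shows gaps as empty columns rather than skipping them. It goes slightly beyond the article by accepting any span string (s, m, h, d) and by grouping events that lack the by field under a NULL series, which approximates timechart's default usenull=t behaviour.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real Splunk data). The event at 03:10 has no
# sourcetype field, to show how a missing by-field value is handled.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T00:15:00Z", "sourcetype": "access_combined"},
    {"_time": "2024-01-01T01:50:00Z", "sourcetype": "access_combined"},
    {"_time": "2024-01-01T01:55:00Z", "sourcetype": "linux_secure"},
    {"_time": "2024-01-01T02:05:00Z", "sourcetype": "linux_secure"},
    {"_time": "2024-01-01T03:10:00Z"},
    {"_time": "2024-01-01T05:30:00Z", "sourcetype": "access_combined"},
    {"_time": "2024-01-01T07:59:59Z", "sourcetype": "linux_secure"},
]


def parse_time(text):
    """Parse an ISO-8601 UTC timestamp into epoch seconds (Splunk's _time is epoch seconds)."""
    ts = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp())


def span_seconds(span):
    """Translate a span argument such as '2h', '15m', '30s' or '1d' into seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(span[:-1]) * units[span[-1]]


def timechart_count(events, span="2h", by=None):
    """Emulate `| timechart span=<span> count [by <by>]`.

    Returns rows ordered by bucket start. Each row has '_time' (the bucket start,
    formatted as a string) plus one count column per series: a single 'count'
    column without a by clause, otherwise one column per distinct by-field value.
    Events without the by field are grouped under 'NULL' (approximating
    timechart's usenull=t default, an assumption stated in the lead-in).
    """
    width = span_seconds(span)
    counts = defaultdict(Counter)  # bucket start -> series name -> count
    series = set()
    for ev in events:
        # Align the event to the start of its span-sized bucket (integer floor).
        bucket = parse_time(ev["_time"]) // width * width
        key = ev.get(by, "NULL") if by else "count"
        counts[bucket][key] += 1
        series.add(key)
    if not counts:
        return []
    columns = sorted(series)
    first, last = min(counts), max(counts)
    rows = []
    # Walk every bucket between the first and last populated one so that empty
    # intervals still appear as zero-count rows, exactly as the chart draws them.
    for start in range(first, last + width, width):
        row = {"_time": datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")}
        for col in columns:
            row[col] = counts[start][col]  # missing bucket/series -> 0
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in timechart_count(SAMPLE_EVENTS, "2h"):
        print(row)
    print()
    for row in timechart_count(SAMPLE_EVENTS, "2h", by="sourcetype"):
        print(row)
```

Running the block prints the two tables a Splunk user would see on the Statistics tab: four 2-hour rows with a single count column, and the same four rows split into one column per sourcetype (the "x by y" form), with a NULL column for the event that had no sourcetype.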

Formatting Timechart

Under Format, we can make all sorts of changes. By default, Multi-series Mode is set to No.

If we change Multi-series Mode to Yes, each field value (remember, we defined the field using the by clause) gets its own y-axis.


To summarize this short introduction to timechart, we explored how to use timechart to create visualizations. We also learned how to use a single aggregation function with timechart. Feel free to like and share!
