Timechart is one of the most essential functions in Splunk. Unfortunately for those starting out, getting access to its many wonders is a bit hard to do. The official documentation (timechart, functions available to timechart) is great once you've got your feet firmly in the water -- this blog post (and the links at the bottom) are for people who are warily eyeing the water from the shore.
Syntax Intro
Timechart is used to summarize data via some statistical functions, split by time. You can build it up in stages of increasing complexity, as well:
One value over time:
index=_internal source=*metrics.log splunk_server="*" group="per_index_thruput" earliest=-7d@d latest=@d
| eval MB=kb/1024
| timechart span=1d sum(MB) as "Megabytes indexed"
Two values over time:
index=_internal source=*metrics.log splunk_server="*" group="per_index_thruput" earliest=-7d@d latest=@d
| eval MB=kb/1024
| timechart span=1d sum(MB) as "Megabytes indexed", sum(ev) as "Number of events"
One statistic, split by a number of sources, over time:
index=_internal source=*metrics.log splunk_server="*" group="per_index_thruput" earliest=-7d@d latest=@d
| eval MB=kb/1024
| timechart span=1d sum(MB) as "Megabytes indexed" by series
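The same pattern applied to authentication events, as an added example that is not from the original post: a small set of login attempts is constructed inline with makeresults, so the search runs on any Splunk instance without depending on a particular index, and failed logins are then counted per hour, split by user. The field names (user, action), the user names and the timestamps are all assumptions made up for this example, which is why the generated field is called constructed_rows.

```spl
| makeresults count=1
| eval constructed_rows="2024-01-01T00:05:00,bob,failure;2024-01-01T00:40:00,bob,failure;2024-01-01T01:10:00,alice,success;2024-01-01T01:30:00,bob,failure;2024-01-01T02:15:00,alice,failure"
| makemv delim=";" constructed_rows
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<ts>[^,]+),(?<user>[^,]+),(?<action>[^,]+)$"
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S")
| where action="failure"
| timechart span=1h count by user
```

Run it with the time range picker set to All time so the constructed 2024 timestamps fall inside the chart's window. The result has one row per hour and one column per user, which is exactly the "one statistic, split by a field, over time" shape from the third example above; swapping the where clause for a real index and sourcetype turns it into a failed-login chart you can put on a dashboard.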
Got the basics? Then check out:
- Basic Syntax
- Advanced Statistics
- Analyzing Trends (Comparing Summarized Hours, Days, or Etc.)
- Using Eval Within Timechart (or how to make your searches 20 times more performant)
- Timechart versus Stats