| timechart span=1d sum(MB) by series
and it will take each series and create a column name for it. It's appropriate for tossing in a SimpleResultsTable, and then tossing in front of the user.
Stats is more behind the scenes. As a rule, you're going to have more luck doing calculations and the like with stats than you are with timechart, because it will retain the column names you're familiar with.
Converting
Converting from Timechart to Stats, when you figure out something isn't working right, is easy. The biggest difference is that timechart combines stats and the bucket command. Moving
| timechart span=1d sum(MB) by series
to stats would yield
| bucket _time span=1d | stats sum(MB) by series, _time
There are two reasons to convert. The first is that you don't have a choice. You often can't do back-to-back timecharts, because the fields will be renamed. Take a look at the first example below, and try replacing the first bucket+stats with a timechart, and you'll see what I mean.
The other big reason to convert is that Stats offers much better support for three or more dimensions of analysis. Suppose you wanted to analyze the amount of data being put through the license_usage.log, metrics.log and splunkd_access.log files, and get a few different metrics for each. (Following up on the example from Analyzing Trends.) Compare the output of these two searches:
Timechart
index=_internal source="*metrics.log" group="per_source_thruput" series="*license_usage.log" OR series="*metrics.log" OR series="*splunkd_access.log" earliest=-7d@d latest=@d
| eval MB=kb/1024
| bucket _time span=1h
| stats sum(MB) as MB by series, _time
| timechart span=1d avg(MB) as AvgMB, sum(MB) as SumMB, stdev(MB) as StDevMB by series
Stats
index=_internal source="*metrics.log" group="per_source_thruput" series="*license_usage.log" OR series="*metrics.log" OR series="*splunkd_access.log" earliest=-7d@d latest=@d
| eval MB=kb/1024
| bucket _time span=1h
| stats sum(MB) as MB by series, _time
| bucket _time span=1d
| stats avg(MB) as AvgMB, sum(MB) as SumMB, stdev(MB) as StDevMB by series, _time
Where this really becomes even more useful is when you're building a dashboard. If I wanted to graph the license usage for each of those files, in three different graphs, I could have my main search be this (it stops at the hourly per-series MB, because each post-process below still needs the MB and series fields, and the daily stats would consume them):
index=_internal source="*metrics.log" group="per_source_thruput" series="*license_usage.log" OR series="*metrics.log" OR series="*splunkd_access.log" earliest=-7d@d latest=@d
| eval MB=kb/1024
| bucket _time span=1h
| stats sum(MB) as MB by series, _time
And then put a postprocess for each graph:
| search series="*metrics.log"
| bucket _time span=1d
| stats avg(MB) as AvgMB, sum(MB) as SumMB, stdev(MB) as StDevMB by _time
This way, you only have to do one search looking at the data, and you can do the rest of the processing in memory, improving the speed of your dashboards.
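To show how the main search and the per-graph post-processes above are actually wired together, here is a Simple XML dashboard as an added example (not code from the original post). The dashboard label, panel titles and the search id base_thruput are assumed; the SPL is the page's own.

```xml
<!-- Added example: one base search, three post-process charts.
     The base search stops at hourly per-series MB so that the post-process
     searches can still reference the MB and series fields. -->
<form>
  <label>Per-source throughput (timechart versus stats)</label>
  <!-- The only search that touches the index; its results stay in memory. -->
  <search id="base_thruput">
    <query>index=_internal source="*metrics.log" group="per_source_thruput"
      series="*license_usage.log" OR series="*metrics.log" OR series="*splunkd_access.log"
      earliest=-7d@d latest=@d
      | eval MB=kb/1024
      | bucket _time span=1h
      | stats sum(MB) as MB by series, _time</query>
  </search>
  <row>
    <panel>
      <title>metrics.log</title>
      <chart>
        <!-- Post-process: filter the base results, then daily stats in memory. -->
        <search base="base_thruput">
          <query>search series="*metrics.log"
            | bucket _time span=1d
            | stats avg(MB) as AvgMB, sum(MB) as SumMB, stdev(MB) as StDevMB by _time</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <title>license_usage.log</title>
      <chart>
        <search base="base_thruput">
          <query>search series="*license_usage.log"
            | bucket _time span=1d
            | stats avg(MB) as AvgMB, sum(MB) as SumMB, stdev(MB) as StDevMB by _time</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
    <panel>
      <title>splunkd_access.log</title>
      <chart>
        <search base="base_thruput">
          <query>search series="*splunkd_access.log"
            | bucket _time span=1d
            | stats avg(MB) as AvgMB, sum(MB) as SumMB, stdev(MB) as StDevMB by _time</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>
</form>
```

Keep the base search transforming (it ends in stats, as here): Splunk caps the number of rows a post-process search can read, so an event-level base search would be silently truncated.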
Ready for more? Check out:
- Basic Syntax
- Advanced Statistics
- Analyzing Trends (Comparing Summarized Hours, Days, or Etc.)
- Using Eval Within Timechart (or how to make your searches 20 times more performant)
- Timechart versus Stats