Author


Rajesh Kumar

DevOps@RajeshKumar.xyz


Timechart: Splunk Commands Tutorials & Reference

Commands Category: Reports

Commands: timechart

Use: Creates a time series chart with a corresponding table of statistics. A timechart is a statistical aggregation applied to a field to produce a chart, with time as the X-axis. You can specify a split-by field, where each distinct value of the split-by field becomes a separate series in the chart. If you use an eval expression, the split-by clause is required. With the limit and agg options, you can specify series filtering. These options are ignored if you specify an explicit where clause. If you set limit=0, no series filtering occurs.


Example from homeworkdataset.csv

host=homework backupduration=* domain=* | timechart avg(backupduration) by domain


Example from homeworkdataset.csv

sourcetype=WinEventLog:Security EventCode=4625 user=*
sourcetype=WinEventLog:Security EventCode=4625 user=* | timechart span=1h count(EventCode) by user
sourcetype=WinEventLog:Security EventCode=4625 user=* | stats count(EventCode) by user
sourcetype=WinEventLog:Security EventCode=4625 user=* | stats count(EventCode) by user _time | table _time user count(EventCode) | sort -_time
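As an added illustration, not part of the original page, the following Python re-implements what `timechart span=1h count(EventCode) by user` does to the EventCode=4625 (failed logon) events above: floor each event's time to the span, build one series per user, zero-fill empty buckets, and apply the limit/OTHER series filtering described in the Use section. The sample events are constructed, not taken from homeworkdataset.csv.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from homeworkdataset.csv): (time, EventCode, user).
SAMPLE_EVENTS = [
    ("2024-03-01T08:05:00Z", "4625", "alice"),
    ("2024-03-01T08:40:00Z", "4625", "bob"),
    ("2024-03-01T08:59:59Z", "4625", "alice"),
    ("2024-03-01T09:10:00Z", "4625", "alice"),
    ("2024-03-01T09:20:00Z", "4624", "carol"),  # successful logon; not matched by EventCode=4625
    ("2024-03-01T10:30:00Z", "4625", "svc_backup"),
]


def bucket_start(epoch, span_seconds):
    """Floor an epoch timestamp to the start of its span bucket (timechart span=)."""
    return epoch - (epoch % span_seconds)


def timechart_count_by(events, span_seconds=3600, event_code="4625", limit=10):
    """Emulate `EventCode=<code> | timechart span=<s> count(EventCode) by user`.

    Returns (bucket_starts, {series_name: [count per bucket]}). Buckets are
    contiguous from the first to the last matching event and zero-filled.
    Series outside the top `limit` (by total count) are folded into OTHER;
    limit=0 disables series filtering, as the page states.
    """
    counts = defaultdict(lambda: defaultdict(int))  # bucket -> user -> count
    for iso, code, user in events:
        if code != event_code:  # the search-time filter
            continue
        ts = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        counts[bucket_start(int(ts.timestamp()), span_seconds)][user] += 1
    if not counts:
        return [], {}
    buckets = list(range(min(counts), max(counts) + 1, span_seconds))
    totals = defaultdict(int)
    for per_user in counts.values():
        for user, n in per_user.items():
            totals[user] += n
    keep = set(totals)
    if limit > 0:  # rank by total, break ties alphabetically, keep the top `limit`
        keep = set(sorted(totals, key=lambda u: (-totals[u], u))[:limit])
    series = {u: [counts[b].get(u, 0) for b in buckets] for u in sorted(keep)}
    if keep != set(totals):
        series["OTHER"] = [sum(n for u, n in counts[b].items() if u not in keep) for b in buckets]
    return buckets, series
```

Each series list lines up with the bucket list, which is the same shape as the table Splunk renders under the chart.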

Example from homeworkdataset.csv

host=homework usr=*

host=homework usr=* | table _time usr

host=homework usr=* | eval timestamp=strftime(_time, "%I:%M")
| table timestamp usr

host=homework usr=* | eval timestamp=strftime(_time, "%I:%M %p")
| table timestamp usr

host=homework usr=* | eval timestamp=strftime(_time, "%d %B %I:%M %p")
| table timestamp usr



Create a timechart from a single field that should be summed up

... | table _time,  | timechart span=1d sum()
... | table _time, , name | timechart span=1d sum() by name
