timechart
The timechart command is used to calculate statistics over all events in a given search, grouped by time
This command will block the event stream until all events have been received.
Syntax
The timechart command has the following syntax:
- A list of aggregation functions, that may take a field name as an argument; and may have an alias specified with the
askeyword to set the name of the resulting field.- There must always be at least one aggregation function.
- An optional
byidentifier, followed by at exactly one field name. All unique permutations of the values of this field and the binned timestamp will result in a new aggregation group containing a copy of all specified aggregation functions.
| timechart <aggregation>(<field>) as <output-name> by <key>
Aggregation Functions
The timechart command uses the same aggregation functions as the stats command; with the additional requirement that they must output a numeric value.
This means that aggregations like values are not valid as they do not output numeric values.
List of available aggregation functions:
Takes a field name argument
sum- Sums the numeric values in the given field.avg- Calculates the average numeric value of the given field.min- Finds the smallest value in the given field.max- Finds the largest value in the given field.unique- Counts the number of unique values in the given field.
No field name argument
count- Increments a counter for each aggregation group.
Example
Count how many events are associated with host over time:
| select systemd
| timechart count by HOSTNAME