timechart

The timechart command is used to calculate statistics over all events in a given search, grouped by time This command will block the event stream until all events have been received.

Syntax

The timechart command has the following syntax:

A list of aggregation functions, that may take a field name as an argument; and may have an alias specified with the as keyword to set the name of the resulting field.
- There must always be at least one aggregation function.
An optional by identifier, followed by at exactly one field name. All unique permutations of the values of this field and the binned timestamp will result in a new aggregation group containing a copy of all specified aggregation functions.

| timechart <aggregation>(<field>) as <output-name> by <key>

The timechart command uses the same aggregation functions as the stats command; with the additional requirement that they must output a numeric value. This means that aggregations like values are not valid as they do not output numeric values. List of available aggregation functions:

Takes a field name argument

sum - Sums the numeric values in the given field.
avg - Calculates the average numeric value of the given field.
min - Finds the smallest value in the given field.
max - Finds the largest value in the given field.
unique - Counts the number of unique values in the given field.

No field name argument

count - Increments a counter for each aggregation group.

Example

Count how many events are associated with host over time:

| select systemd
| timechart count by HOSTNAME

timechart

Syntax

Aggregation Functions

Takes a field name argument

No field name argument

Example