timechart

The timechart command is used to calculate statistics over all events in a given search, grouped by time. This command will block the event stream until all events have been received.

Syntax

The timechart command has the following syntax:

  • A list of aggregation functions that may take an eval expression as an argument, and may have an alias specified with the as keyword to set the name of the resulting field.
    • There must always be at least one aggregation function.
  • An optional by identifier, followed by exactly one field name. Each unique combination of that field's value and the binned timestamp produces a new aggregation group containing a copy of all specified aggregation functions.

Aggregation arguments and the by field can use dot notation to read values from nested objects.

| timechart <aggregation>(<expression>) as <output-name> by <key>

Aggregation Functions

The timechart command uses the same aggregation functions as the stats command, with the additional requirement that each aggregation must output a numeric value. This means aggregations like values are not valid because they output lists instead of numbers.

Example

Count how many events are associated with each host over time:

| select systemd
| timechart count by HOSTNAME

Count events grouped by a field inside a nested object over time:

| timechart count by object.group

Chart a calculated value over time:

| timechart sum(bytes_in + bytes_out) as total_bytes by service.name
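The three queries above can be modelled outside the query engine to see exactly what timechart computes: events are first collected in full (the blocking step), then placed into a (time bucket, by-value) group, and each group gets its own copy of the aggregations. The following Python is an added example and is not the tool's own implementation; the function names timechart, get_path, bin_timestamp and total_bytes, the NUMERIC_AGGS table, the one-minute bucket span and the sample events are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events; field names mirror the page's examples but the data is made up.
EVENTS = [
    {"timestamp": "2024-01-01T00:00:10Z", "HOSTNAME": "web-1",
     "service": {"name": "api"}, "bytes_in": 100, "bytes_out": 50},
    {"timestamp": "2024-01-01T00:00:40Z", "HOSTNAME": "web-2",
     "service": {"name": "api"}, "bytes_in": 200, "bytes_out": 100},
    {"timestamp": "2024-01-01T00:01:05Z", "HOSTNAME": "web-1",
     "service": {"name": "db"}, "bytes_in": 10, "bytes_out": 5},
    {"timestamp": "2024-01-01T00:01:30Z", "HOSTNAME": "web-1",
     "service": {"name": "api"}, "bytes_in": 30, "bytes_out": 20},
    # Event missing the by-field and one operand: it lands in the None group,
    # and its eval expression yields None so it contributes nothing to the sum.
    {"timestamp": "2024-01-01T00:01:50Z", "bytes_in": 1},
]

# Numeric aggregations only, as the page requires; "values" is deliberately
# absent because it would output a list rather than a number.
NUMERIC_AGGS = {
    "count": len,
    "sum": sum,
    "avg": lambda v: sum(v) / len(v),
    "min": min,
    "max": max,
}


def get_path(event, path):
    """Resolve a dotted path such as 'service.name' against nested dicts; None if missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def bin_timestamp(ts, span):
    """Floor an ISO-8601 timestamp to the start of its span-sized bucket (UTC ISO string)."""
    epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    start = epoch - (epoch % span.total_seconds())
    return datetime.fromtimestamp(start, tz=timezone.utc).isoformat()


def timechart(events, aggregations, by=None, span=timedelta(minutes=1)):
    """
    aggregations: {output_name: (agg_name, expr)} where expr is a callable
    returning a number (or None to skip the event), or None for a bare count.
    Returns {(bucket, by_value): {output_name: value}}.
    """
    for agg_name, _ in aggregations.values():
        if agg_name not in NUMERIC_AGGS:
            raise ValueError(f"{agg_name} is not a numeric aggregation")

    # Blocking step: every event is collected before any bucket is emitted.
    groups = defaultdict(list)
    for ev in events:
        ts = ev.get("timestamp")
        if ts is None:
            continue
        key = get_path(ev, by) if by else None
        groups[(bin_timestamp(ts, span), key)].append(ev)

    # Each group gets its own copy of every aggregation.
    result = {}
    for group_key, evs in groups.items():
        row = {}
        for out_name, (agg_name, expr) in aggregations.items():
            if expr is None:
                vals = evs  # a bare count counts events, not values
            else:
                vals = [v for v in (expr(e) for e in evs) if isinstance(v, (int, float))]
            row[out_name] = NUMERIC_AGGS[agg_name](vals) if vals else None
        result[group_key] = row
    return result


def total_bytes(ev):
    """Equivalent of the page's eval expression bytes_in + bytes_out."""
    a, b = ev.get("bytes_in"), ev.get("bytes_out")
    return None if a is None or b is None else a + b


if __name__ == "__main__":
    # | timechart count by HOSTNAME
    for k, v in sorted(timechart(EVENTS, {"count": ("count", None)}, by="HOSTNAME").items(), key=str):
        print(k, v)
    # | timechart sum(bytes_in + bytes_out) as total_bytes by service.name
    for k, v in sorted(timechart(EVENTS, {"total_bytes": ("sum", total_bytes)}, by="service.name").items(), key=str):
        print(k, v)
```

Two behaviours worth noting when reading the output: an event whose by-field does not resolve still forms a group (keyed by None) rather than being dropped, and a group whose eval expression produced no numeric values reports None for that aggregation while a bare count still counts the events. Whether the real engine uses the same conventions for missing fields is not stated on the page; check its output on a query with a deliberately absent field before relying on either.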