Using timechart to show values over time

Timechart lets us show numerical values over time. It is similar to the chart command, except that time is always plotted on the x axis. Here are a couple of things to note:

• The events must have a _time field. If you are simply sending the results of a search to the timechart, this will always be true. If you are using interim commands, you will need to be mindful of this requirement.
• Time is always bucketed, meaning that there is no way to draw a point per event.

Let's see how many errors have been occurring:

sourcetype="tm1*" error | timechart count

The default chart will look something like this:

Now let's see how many errors have occurred per weekday over the same time period.

We simply need to add by user to the query:

sourcetype="tm1*" error | timechart count by date_wday

This produces the following chart:

As we stated earlier, the x axis is always time. The y axis can be:

• One or more functions
• A single function with a by clause
• Multiple functions with a by clause (a new feature in Splunk 4.3). An example of a timechart with multiple functions might be as follows:

  sourcetype="tm1*" error | timechart count as "Error Count" count(sourcetype) as "Source Count"

This would produce a graph like this:

Timechart options

Timechart has many arguments and formatting options. We'll touch upon a few examples of formatting, but they are too numerous to cover in detail. We will use other chart types in later chapters. Let's throw a few options in (to a simple search) and see what they do.

sourcetype="*" GET | timechart bins=100 limit=3 useother=false usenull=false count as "Error count" by user

Let's step through each of these arguments:

• sourcetype="*" GET is our search query
• bins defines how many bins to slice time into. The number of bins will probably not be exactly 100 as the time will be sliced into logical units. In our example, this comes to 10 minutes per bin. To be more exact, you can use span (for example, span=1h) for hourly slices, but note that if your span value creates too many time slices, the chart will be truncated.
• limit changes the number of series returned. The series with the largest values are returned, much like in top. In this case, the most common values of a user will be returned.
• useother instructs timechart whether to group all series beyond the limit into an other bucket. The default value is true.
• usenull instructs timechart whether to bucket, into the group NULL, events that do not have a value for the fields in the by clause. The default value is true.

This combination of arguments produces a graph similar to this:

As mentioned earlier in the section Using chart to turn data, Splunk offers us a variety of Formatting options for our visualizations. Clicking on the drop-down selector on the Visualization tab in the following graph gives us quite a few options to work with.

The preceding graph shows a common chart style, the stacked column. This graph is useful for showing how many events of a certain kind occurred, but with colors to give us an idea of the distribution. Some great examples of all of the available chart styles are available at http://www.splunk.com/, and we will touch upon more styles in later chapters.