This command creates a time-series representation of data in the form of a table of statistics and a corresponding chart based on the field or fields specified.
You can run this command with:
- Time span in days, minutes, or hours
- Aggregate functions such as count, sum, or average
The starting and ending points to create the chart are defined by the time range used before you run the command. The time span defined as a part of the command acts as a bucketing option to specify the number of buckets into which you want to divide the data to plot a data point.
You can perform advanced analysis by running this command to group data by a field so that each distinct value of the field acts as an additional grouping. For example, you can plot the count of data occurring from a particular host depending on the data-collector names for the time span specified.
This topic contains the following information:
For a list of all search commands, see Search commands.
Related topics
Syntax
timechart span=<duration><timescale> <aggregate-function>+
timechart span=<duration><timescale> <aggregate-function>+ [by <field>]
In the preceding syntax, the following definitions apply:
+indicates one or more similar expressions separated by a comma (,) or space.- [expression] indicatesit is optional.
<duration>refers to an integer value to indicate the time-span bucket.<timescale>refers to a time scale such as days, hours, or minutes.The following table describes the time scale options that can be used in the command syntax:
Item Syntax Minutes m | min | mins | minute | minutes
Hours h | hr | hrs | hour | hours
Days d | day | days
<aggregate-function>refers to the aggregate function used for creating the chart; for example, count, sum, or average.The following table describes the aggregate functions that can be used in the command syntax:
Function Syntax Description Count count (<field>)
Uses field name as an argument and returns the number of occurrences of that field in the search results. Sum sum (<field>)
Uses field name as an argument and returns the sum of values of that field in the search results. Average avg (<field>)
Uses field name as an argument and returns the average of values of that field in the search results. Minimum min (<field>)
Uses field name as an argument and returns the smallest value of that field. Maximum max (<field>)
Uses field name as an argument and returns the highest value of that field. where, <field>can be a field name or a tag nameby <field>refers to the groupbyparameter optionally used in conjunction with the aggregate functions to group the result set by the specified field.
Short examples
Example 1: Display a table of statistics (and a multiseries chart) displaying an aggregation of the distinct HOST field values against each day.
... | timechart span=1d count(HOST) by HOSTExample 2: Display a table of statistics (and a multiseries chart) displaying an aggregation of the RequestType field values that occurred in the span of 1 hour.
... | timechart span=1hr count(RequestType)
Example 3: Display a table of statistics (and a multiseries chart) displaying an aggregation of the RequestType field values that occurred in the span of 1 hour and grouped by the ClientIp field.
... | timechart span=1hr count(RequestType) by ClientIpExample 4: Display a table of statistics (and a multiseries chart) displaying an aggregation of the RequestType field values that occurred in the span of 1 hour, plus a sum and average of the ResponseSize field values.
... | timechart span=1hr count(RequestType), sum(ResponseSize), avg(ResponseSize)Example 5: Display a table of statistics (and a multiseries chart) displaying an aggregation of the RequestType field values that occurred in the span of 1 hour, plus the sum and average of the ResponseSize field values, grouped by the ClientIP field.
... | timechart span=1hr count(RequestType), sum(ResponseSize), avg(ResponseSize)
by ClientIp
Example 6: Display the minimum (smallest), maximum (highest), and average of the ResponseSize field values, grouped by the ClientIp field.
... | timechart span=1h min(ResponseSize), max(ResponseSize), avg(ResponseSize)
by ClientIpLong examples
The following sample data and sample indexed data (displayed on the Search tab) will help you understand the examples of using the timechart command.
Sample data
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png |
Sample indexed data
10.1.1.141 - - [11/Jul/2013:15:04:52 -0700] "POST /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=200 |RequestType=POST|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.141 - - [11/Jul/2013:15:03:52 -0700] "PUT /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=200|COLLECTOR_NAME=u4 |ClientIp=10.1.1.141 |ResponseCode=201 |RequestType=PUT|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:02:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=150|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=201 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png |
10.1.1.140 - - [11/Jul/2013:15:01:52 -0700] "GET /themes/ComBeta/images/bullet.png HOST=local.bmc.com |ResponseSize=100|COLLECTOR_NAME=u4 |ClientIp=10.1.1.140 |ResponseCode=404 |RequestType=GET|RequestURL=/themes/ComBeta/images/bullet.png |
count
In this example, you use the command to see a table of statistics (and a multiseries chart) displaying an aggregation of the RequestType field values that occurred in the span of 1 hour.
Command
... | timechart span=1hr count(RequestType)
Output
| Timestamp | count(RequestType) |
|---|---|
| Jul 11 2013 03:00 PM | 9 |
count with by parameter
In this example, you use the command to see a table of statistics (and a multiseries chart) displaying an aggregation of the RequestType field values that occurred in the span of 1 hour and grouped by the ClientIp field.
Command
... | timechart span=1hr count(RequestType) by ClientIp
Output
| Timestamp | 10.1.1.140:count (RequestType) | 10.1.1.141:count (RequestType) | 10.1.1.142:count (RequestType) | 10.1.1.143:count (RequestType) |
|---|---|---|---|---|
| Jul 11 2013 03:00 PM | 1 | 1 | 1 | 1 |
| Jul 11 2013 04:00 PM | 0 | 0 | 0 | 0 |
count, sum, and avg
In this example, you use the command to see a table of statistics (and a multiseries chart) displaying an aggregation of the RequestType field values that occurred in the span of 1 hour, plus a sum and average of the ResponseSize field values.
Command
... | timechart span=1hr count(RequestType), sum(ResponseSize), avg(ResponseSize)
Output
| Timestamp | count (RequestType) | sum (ResponseSize) | avg (ResponseSize) |
|---|---|---|---|
| Jul 11 2013 03:00 PM | 0 | 0 | 0 |
| Jul 11 2013 04:00 PM | 4 | 550 | 137.5 |
count, sum, and avg with by parameter
In this example, you use the command to see a table of statistics (and a multiseries chart) displaying an aggregation of the RequestType field values that occurred in the span of 1 hour, plus the sum and average of the ResponseSize field values, grouped by the ClientIP field.
Command
... | timechart span=1hr count(RequestType), sum(ResponseSize), avg(ResponseSize)
by ClientIp
Output
Timestamp | 10.1.1.141 :count (Request Type) | 10.1.1.141 :sum (Response Size) | 10.1.1.141 :avg (Response Size) | 10.1.1.140 :count (Request Type) | 10.1.1.140 :sum (Response Size) | 10.1.1.140 :avg (Response Size) |
|---|---|---|---|---|---|---|
| Jul 11 2013 12:00 AM | 2 | 300 | 150 | 2 | 250 | 125 |
min
In this example, you use the command to display the minimum value (smallest value) of the ResponseSize field.
Command
... | timechart span=1hr min(ResponseSize)
Output
Timestamp | Min (Response Size) |
|---|---|
| Jul 11 2013 12:00 AM | 100 |
max
In this example, you use the command to display the maximum value (highest value) of the ResponseSize field.
Command
... | timechart span=1h max(ResponseSize)
Output
Timestamp | Max (Response Size) |
|---|---|
| Jul 11 2013 3:00 PM | 200 |
min with by parameter
In this example, you use the command to display the minimum value (smallest value) of the ResponseSize field, grouped by the ClientIp field. By running this command, you can understand the hosts from where minimum values are derived.
Command
... | timechart span=1hr min(ResponseSize) by ClientIp
Output
Timestamp | 10.1.1.140:min (Response Size) | 10.1.1.141:min | 10.1.1.142:min | 10.1.1.143:min |
|---|---|---|---|---|
| Jul 11 2013 3:00 PM | 100 | 150 | 200 | 100 |
| Jul 11 2013 4:00 PM | 0 | 0 | 0 | 0 |
min, max, and avg
In this example, you use the command to display the minimum (smallest), maximum (highest), and average of the ResponseSize field values.
Command
... | timechart span=1h min(ResponseSize), max(ResponseSize), avg(ResponseSize)
Output
Timestamp | min(Response Size) | max(Response | avg(Response |
|---|---|---|---|
| Jul 11 2013 3:00 PM | 100 | 200 | 137.500 |
Notes
- If the data contains an event with no time stamp, the product assigns a time stamp to that event at the time of indexing. The same time stamp is used for displaying the time bucket when you run this command.
- You cannot run this command to display more than 100 buckets.
- While using the
sumandavgfunctions in your search syntax, the following conventions apply:- If the
timechartcommand is the first command after the initial search query, the fields specified in thesumandavgfunctions must be of the field type INTEGER or LONG.
The field type can be specified while creating a data pattern. - If the
timechartcommand is preceded by another search command, the fields specified in thesumandavgfunctions must be numbers.
- If the
Overview
Content Tools
Apps
Reporter Replacement
com.bmc.atlassian.bmc-util-plugin-2.section.label
Tasks