Version: 5.0

timechart

Description

Performs search and generates an array of data distributed along a timeline.

timechart [<timefield>] [<limit>] [<span>] [<bins>] [<useother>] <functions-expression> ["," <functions-expression>] [<by_expression>]

functions-expression You must use at least one of the following functions:

Parameter	Syntax	Description
`count`	`count \| count(<field>)`	Computes the count of events containing a field. If no field is specified, calculates the total number of events.
`avg`	`avg(<field>)`	Computes the average value for a given field.
`dc`	`dc(<field>)`	Computes the number of unique values in a given field.
`max`	`max(<field>)`	Computes the maximum value for a given field.
`min`	`min(<field>)`	Computes the minimum value for a given field.
`sum`	`sum(<field>)`	Computes the sum of the values in a given field.

Parameter	Syntax	Default	Description
`span`	`span=<span>`	see predefined `span` values	Defines the interval for segment distribution.
`timefield`	`timefield=<field>`	`@timestamp`	The field name where the timestamp is stored.
`bins`	`bins=<int>`	`100`	The maximum number of segments for computation.
`limit`	`limit=<int>`	`10`	The maximum number of unique `by_field` values that can be used in the column names of the result. Remaining values will be merged into the `OTHER` field.
`useother`	`useother=<boolean>`	`true`	If set to `false`, the `limit` parameter is ignored.
`by_expression`	`by <field>`		The field name for grouping values.

The following time formats are allowed: (+|-)<int>(s|m|h|d|w|month):

Predefined span values

If the span parameter is not specified for the time field, predefined parameters will apply.

Here's the list of predefined parameters:

Example 1:

Example #1
... | timechart limit=5 span=1h avg(msgNums) by user

Example 2:

Example #2
... | timechart limit=5 span=1d avg(log.offset) by 'source'

Example 3:

Example #3
... | timechart span=1d count(log.offset), max(log.offset) by event