timechart
Create a time series visualization by aggregating data into time buckets with flexible grouping.
    | timechart [span=interval] [timeCol=field] [maxGroups=N] [agg(field) [as alias], ...] [by groupField1, ...]

    | timechart span=5m count() as total by service

The timechart command creates a time series visualization by aggregating data into time buckets. It supports multiple aggregation functions, grouping, and several parameters for customizing the time axis and grouping behavior.
Parameters
- span=interval: (Optional) Bucket size for the time axis (e.g., 1m, 5m, 1h). See Span Format below.
- timeCol=field: (Optional) The field to use as the time axis (default is usually timestamp).
- maxGroups=N: (Optional) Maximum number of groups to display (limits cardinality).
- agg(field) [as alias]: Aggregation function (e.g., count(), sum(field), avg(field)) optionally renamed with as.
- by groupField1, ...: (Optional) Group results by one or more fields.
Span Format
The span value is a number followed by a time unit suffix:
| Suffix | Unit | Example |
|---|---|---|
| s | Seconds | 30s |
| m | Minutes | 5m, 15m |
| h | Hours | 1h, 6h |
| d | Days | 1d, 7d |
Examples: span=30s, span=5m, span=1h, span=7d.
When span is omitted, the bucket size is chosen automatically based on the selected time range.
- Use timechart to visualize trends over time, with flexible grouping and aggregation.
- Supports multiple aggregations, grouping, and time axis customization.
- All parameters are optional except for at least one aggregation.
Example
    | timechart span=5m timeCol=event_time maxGroups=10 count() as total, avg(duration) as avg_duration by status
This creates a time series of event counts and average duration per status in 5-minute intervals, using event_time as the time axis, and limits the output to 10 groups.
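The bucketing this example describes, emulated in Python as an added illustration; it is not the product's own code. It assumes epoch-second timestamps, whole-number spans, and buckets aligned to multiples of the span. The events are constructed, and maxGroups is not modelled because the page does not say how groups are selected.

```python
import re
from collections import defaultdict

# Suffix table from the Span Format section, expressed in seconds.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_span(span):
    """Convert a span such as '5m' to seconds; reject anything else."""
    # Assumption: whole positive numbers only; a zero-width bucket is rejected.
    match = re.fullmatch(r"([1-9][0-9]*)([smhd])", span)
    if match is None:
        raise ValueError(f"invalid span: {span!r}")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]

def timechart(events, span, time_col, by, avg_field):
    """Return {(bucket_start, group): {"total": n, "avg_duration": x}}."""
    width = parse_span(span)
    acc = defaultdict(lambda: [0, 0.0, 0])  # count, sum, values seen
    for event in events:
        ts = event.get(time_col)
        if ts is None:
            continue  # assumption: events without the time field are skipped
        bucket = ts - ts % width  # assumption: buckets start at epoch multiples
        slot = acc[(bucket, event.get(by))]
        slot[0] += 1
        if event.get(avg_field) is not None:
            slot[1] += event[avg_field]
            slot[2] += 1
    # Assumption: avg over no values is reported as None, not 0.
    return {key: {"total": c, "avg_duration": (s / n if n else None)}
            for key, (c, s, n) in acc.items()}

# Constructed sample events; BASE is a multiple of 300 seconds.
BASE = 1_700_000_100
SAMPLE_EVENTS = [
    {"event_time": BASE + 10, "status": "200", "duration": 120},
    {"event_time": BASE + 70, "status": "200", "duration": 80},
    {"event_time": BASE + 299, "status": "500", "duration": 900},   # last second of bucket 1
    {"event_time": BASE + 300, "status": "500", "duration": 1100},  # first second of bucket 2
    {"event_time": BASE + 310, "status": "200"},                    # no duration recorded
]

if __name__ == "__main__":
    chart = timechart(SAMPLE_EVENTS, "5m", "event_time", "status", "duration")
    for (bucket, status), row in chart.items():
        print(bucket, status, row)
```

The two status 500 events are one second apart but land in different buckets, which is worth keeping in mind when a burst straddles a bucket boundary and each bucket's count stays below an alert threshold.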
See Also
- stats: tabular aggregation (alternative to timechart for non-time-series summaries)