timecluster
Use this command to group the timeseries charts together based on how similar they are to one another.
Syntax
timecluster [<timecluster_options>] <stats_function> (<field_name>) [as new_field_name] [, <stats_function> (<field_name>) [as new_field_name]]* by <field_name> [, <field_name>]*Parameters
The following table lists the parameters used with this command, along with their descriptions.
| Parameter | Description |
|---|---|
|
|
Use this parameter to specify how the data should be bucketed.
Permitted values for this parameter must follow the format |
|
|
Use this parameter to set the size of each bucket, using a span
length based on time. Permitted values for this parameter must follow the format
Use the Syntax for
|
|
|
Field must have a timestamp value. If not specified |
|
|
Reduce the number of aggregated values to return for a function. |
|
|
Name to display for the chart. |
You can use the functions that are associated with the
stats command with the timecluster command too. For
details about the functions and the examples of using the functions with the command, see
stats.
For example of using this command in typical scenarios, see:
The following query clusters the timeseries pattern by entity.
* | link Entity, Severity | stats sum('Content Size') as 'Content Size' | timecluster avg('Content Size') by EntityThe following query clusters the timeseries patterns by entity only for fatal logs.
* | link Entity, Severity | stats sum('Content Size') as 'Content Size' | addfields [ * | where Severity = fatal | timecluster avg('Content Size') by Entity ]