timestats
Use this command to generate data for displaying statistical trends over time, optionally grouped by field.
Topics:
Syntax
timestats [<timestats_options>] <stats_function / timestats_function> "("<field_name>")" [as new_field_name] [, <stats_function / timestats_function> "("<field_name>")" [as new_field_name]]* [by_<field_name>]Parameters
The following table lists the parameters used with this command, along with their descriptions.
| Parameter | Description |
|---|---|
|
|
Use this parameter to specify how the data should be bucketed.
Permitted values for this parameter must follow the format |
|
|
Use this parameter to set the size of each bucket, using a span
length based on time. Permitted values for this parameter must follow the format
|
|
|
Use this parameter to specify the time for sizing the buckets.
Permitted values for this parameter must be either
Syntax:
|
|
|
Field must have a timestamp value. If not specified
|
|
|
Reduce the number of aggregated values to return for a function. |
|
|
When grouping by fields, return n count of distinct groups with the largest aggregated values. |
|
|
When grouping by fields, return n count of distinct groups with the smallest aggregated values |
|
|
Name to display for the chart. |
You can use the functions that are associated with the
stats command with the timestats
command too. For details about the functions and the examples of using the functions with
the command, see stats.
Functions
The following table lists the functions available with this command, along with their examples.
| Function | Examples |
|---|---|
|
persecond: Returns one data point per span interval representing the average rate per second. |
|
|
perminute: Returns one data point per span interval representing the average rate per minute |
|
|
perhour: Returns one data point per span interval representing the average rate per hour |
|
|
perday: Returns one data point per span interval representing the average rate per day |
|
The following query returns the count of fatal log entries over the specified time range.
Severity = fatal | timestats countThe following query returns the count of logs bucketed into daily chunks.
* | timestats span = 1day countReturn the count of log entries, by target over the specified time range for the production targets:
'lifecycle status'='production' | search * | timestats count by targetTime series chart by entity on group property:
* | link Entity, Severity | stats sum('Content Size') as 'Content Size' | timestats avg('Content Size') by EntityTime series chart by entity only for fatal logs:
* | link Entity, Severity | stats sum('Content Size') as 'Content Size' | addfields [ * | where Severity = fatal | timestats avg('Content Size') by Entity ]Limit the time series chart to 20 values:
* | link Entity, Severity | stats sum('Content Size') as 'Content Size' | timestats maxvalues = 20 avg('Content Size')Return the time series charts for top 3 entities:
* | link Entity, Severity | stats sum('Content Size') as 'Content Size' | timestats topcount = 3 avg('Content Size') by EntityReturn the time series charts for bottom 3 entities:
* | link Entity, Severity | stats sum('Content Size') as 'Content Size' | timestats bottomcount = 3 avg('Content Size') by Entity