Splunk Cloud Platform

Splunk Cloud Platform Splunk Enterprise Data Management Splunk Observability Cloud Splunk IT Service Intelligence AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings Release Notes and Updates Supported Add-ons Splunk Style Guide

Splunk Cloud Platform Splunk Enterprise Data Management Splunk Observability Cloud Splunk IT Service Intelligence AppDynamics SaaS AppDynamics On-Premises AppDynamics SAP Agent Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings Release Notes and Updates Supported Add-ons Splunk Style Guide

Splunk Cloud Platform

Splunk Cloud Platform Contents

Get Started

Administer

Search

SPL2 Search Reference

timechart command

timechart command: Examples

Manage Knowledge Objects

Leverage REST APIs

Release Notes

Analytics and Insights

Create Dashboards and Reports

Alert and Respond

Apply Machine Learning

Data Sources

Get Data In

Ingest Data from Cloud Services

Forward and Process Data

Process Data at the Edge

Process Data at Ingest Time

Collect Stream Data

Connect Relational Databases

Common Information Model

InfoSec App for Splunk

OT Intelligence

Using Splunk Mobile

REST API Reference

SPL Search Reference

Splunk Validated Architectures

Developing Views and Apps for Splunk Web

MCP Server for Splunk Platform

timechart command: Examples

The following are examples for using the SPL2 timechart command.

1. Charting the count for each host in 1 hour increments

For each hour, calculate the count for each host value.

...| timechart span=1h count() by host

2. Charting the average of "CPU" for each "host"

For each minute, calculate the average value of "CPU" for each "host".

... | timechart span=1m avg(CPU) BY host

3. Charting the product of two averages for each host

For each minute, calculate the product of the average "CPU" and average "MEM" and group the results by each host value. This example uses an <eval-expression> with the avg stats function, instead of a field.

... | timechart span=1m eval(avg(CPU) * avg(MEM)) BY host

4. Charting the average of cpu_seconds by processor

Create a timechart of the average of cpu_seconds by processor, rounded to 2 decimal places.

... | timechart eval(round(avg(cpu_seconds),2)) BY processor

5. Charting the average "thruput" of hosts over time

Create a timechart of the average of the thruput field and group the results by each host value.

... | timechart span=5m avg(thruput) BY host

6. Aligning the chart time bins to local time

Align the time bins to 5 AM at local time. Set the span to 12h. The bins will represent 5 AM to 5 PM, then 5 PM to 5 AM the next day, and so on.

...| timechart _time span=12h aligntime=@d+5h

See also

timechart command

timechart command: Overview and syntax

timechart command: Usage

ON THIS PAGE

1. Charting the count for each host in 1 hour increments
2. Charting the average of "CPU" for each "host"
3. Charting the product of two averages for each host
4. Charting the average of cpu_seconds by processor
5. Charting the average "thruput" of hosts over time
6. Aligning the chart time bins to local time
See also

Last updated: January 16, 2026

Explore Topics

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Observability Cloud

Splunk IT Service Intelligence

AppDynamics SaaS

AppDynamics On-Premises

AppDynamics SAP Agent

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

Release Notes and Updates

Supported Add-ons

Splunk Style Guide

©2005-2025 Splunk Inc. All rights reserved.