Splunk Cloud Platform

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Documentation

Splunk Cloud Platform

Splunk Cloud Platform Contents

Get Started

Administer

Manage Knowledge Objects

Search

SPL2 Search Reference

Leverage REST APIs

Release Notes

Analytics and Insights

Create Dashboards and Reports

Alert and Respond

Apply Machine Learning

Data Sources

Get Data In

Ingest Data from Cloud Services

Forward and Process Data

Process Data at the Edge

Process Data at Ingest Time

Collect Stream Data

Connect Relational Databases

REST API Reference

SPL Search Reference

Splunk Validated Architectures

timechart command: Examples

The following are examples for using the SPL2 timechart command.

1. Chart the count for each host in 1 hour increments

For each hour, calculate the count for each host value.

...| timechart span=1h count() by host

2. Chart the average of "CPU" for each "host"

For each minute, calculate the average value of "CPU" for each "host".

... | timechart span=1m avg(CPU) BY host

3. Chart the product of two averages for each host

For each minute, calculate the product of the average "CPU" and average "MEM" and group the results by each host value. This example uses an <eval-expression> with the avg stats function, instead of a <field>.

... | timechart span=1m eval(avg(CPU) * avg(MEM)) BY host

4. Chart the average of cpu_seconds by processor

Create a timechart of the average of cpu_seconds by processor, rounded to 2 decimal places.

... | timechart eval(round(avg(cpu_seconds),2)) BY processor

5. Chart the average "thruput" of hosts over time

Create a timechart of the average of the thruput field and group the results by each host value.

... | timechart span=5m avg(thruput) BY host

6. Align the chart time bins to local time

Align the time bins to 5am (local time). Set the span to 12h. The bins will represent 5am - 5pm, then 5pm - 5am (the next day), and so on.

...| timechart _time span=12h aligntime=@d+5h

See also

timechart command

timechart command: Overview and syntax

timechart command: Usage

ON THIS PAGE

1. Chart the count for each host in 1 hour increments
2. Chart the average of "CPU" for each "host"
3. Chart the product of two averages for each host
4. Chart the average of cpu_seconds by processor
5. Chart the average "thruput" of hosts over time
6. Align the chart time bins to local time
See also

Last updated: May 28, 2025

Explore Topics

Splunk Observability Cloud

Splunk IT Service Intelligence

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

AppDynamics SaaS

About This Site

Community Support

Supported Add-ons

©2005-2025 Splunk Inc. All rights reserved.