
timechart

Create time-based aggregations with automatic bucketing. Visualize trends and patterns over time.

Description

The timechart command aggregates events into time buckets and calculates statistics for each bucket. Unlike bin + stats, timechart handles time bucketing automatically and produces output shaped for time-series visualization.

This command is essential for dashboards, trend analysis, and identifying temporal patterns in security events.

Syntax

... | timechart [cont=true] span=<duration> <function>([field]) [as <alias>] [by <split_field>]

Required Arguments

span
  Syntax: span=<duration>
  Description: Time bucket size (e.g., 5m, 1h, 1d)

function
  Syntax: <function>([field]) [as <alias>]
  Description: One or more aggregation functions (count, sum, avg, etc.)

Optional Arguments

by
  Syntax: by <field>
  Description: Split results by field values, creating a separate series for each unique value

cont
  Syntax: cont=true
  Description: Fill time gaps with zeros so the chart renders a continuous line. Without cont=true, only buckets that contain data are returned: if you have data at 10:00 and 10:05 but none from 10:01 to 10:04, those buckets are omitted. With cont=true, zero-valued rows are inserted for the empty buckets. The argument may appear anywhere in the command.

Examples

Hourly event count

* | timechart span=1h count()

Multiple metrics over time

* | timechart span=15m count() as events, sum(bytes) as total_bytes

Split by action

* | timechart span=1h count() by action

Average response time

* | timechart span=5m avg(response_time) as avg_ms

Failed logins over time

action=login status=failure
  | timechart span=10m count() by src_ip

Network traffic analysis

* | timechart span=1h sum(bytes_in) as inbound, sum(bytes_out) as outbound

Continuous timeline (fill gaps with zeros)

action=login status=failure
  | timechart cont=true span=1m count() by src_ip

Detect traffic spikes

* | timechart span=5m count() as events
  | where events > 1000

User activity timeline

* | timechart span=1h dc(user) as unique_users

Error rate over time

* | timechart span=15m count(eval(status>=500)) as errors, count() as total
  | eval error_rate = (errors / total) * 100

Compare time periods

* | timechart span=1d count() by severity

Usage Notes

Automatic bucketing: Time buckets align to standard interval boundaries (e.g., :00, :05, :10 for a 5m span), not to the timestamp of the first event.
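The alignment rule above and the cont=true gap filling described under Optional Arguments are easiest to see in a small model. The following Python is an added example, not nano SIEM code: it assumes ISO-8601 UTC timestamps in a _time field, a span given in seconds, and (an assumption of this model only) labels events that lack the split field as NULL.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not from the page): login attempts with gaps between them.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:12Z", "action": "login", "status": "failure", "src_ip": "10.0.0.5"},
    {"_time": "2024-05-01T10:00:40Z", "action": "login", "status": "failure", "src_ip": "10.0.0.5"},
    {"_time": "2024-05-01T10:02:03Z", "action": "login", "status": "success", "src_ip": "10.0.0.7"},
    {"_time": "2024-05-01T10:05:59Z", "action": "login", "status": "failure", "src_ip": "10.0.0.9"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def bucket_start(ts, span):
    """Align a timestamp down to a standard boundary (:00, :05, :10 ... for span=300)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)

def timechart_count(events, span, by=None, cont=False):
    """Model of `timechart [cont=true] span=<span> count() [by <by>]`.
    Returns an ordered dict {bucket_start: {series_name: count}}; span is in seconds."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        series = e.get(by, "NULL") if by else "count"  # "NULL" label is this model's assumption
        counts[bucket_start(parse_ts(e["_time"]), span)][series] += 1
    if not counts:
        return {}
    names = sorted({n for row in counts.values() for n in row})
    buckets = sorted(counts)
    if cont:
        # cont=true: emit every bucket between first and last, zero-filling the empty ones
        step, t, last = timedelta(seconds=span), buckets[0], buckets[-1]
        buckets = []
        while t <= last:
            buckets.append(t)
            t += step
    return {b: {n: counts.get(b, {}).get(n, 0) for n in names} for b in buckets}

def failed_logins_per_minute(events, cont):
    """`action=login status=failure | timechart [cont=true] span=1m count() by src_ip`"""
    matched = [e for e in events if e["action"] == "login" and e["status"] == "failure"]
    return timechart_count(matched, 60, by="src_ip", cont=cont)

if __name__ == "__main__":
    for when, row in failed_logins_per_minute(SAMPLE_EVENTS, cont=True).items():
        print(when.strftime("%H:%M"), dict(row))
```

Without cont the sample yields two rows (10:00 and 10:05); with cont=true it yields six, the four in between being all-zero series.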

Visualization: timechart output is optimized for line charts and area charts.

Split by cardinality: Splitting by a high-cardinality field (such as src_ip or user) creates one series per distinct value. Limit the series with where, or run top first to keep only the most frequent values.

Performance: More efficient than manual bin + stats for time-series data.

Related Commands

  • bin - Manual time bucketing
  • stats - General aggregation
  • chart - Non-time-based visualization