
Splunk timechart

Description

Creates a time series chart with a corresponding table of statistics.

A timechart is a statistical aggregation applied to a field to produce a chart, with time used as the X-axis. You can specify a split-by field, where each distinct value of the split-by field becomes a series in the chart. If you use an eval expression, the split-by clause is required. With the limit and agg options, you can specify series filtering. These options are ignored if you specify an explicit where-clause. If you set limit=0, no series filtering occurs.

Syntax

timechart [sep=<string>] [format=<string>] [partial=<bool>] [cont=<bool>] [limit=<int>] [agg=<stats-agg-term>] [<bin-options>...] ( (<single-agg> [BY <split-by-clause>]) | (<eval-expression>) BY <split-by-clause> )

Required arguments

When specifying timechart command arguments, either <single-agg> or <eval-expression> BY <split-by-clause> is required.

eval-expression
Syntax: <math-exp> | <concat-exp> | <compare-exp> | <bool-exp> | <function-call>
Description: A combination of literals, fields, operators, and functions that represent the value of your destination field. For these evaluations to work, your values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations might not produce valid results if the values are not numerical. Additionally, the search can concatenate the two operands if they are both strings. When concatenating values with a period '.', the search treats both values as strings, regardless of their actual data type.

single-agg
Syntax: count | <stats-func>(<field>)
Description: A single aggregation applied to a single field, including an evaluated field. The field must be specified, except when using the count function, which applies to events as a whole.

split-by-clause
Syntax: <field> [<tc-options>]... [<where-clause>]
Description: Specifies a field to split the results by. If the field is numerical, default discretization is applied. Discretization is defined with the tc-options. Use the <where-clause> to specify the number of columns to include. See the tc options and the where clause sections in this topic.

Optional arguments

agg=<stats-agg-term>
Syntax: agg=( <stats-func> ( <evaled-field> | <wc-field> ) [AS <wc-field>] )
Description: A statistical aggregation function. The function can be applied to an eval expression, or to a field or set of fields. Use the AS clause to place the result into a new field with a name that you specify. You can use wildcard characters in field names.

bin-options
Syntax: bins | minspan | span | <start-end> | aligntime
Description: Options that you can use to specify discrete bins, or groups, to organize the information. The bin-options set the maximum number of bins, not the target number of bins. See the Bin options section in this topic.
Default: bins=100

cont
Syntax: cont=<bool>
Description: Specifies whether the chart is continuous or not. If set to true, the Search application fills in the time gaps.
Default: true

dedup_splitvals
Syntax: dedup_splitvals=<bool>
Description: Specifies whether to remove duplicate values in multivalued <split-by-clause> fields.
Default: false

fixedrange
Syntax: fixedrange=<bool>
Description: Specifies whether or not to enforce the earliest and latest times of the search. Setting fixedrange=false allows the timechart command to constrict or expand to the time range covered by all events in the dataset.
Default: true

format
Syntax: format=<string>
Description: Used to construct output field names when multiple data series are used in conjunction with a split-by field. format takes precedence over sep and allows you to specify a parameterized expression with the stats aggregator and function ($AGG$) and the value of the split-by field ($VAL$).

limit
Syntax: limit=(top | bottom) <int>
Description: Specifies a limit for the number of distinct values of the split-by field to return. If set to limit=0, all distinct values are used. Setting limit=N or limit=top N keeps the N highest scoring distinct values of the split-by field. Setting limit=bottom N keeps the N lowest scoring distinct values of the split-by field. All other values are grouped into 'OTHER', as long as useother is not set to false. If a single aggregation is specified, the score is based on the sum of the values in the aggregation for that split-by value. For example, for timechart avg(foo) BY <field>, the avg(foo) values are added up for each value of <field> to determine the scores. If multiple aggregations are specified, the score is based on the frequency of each value of <field>. For example, for timechart avg(foo) max(bar) BY <field>, the top scoring values for <field> are the most common values of <field>. Ties in scoring are broken lexicographically, based on the value of the split-by field. For example, 'BAR' takes precedence over 'bar', which takes precedence over 'foo'.
Default: top 10

partial
Syntax: partial=<bool>
Description: Controls if partial time bins should be retained or not.
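The limit scoring, OTHER grouping, cont gap-filling, fixedrange and partial rules described above are easier to reason about when they can be run against a handful of events. The Python below is an added model written for this page, not Splunk's own implementation of timechart; the failed-logon events are constructed, and the `index=auth`, `action` and `src_ip` names in its docstring are assumptions about a data source that may not exist in your environment.

```python
"""Toy model of Splunk's timechart: span binning, split-by series, limit
scoring with OTHER grouping, cont gap-filling, fixedrange and partial.
Added example, not Splunk's code. The failed-logon events are constructed,
and the search below assumes an index named auth and fields action/src_ip
that may not exist in your environment:

  index=auth action=failure
  | timechart span=1h limit=2 useother=true cont=true count BY src_ip
"""
from collections import Counter

SPAN = 3600  # span=1h, in seconds

# Constructed sample (not real data): (epoch seconds, src_ip) of failed logons.
EVENTS = [
    (1000, "10.0.0.1"), (1100, "10.0.0.2"), (1200, "10.0.0.1"),
    (4000, "10.0.0.3"), (4100, "10.0.0.1"),
    # nothing between 7200 and 10800: cont=true still emits that bin, zero-filled
    (11000, "10.0.0.2"), (11100, "10.0.0.2"), (11200, "10.0.0.4"),
]


def bin_start(t, span=SPAN):
    """Align a timestamp to the start of its span-wide bin."""
    return t - (t % span)


def score_series(events):
    """Score each split-by value for a single aggregation (count): the sum of
    the aggregated values, i.e. the total count. Highest score first; ties are
    broken lexicographically, so 'BAR' precedes 'bar' precedes 'foo'."""
    totals = Counter(value for _, value in events)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def select_series(events, limit=10, bottom=False):
    """limit=N / limit=top N keeps the N highest-scoring values,
    limit=bottom N the N lowest, limit=0 keeps every distinct value."""
    ranked = score_series(events)
    if limit == 0:
        return [value for value, _ in ranked]
    if bottom:
        ranked = sorted(ranked, key=lambda kv: (kv[1], kv[0]))
    return [value for value, _ in ranked[:limit]]


def timechart_count(events, span=SPAN, limit=10, bottom=False, useother=True,
                    cont=True, earliest=None, latest=None, fixedrange=True,
                    partial=True):
    """Model of `timechart span=<span> limit=<limit> count BY <field>`.
    Returns one row per bin: {"_time": bin_start, <series>: count, ..., "OTHER": n}."""
    kept = select_series(events, limit, bottom)
    distinct = {value for _, value in events}
    columns = kept + (["OTHER"] if useother and len(kept) < len(distinct) else [])
    rows = {}
    for t, value in events:
        row = rows.setdefault(bin_start(t, span), {c: 0 for c in columns})
        if value in kept:
            row[value] += 1
        elif useother:
            row["OTHER"] += 1  # values outside the limit are folded into OTHER
    if not rows:
        return []
    # fixedrange=true pins the axis to the search window; false shrinks it to the data
    lo = bin_start(earliest, span) if fixedrange and earliest is not None else min(rows)
    hi = bin_start(latest, span) if fixedrange and latest is not None else max(rows)
    bins = range(lo, hi + span, span) if cont else sorted(rows)
    out = []
    for b in bins:
        if not partial and earliest is not None and latest is not None:
            # partial=false drops an edge bin that the search window covers only partly
            if b < earliest or b + span > latest:
                continue
        out.append({"_time": b, **rows.get(b, {c: 0 for c in columns})})
    return out


if __name__ == "__main__":
    for row in timechart_count(EVENTS, limit=2, earliest=500, latest=12000):
        print(row)
```

Two points the model makes visible for detection work: with the default limit=top 10 and useother=true, a low-volume source such as a slow password-spraying host is folded into OTHER and never appears as its own series, so hunting searches should use limit=0 or an explicit where clause; and the first and last bins of a search window are usually partial, so a per-bin count at either edge understates the real rate unless partial=false is set or the window is aligned to the span.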
