Splunk SPL Commands

What Is the timechart Command?

The timechart command is Splunk's primary tool for time-series statistical analysis. It buckets events into fixed intervals on _time, applies aggregate functions to each bucket, and returns one row per bucket, which is why it backs most time-series dashboard panels. If stats is the engine of SPL, timechart is the dashboard fuel.

Core Syntax

| timechart [span=<time-range>] <function>(<field>) [BY <split-field>]

The span argument controls the time bucket size. Without it, Splunk picks a bucket size from the search's time range, so the same search returns different granularity for a 4-hour window than for a 30-day one. In saved searches and alerts, set span explicitly so a threshold means the same thing on every run.

Common Span Values

Span       Use Case
span=1m    Real-time monitoring, high-frequency events
span=5m    Near real-time alerting
span=1h    Hourly trend analysis
span=1d    Daily summaries, compliance reporting
span=1w    Weekly executive reports

Security Operations Examples

1. Authentication Failure Trends (NIST AC-7)

Visualize failed login trends over time to detect brute-force and password-spray campaigns and to support AC-7 (unsuccessful logon attempts) monitoring.

index=security sourcetype=WinEventLog:Security EventCode=4625
| timechart span=1h count BY Account_Name

Splitting BY Account_Name pivots each account into its own column, so the result has no count field left to filter on; a trailing | where count > 5 would match nothing. To apply a per-account threshold, unpivot with untable first. limit=0 keeps every account as its own series instead of collapsing everything outside the top ten into OTHER, which matters when an attacker sprays many low-volume accounts:

index=security sourcetype=WinEventLog:Security EventCode=4625
| timechart span=1h limit=0 count BY Account_Name
| untable _time Account_Name failures
| where failures > 5

2. Firewall Denied Connections by Zone

Track denied connections across network zones to identify scanning activity or misconfigured rules.

index=network sourcetype=firewall action=denied
| timechart span=15m count BY dest_zone

3. Data Ingestion Volume Monitoring

Monitor indexing throughput per index for capacity planning and cost management. The per_index_thruput metrics sample indexing volume (the series field is the index name); the authoritative figure for license compliance is the license manager's license_usage.log, not this metric.

Convert units before the split, because after BY series the output has one column per index and no single total_kb field to run eval against:

index=_internal sourcetype=splunkd group=per_index_thruput
| eval gb = kb / 1048576
| timechart span=1h sum(gb) AS total_gb BY series

4. Malware Detection Rate Over Time

Daily count of endpoint detections per threat name, keeping the ten most frequent threats as their own series and folding the rest into OTHER:

index=endpoint sourcetype=symantec:ep:risk
| timechart span=1d count BY Risk_Name limit=10

Advanced Techniques

The limit Argument

When splitting by a field with many values, use limit to control how many series appear. By default timechart keeps the ten series with the largest total and groups the remaining values into "OTHER"; limit=0 keeps every value as its own series.

| timechart span=1h count BY src_ip limit=5

Using useother and usenull

| timechart span=1h count BY status useother=false usenull=false

Set useother=false to hide the "OTHER" series entirely (the events are dropped from the chart, not merged elsewhere), and usenull=false to exclude events where the split field is missing, which would otherwise appear as a "NULL" series.

Combining with where for Threshold Alerting

Without a BY clause the output keeps a single named count column, so a plain where works directly on it:

index=security sourcetype=WinEventLog:Security EventCode=4625
| timechart span=5m count AS failures
| where failures > 50
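The following Python script is an added example and is not part of the original post or of Splunk itself: it emulates, on constructed sample events, what timechart count does to data, so the span bucketing, limit/OTHER, usenull/useother and threshold behaviour described above can be traced by hand. It also reproduces the pitfall from example 1 (filtering on count after a BY split) and the untable fix. Bucket alignment is simplified to the Unix epoch in UTC, and the sample Account_Name values are invented.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample data (hypothetical, not real log lines): the timestamp
# and Account_Name of EventCode 4625 failures. None = event lacks the field.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:10+00:00", "alice"),
    ("2024-05-01T10:01:30+00:00", "alice"),
    ("2024-05-01T10:02:05+00:00", "alice"),
    ("2024-05-01T10:03:45+00:00", "alice"),
    ("2024-05-01T10:04:50+00:00", "bob"),
    ("2024-05-01T10:05:15+00:00", "alice"),
    ("2024-05-01T10:06:00+00:00", "carol"),
    ("2024-05-01T10:07:20+00:00", "dave"),
    ("2024-05-01T10:08:59+00:00", None),
    ("2024-05-01T10:15:01+00:00", "bob"),
    ("2024-05-01T10:16:40+00:00", "bob"),
    ("2024-05-01T10:17:30+00:00", "alice"),
]

SPAN_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_span(span):
    """'5m' -> 300 seconds. Only fixed-width units are modelled."""
    return int(span[:-1]) * SPAN_UNITS[span[-1]]


def to_epoch(ts):
    return int(datetime.fromisoformat(ts).timestamp())


def bucket_start(epoch, span_seconds):
    # Simplification: buckets are aligned to the Unix epoch (UTC). Splunk
    # aligns day-or-longer spans to local midnight, which is not modelled.
    return epoch - epoch % span_seconds


def timechart(events, span, split_by=False, limit=10, useother=True, usenull=True):
    """Rows sorted by _time, like 'timechart count [BY Account_Name]'.
    Without a split: a single 'count' column. With a split: one column per
    series plus optional OTHER and NULL columns. Empty buckets are zero-filled
    (timechart's cont=true default)."""
    span_s = parse_span(span)
    if not events:
        return []
    starts = [bucket_start(to_epoch(ts), span_s) for ts, _ in events]
    buckets = list(range(min(starts), max(starts) + span_s, span_s))
    if not split_by:
        counts = Counter(starts)
        return [{"_time": b, "count": counts.get(b, 0)} for b in buckets]
    # usenull=false drops field-less events before series selection.
    kept = [(b, v) for b, (_, v) in zip(starts, events) if v is not None or usenull]
    # Series selection: top-N values by total count over the whole range
    # (timechart's default); limit=0 keeps every value.
    totals = Counter(v for _, v in kept if v is not None)
    top = [v for v, _ in totals.most_common(limit)] if limit else list(totals)
    series = list(top)
    if useother and any(v is not None and v not in top for _, v in kept):
        series.append("OTHER")
    if usenull and any(v is None for _, v in kept):
        series.append("NULL")
    cells = defaultdict(int)
    for b, v in kept:
        if v is None:
            col = "NULL"
        elif v in top:
            col = v
        elif useother:
            col = "OTHER"
        else:
            continue  # useother=false: values outside the top-N are hidden
        cells[(b, col)] += 1
    return [{"_time": b, **{s: cells[(b, s)] for s in series}} for b in buckets]


def untable(rows, name_field, value_field):
    """Like SPL untable: pivot series columns back into long
    (_time, name, value) rows so a per-series threshold can be applied."""
    return [{"_time": r["_time"], name_field: k, value_field: v}
            for r in rows for k, v in r.items() if k != "_time"]


def where_gt(rows, field, threshold):
    """SPL where: a missing field evaluates to false, so the row is dropped."""
    return [r for r in rows if r.get(field) is not None and r[field] > threshold]


def fmt(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%H:%M")


if __name__ == "__main__":
    plain = timechart(SAMPLE_EVENTS, "5m")
    print("count per 5m:", [(fmt(r["_time"]), r["count"]) for r in plain])
    print("buckets over 3:", [fmt(r["_time"]) for r in where_gt(plain, "count", 3)])
    split = timechart(SAMPLE_EVENTS, "5m", split_by=True, limit=2)
    for r in split:
        print(fmt(r["_time"]), {k: v for k, v in r.items() if k != "_time"})
    # The '... BY Account_Name | where count > N' pattern: no count column exists.
    print("where count after split:", where_gt(split, "count", 3))
    hits = where_gt(untable(split, "Account_Name", "count"), "count", 3)
    print("per-account over 3:", [(fmt(h["_time"]), h["Account_Name"], h["count"]) for h in hits])
```

Running it shows the 10:10 bucket zero-filled, carol and dave collapsed into OTHER under limit=2, the field-less event in NULL, an empty result for the where-after-split pattern, and the single (10:00, alice, 4) hit once the rows are unpivoted.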

timechart vs. chart vs. stats

Command     Time Axis                  Best For
timechart   Automatic (_time)          Time-series dashboards, trend analysis
chart       User-defined (any field)   Multi-dimensional comparisons
stats       None                       Raw aggregation, reports, tables

Best Practices

  • Choose span intentionally — Too granular and you get noise; too wide and you miss spikes. Match span to your alerting or reporting cadence.
  • Use limit to control cardinality — High-cardinality split fields (like src_ip) can create unreadable charts. Limit to 5-10 series.
  • Pair with trendline — Layer | trendline sma5(count) AS trend after timechart for smoothed trend lines.
  • Use for dashboards, not ad-hoc: timechart is bin plus stats under the hood, so it is not faster or slower than stats, but its pivoted output (one column per series) is awkward to filter, join or threshold. For quick exploration or per-series alerting, bin _time followed by stats ... BY _time <field> gives a flat table; use timechart when you need visual time-series output.

Next in the Rhombic SPL Series → Splunk chart Command: multi-dimensional summaries beyond the time axis.