Examples - Time Series

Apart from the basic statistics of a variable, how it changes over time is another important thing we care about. From the time series of a variable, potentially anomalous activity can be found: a region or API call that shows up for the first time, a burst of events in one hour that is far above the usual rate, or a value that silently stops appearing.

Time series are produced by the timechart command. In the functions below, events of type @cloudtrail from the seven days before today (from="-7d@d" to "@d") are searched, the field of interest and the timestamp are extracted with f(), and timechart {span="1h"} buckets the events into one-hour spans and counts them per value of that field.

function aws_Region_timechart()
    search {from="-7d@d", to="@d"} sContent("@event_type","@cloudtrail")
    let {awsRegion} =f("@cloudtrail")
    let timestamp=f("@timestamp")
    timechart {span="1h"} count_Region_timechart=count() by awsRegion
end
function aws_eventName_timechart()
    search {from="-7d@d", to="@d"} sContent("@event_type","@cloudtrail")
    let {eventName} =f("@cloudtrail")
    let timestamp=f("@timestamp")
    timechart {span="1h"} count_eventName_timechart=count() by eventName
end
function aws_eventType_timechart()
    search {from="-7d@d", to="@d"} sContent("@event_type","@cloudtrail")
    let {eventType} =f("@cloudtrail")
    let timestamp=f("@timestamp")
    timechart {span="1h"} count_eventType_timechart=count() by eventType
end
stream aws_Region_timechart=aws_Region_timechart()
stream aws_eventName_timechart=aws_eventName_timechart()
stream aws_eventType_timechart=aws_eventType_timechart()

In this example, the time series of AWS region, event name and event type are given, each as an hourly count over the seven-day window, so that a new region, an unusual API call or a spike in console sign-ins stands out against the previous days.
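To make concrete what `timechart {span="1h"} count() by <field>` computes, and how its output is then read for anomalies, here is an added Python re-implementation that is not part of the page or of the query language it documents. It buckets constructed CloudTrail-shaped records (field names awsRegion, eventName, eventType and eventTime mirror CloudTrail; the records themselves are made up) into hourly spans, keeps empty buckets so that gaps are visible, and flags any value whose count in one hour is well above its median across the window. The spike threshold (3x the median, at least 2 events) is an assumption chosen for the sample, not a rule from the page.

```python
"""Added example: an hourly count-by-field time series over CloudTrail-style
records, plus a simple per-value spike check. Sample data is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

SPAN_1H = 3600  # seconds, the page's span="1h"


def _ev(event_time, region, name, event_type="AwsApiCall"):
    """Build one constructed CloudTrail-shaped record (sample data, not a real trail)."""
    return {"eventTime": event_time, "awsRegion": region,
            "eventName": name, "eventType": event_type}


# Constructed sample: six quiet hours of read-only calls from us-east-1, one
# console sign-in at 01:30, and a burst of IAM writes at 03:3x from eu-west-3,
# a region that appears nowhere else in the window.
SAMPLE_EVENTS = [
    _ev("2024-05-01T00:05:10Z", "us-east-1", "DescribeInstances"),
    _ev("2024-05-01T00:41:52Z", "us-east-1", "GetCallerIdentity"),
    _ev("2024-05-01T01:07:33Z", "us-east-1", "DescribeInstances"),
    _ev("2024-05-01T01:30:00Z", "us-east-1", "ConsoleLogin", "AwsConsoleSignIn"),
    _ev("2024-05-01T02:14:09Z", "us-east-1", "DescribeInstances"),
    _ev("2024-05-01T02:55:47Z", "us-east-1", "GetCallerIdentity"),
    _ev("2024-05-01T03:02:11Z", "us-east-1", "DescribeInstances"),
    _ev("2024-05-01T03:20:18Z", "us-east-1", "GetCallerIdentity"),
] + [
    _ev(f"2024-05-01T03:{minute:02d}:00Z", "eu-west-3", name)
    for minute, name in ((31, "CreateUser"), (32, "CreateAccessKey"),
                         (33, "AttachUserPolicy"), (34, "CreateUser"),
                         (35, "CreateAccessKey"), (36, "AttachUserPolicy"))
] + [
    _ev("2024-05-01T04:18:40Z", "us-east-1", "DescribeInstances"),
    _ev("2024-05-01T04:50:02Z", "us-east-1", "GetCallerIdentity"),
    _ev("2024-05-01T05:09:27Z", "us-east-1", "DescribeInstances"),
    _ev("2024-05-01T05:44:13Z", "us-east-1", "GetCallerIdentity"),
]


def parse_event_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bucket_start(ts, span_seconds):
    """Floor a timestamp to the start of its span (the timechart bucket)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span_seconds, tz=timezone.utc)


def timechart(events, by, span_seconds=SPAN_1H):
    """Equivalent of `timechart {span=...} count() by <field>`.

    Returns {bucket_iso: {field_value: count}} with buckets in time order and
    every bucket between the first and last event present, even when empty:
    a value that stops appearing is as interesting as one that spikes."""
    counts = defaultdict(Counter)
    for event in events:
        bucket = bucket_start(parse_event_time(event["eventTime"]), span_seconds)
        counts[bucket][event.get(by, "<missing>")] += 1
    if not counts:
        return {}
    first, last = min(counts), max(counts)
    chart, bucket = {}, first
    while bucket <= last:
        chart[bucket.strftime("%Y-%m-%dT%H:%M:%SZ")] = dict(counts.get(bucket, {}))
        bucket += timedelta(seconds=span_seconds)
    return chart


def flag_spikes(chart, factor=3.0, min_count=2):
    """Return (bucket, value, count, baseline) for every bucket where a value's
    count exceeds `factor` times its median over all buckets (zeros included,
    so a value seen in only one hour has baseline 0) and is at least `min_count`.
    The thresholds are assumptions for this sample, not the page's rule."""
    buckets = list(chart)
    values = {value for row in chart.values() for value in row}
    flagged = []
    for value in sorted(values):
        series = [chart[b].get(value, 0) for b in buckets]
        baseline = median(series)
        for bucket, n in zip(buckets, series):
            if n >= min_count and n > factor * baseline:
                flagged.append((bucket, value, n, baseline))
    return flagged


if __name__ == "__main__":
    for field in ("awsRegion", "eventName", "eventType"):
        chart = timechart(SAMPLE_EVENTS, field)
        print(f"== count() by {field}, span=1h")
        for bucket, row in chart.items():
            print(f"  {bucket}  {row}")
        for bucket, value, n, baseline in flag_spikes(chart):
            print(f"  SPIKE {bucket} {field}={value}: {n} events (median {baseline})")
```

Run as a script, the awsRegion chart shows eu-west-3 only in the 03:00 bucket with 6 events and flags it; the eventName chart flags CreateUser, CreateAccessKey and AttachUserPolicy in that same hour while the routine DescribeInstances and GetCallerIdentity calls stay flat; the eventType chart flags the 03:00 AwsApiCall total (8 against a median of 2) but not the single AwsConsoleSignIn, which is below min_count. Reading the three series side by side is what the page's three stream definitions are for: the same hour lights up in each of them.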