Timecluster Command

Use this command to group the time-series charts together based on how similar they are to one another.

Syntax

timecluster [<timecluster_options>] <stats_function> (<field_name>) [as new_field_name] [, <stats_function> (<field_name>) [as new_field_name]]* by <field_name> [, <field_name>]*

Parameters

The following table lists the parameters used with this command, along with their descriptions.

Parameter	Description
`span`	Use this parameter to set the size of each bucket, using a span length based on time. Permitted values for this parameter must follow the format `<int><timescale>`.
`timescale`	Use this parameter to specify the time for sizing the buckets. Permitted values for this parameter must be either `<sec>`, `<min>`, `<hour>`, `<day>`, `<week>`, or `<mon>`. Syntax for the permitted values: `sec`: `s` \| `sec` \| `secs` \| `second` \| `seconds` `min`: `m` \| `min` \| `mins` \| `minute` \| `minutes` `hour`: `h` \| `hr` \| `hrs` \| `hour` \| `hours` `day`: `d` \| `day` \| `days` `week`: `w` \| `week` \| `weeks` `month`: `mon` \| `month` \| `months`
`field`	The field must have a timestamp value. If not, `Start Time` is used.
`limit`	Use this parameter to specify the number of values to return for each function.
`chart_name`	Use this parameter to specify the name to display for the chart.

Cluster time-series pattern by entity:

* | link Entity | stats sum('Content Size') as 'Content Size'  | timecluster avg('Content Size') by Entity