If You Like It Then You Should've Put a timechart on It
Hey thrunters, gather ’round: timechart’s up
Welcome back to SPL Dispatch, a short, practical series on SPL commands you’ll actually use in the trenches.
We’ve tamed tstats. We’ve befriended eventstats. Now it’s time to take things temporal. Enter: timechart.
Why timechart Matters
Security trends happen over time: peaks, dips, patterns. Without time-series aggregation, you're flying blind. timechart turns raw logs into timelines you can read at a glance.
It’s perfect for:
Spotting anomalies
Baselining behavior
Showing off in dashboards
The Basics
... | timechart count by sourcetype
You’ll get a time series of event counts for each sourcetype. Swap in avg(bytes) or sum(bytes) if you're tracking volume.
Threat Hunting Use Cases
Detect Beaconing:
index=thrunt sourcetype=proxy_logs
| timechart span=1m count by dest_ip
| fillnull value=0
Look for a consistent interval in outbound requests, especially when the count flatlines across time. Bots love regularity.
Sure, you could try to bin _time manually and stitch together a stats table… but that’s like using a butter knife to cut a steak. timechart is made for this. It gives you time resolution, trendlines, and gaps. All in one. Voila. 🤌
Lateral Movement Patterns:
index=thrunt sourcetype=wineventlog EventCode=4672
| timechart span=15m count by src_ip
Why Event Code 4672?
This Windows Security event fires when a user receives special privileges, like SeDebugPrivilege or SeTcbPrivilege, which are typically assigned to high-value accounts (admins, service accounts, etc.). These are the keys to the kingdom.
Special privileges don’t just get handed out for fun. A sharp spike in 4672 events from a single src_ip, especially outside business hours or across multiple hosts, can signal lateral movement or privilege escalation in progress.
timechart makes those patterns obvious. Instead of scrolling through raw events, you’ll see sudden bursts that break the baseline. A quiet host that lights up with privilege use? That’s not routine. That’s a thrunt-worthy lead.
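To make it concrete, here is an added example, not code from this post or from Splunk: a small Python re-implementation of what `timechart span=<s> count by <field> | fillnull value=0` computes, run over constructed log events, followed by the two reads described above: a flat per-minute count to one dest_ip (the beaconing case) and a sudden burst of 4672 events from one src_ip that breaks a quiet baseline (the lateral movement case). The optional limit argument mirrors the top-N-plus-OTHER folding that the limit= tip refers to (top-N by summed count is an assumption about the ordering). All field names, IPs and timestamps are constructed.

```python
# Added example (not from the SPL Dispatch post or from Splunk): a Python
# re-implementation of `timechart span=<s> count by <field> | fillnull value=0`,
# plus the beacon and privilege-spike reads the post describes.
# All field names, IPs and timestamps below are constructed.
from collections import Counter, defaultdict
from statistics import mean, pstdev


def timechart_count(events, span_seconds, by_field, fill=0, limit=None):
    """Bucket events into fixed spans and count per value of by_field.

    Returns (buckets, series): buckets is the sorted list of bucket-start epochs,
    series maps each by-value to a list of counts aligned with buckets. Empty
    buckets get `fill` (what `| fillnull value=0` does). `limit` keeps the top-N
    values by total count and folds the rest into "OTHER" (assumption: this is
    how timechart's default limit/useother ordering behaves).
    """
    per_bucket = defaultdict(Counter)  # bucket start -> Counter of by-values
    totals = Counter()
    for e in events:
        bucket = int(e["_time"] // span_seconds) * span_seconds
        per_bucket[bucket][e[by_field]] += 1
        totals[e[by_field]] += 1
    if not per_bucket:
        return [], {}
    buckets = list(range(min(per_bucket), max(per_bucket) + span_seconds, span_seconds))
    keep = sorted(totals)
    if limit is not None and len(keep) > limit:
        keep = [v for v, _ in totals.most_common(limit)]
    series = {v: [per_bucket[b].get(v, fill) for b in buckets] for v in keep}
    other = [v for v in totals if v not in series]
    if other:
        series["OTHER"] = []
        for b in buckets:
            total = sum(per_bucket[b].get(v, 0) for v in other)
            series["OTHER"].append(total if total else fill)
    return buckets, series


def beacon_candidates(series, max_cv=0.2, min_buckets=5):
    """Flag by-values whose count never drops to zero and barely varies
    (low coefficient of variation): the 'flatline' the post describes."""
    out = {}
    for value, counts in series.items():
        if len(counts) < min_buckets or min(counts) == 0:
            continue
        cv = pstdev(counts) / mean(counts)
        if cv <= max_cv:
            out[value] = round(cv, 3)
    return out


def spike_buckets(buckets, series, k=3.0, min_history=4, min_count=5):
    """Flag buckets whose count exceeds mean + k*stdev of the buckets before it.
    min_count stops a single event on an all-quiet host from firing."""
    hits = []
    for value, counts in series.items():
        for i in range(min_history, len(counts)):
            history = counts[:i]
            threshold = mean(history) + k * pstdev(history)
            if counts[i] >= min_count and counts[i] > threshold:
                hits.append((value, buckets[i], counts[i]))
    return hits


T0 = 1704099600  # 2024-01-01 09:00:00 UTC, constructed start time

# Constructed proxy events: one dest_ip contacted once a minute, another in bursts.
PROXY = [{"_time": T0 + 60 * i + 7, "dest_ip": "203.0.113.10"} for i in range(10)]
PROXY += [{"_time": T0 + off, "dest_ip": "198.51.100.5"}
          for off in (5, 12, 15, 20, 310, 312, 480, 481, 483, 490, 495)]

# Constructed 4672 events: a steady admin workstation and a quiet host that lights up.
WINEVT = [{"_time": T0 + b * 900 + off, "EventCode": 4672, "src_ip": "10.0.0.5"}
          for b in range(8) for off in (100, 200)]
WINEVT += [{"_time": T0 + 6 * 900 + j * 10, "EventCode": 4672, "src_ip": "10.0.0.77"}
           for j in range(12)]


def hunt():
    """Run both reads over the constructed data and return the findings."""
    _, proxy_series = timechart_count(PROXY, 60, "dest_ip")       # span=1m
    beacons = beacon_candidates(proxy_series)
    buckets, win_series = timechart_count(WINEVT, 900, "src_ip")  # span=15m
    spikes = spike_buckets(buckets, win_series)
    return beacons, spikes


if __name__ == "__main__":
    beacons, spikes = hunt()
    print("beacon candidates (dest_ip -> CV of per-minute count):", beacons)
    for src, start, n in spikes:
        print(f"4672 spike: src_ip={src} bucket_start={start} count={n}")
```

The per-minute series for the beaconing dest_ip is ten buckets of exactly 1, so its coefficient of variation is 0 and it is flagged; the browsing host has empty minutes and is not. In the 4672 data the admin workstation sits at a flat 2 per 15 minutes and never crosses its own baseline, while the quiet host's 12 events in one bucket stand out against six empty ones, which is the "quiet host that lights up" read from the text.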
Quick Tips
span= controls the resolution. Start wider (1h) and zoom in (1m) if needed.
Use limit=0 when breaking out many values; otherwise timechart caps the number of series and folds the rest into OTHER.
Null values in the chart? Try | fillnull value=0 to keep it clean, as shown in the first use case.
Your Move
Drop this into your next hunt, dashboard, or detection. timechart makes the invisible visible. Just give it a span, a metric, and a reason.
Got a favorite way to use timechart?
Post it in the comments or bring it to Ask-a-Thrunter at the end of every month.
YAAASS!! You are speaking my language (except you speak Splunk, I speak bm90c3BsdW4=)
I love a good chart to kick off an exploratory hunt.
Gives me a lay of the land.
Bird's-eye view.
Big fan!