Chart gallery
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Chart gallery
You can use Splunk's report builder, combined with Splunk's powerful reporting command language, to generate charts that visualize report data in a number of different ways.
In this topic we discuss the different kinds of charts that Splunk makes available to you and describes some of the situations that each chart type is best suited for.
For more information about the report builder, see Define reports and generate charts in this manual.
Column and bar charts
Use a column chart or bar chart to compare the frequency of values of fields in your data. In a column chart, the x-axis values are typically field values (or time) and the y-axis can be any other field value, count of values, or statistical calculation of a field value. Bar charts are exactly the same, except that the x-axis and y-axis values are reversed.
The following column chart presents the results of this search, which uses internal Splunk metrics. It finds the total sum of CPU_seconds by processor, and then arranges the processors with the top ten sums in descending order:
index=_internal "group=pipeline" | stats sum(cpu_seconds) as totalCPUSeconds by processor | sort 10 totalCPUSeconds desc 
Stacked column and bar charts
You can also use stacked column charts and stacked bar charts to compare the frequency of values of fields in your data. A stacked column chart is the same as a regular column chart, except all of the columns are segments of a single column. The value of the total column is the sum of the segments.
Note: You can use a stacked column or bar chart to highlight the relative weight (importance) of data within a set of your data.
The following chart illustrates the usage of Splunk manuals shortly after the release of Splunk 4. Each column segment represents the number of page views for a particular manual in a 10-minute-long slice of time:
Line chart
Use a line chart to show trends in your data over time or another field. You can display more than one series in a line chart.
Area chart
Use an area chart to display trends in your data either over time or in comparison to another field value. The shaded areas under the data points help emphasize quantities.
The following area chart is derived from this search:
sourcetype="tcptrace" | search host1_rexmt_data_pkts>0 OR host2_rexmt_data_pkts>0 | timechart max(host1_rexmt_data_pkts),max(host2_rexmt_data_pkts) | fillnull value=0 | rename max(host1_rexmt_data_pkts) as "Packet Retransmits from me",max(host2_rexmt_data_pkts) as "Packet Retransmits to me"
Stacked area chart
Use a stacked area chart to show multiple series among the trends in your data the way an area chart can. A stacked area chart shows how each data series relates to the entire set of data as a whole.
The following chart is another example of a chart that presents information from internal Splunk metrics. The search used to create it is:
index=_internal per_sourcetype_thruput | timechart sum(kb) by series useother=f
Pie chart
Use a pie chart to show the relationship of parts of your data to the entire set of data as a whole. The size of a slice in a pie graph is determined by the size of a value of part of your data as a percentage of the total of all values.
The following pie chart presents the network traffic "pools" with the most activity over the past 24 hours. Note that you can get metrics for individual pie chart wedges by mousing over them.
Scatter chart
Use a scatter chart ( or "scatter plot") to show trends in the relationships between discrete values of your data. Generally, a scatter plot shows discrete values that do not occur at regular intervals or belong to a series. This is different from a line graph, which usually plots a regular series of points.
Another way of looking at scatter plots is they help you visualize situations where you may have multiple y-axis values for each x-axis value even though you're not charting multiple series. This can happen if you graph events directly with a search like:
* | fields - _* | fields clientip bytesThis search finds all of the packets recieved from various clientips and then orders them according to the number of bytes in each packet.
- Note that the search removes all fields with a leading underscore, such as the
_timefield. - The second
fieldscommand isolates the two fields that you want for the x and y axis of the chart, respectively. The y axis value should be numerical for best results. (So in this case, the x axis isclientipwhile the y axis isbytes.)
Note: To create a scatter plot chart like this, you need to enter the reporting commands directly into the Report Builder, by clicking Define report data using search language. You can run this report from the search bar, but when you open up Report Builder, it adds a timechart command that you should remove before formatting the report.
More complex scatter charts can be set up in dashboards using our XML-based dashboard construction syntax. Instructions for designing scatter charts in dashboards are coming soon.
Bubble chart
Use a bubble chart to show trends and the relative importance of discrete values in your data.
The size of a bubble indicates a value's relative importance. It represents a third dimension on top of the x-axis and y-axis values that plot the bubble's position on the chart. This dimension determines the bubble's size relative to the others in the chart.
Note: Bubble charting is disabled in the current version of Splunk.
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.