chart

chart

Synopsis

Returns results in a tabular output for charting.

Syntax

chart [cont=<bool>] [limit=<int>] [agg=<stats-agg-term>] [<stats-agg-term> | <eval-expression>]+ [by <field> (<bucketing-option> )* [<split-by-clause>]] | [ over <field> (<bucketing-option>)* [by <split-by-clause>]]

For a list of chart functions with descriptions and examples, see "Functions for stats, chart, and timechart".

Arguments

agg

Datatype: <stats-agg-term>

Description: For a list of stats functions with descriptions and examples, see "Functions for stats, chart, and timechart".

bucketing-option

Datatype: bins | span | <start-end>

Description: Discretization options. If a bucketing option is not supplied, timechart defaults to bins=300. This finds the smallest bucket size that results in no more than 300 distinct buckets. For more bucketing options, see the bucket command reference.

cont

Datatype: <bool>

Description: Specifies whether its continuous or not.

eval-expression

Datatype: <eval-math-exp> | <eval-concat-exp> | <eval-compare-exp> | <eval-bool-exp> | <eval-function-call>

Description: A combination of literals, fields, operators, and functions that represent the value of your destination field. The following are the basic operations you can perform with eval. For these evaluations to work, your values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations may not produce valid results if the values are not numerical. Additionally, Splunk can concatenate the two operands if they are both strings. When concatenating values with '.', Splunk treats both values as strings regardless of their actual type.

limit

Datatype: <int>

Description: Specify a limit for series filtering; limit=0 means no filtering.

single-agg

Datatype: count|<stats-func>(<field>)

Description: A single aggregation applied to a single field (can be evaled field). No wildcards are allowed. The field must be specified, except when using the special 'count' aggregator that applies to events as a whole.

split-by-clause

Datatype: <field> (<tc-option>)* [<where-clause>]

Description: Specifies a field to split by. If field is numerical, default discretization is applied; discretization is defined with tc-option.

tc options

tc-option

Syntax: <bucketing-option> | usenull=<bool> | useother=<bool> | nullstr=<string> | otherstr=<string>

Description: Options for controlling the behavior of splitting by a field.

usenull

Datatype: <bool>

Description: controls whether or not a series is created for events that do not contain the split-by field.

nullstr

Datatype: <string>

Description: If usenull is true, this series is labeled by the value of the nullstr option, and defaults to NULL.

useother

Datatype: <bool>

Description: specifies if a series should be added for data series not included in the graph because they did not meet the criteria of the <where-clause>. Defaults to True|T.

otherstr

Dataype: <string>

Description: If useother is true, this series is labeled by the value of the otherstr option, and defaults to OTHER.

where clause

where clause

Syntax: <single-agg> <where-comp>

Description: Specifies the criteria for including particular data series when a field is given in the tc-by-clause. The most common use of this option is to select for spikes rather than overall mass of distribution in series selection. The default value finds the top ten series by area under the curve. Alternately one could replace sum with max to find the series with the ten highest spikes.This has no relation to the where command.

<where-comp>

Syntax: <wherein-comp> | <wherethresh-comp>

Description: A criteria for the where clause.

<wherein-comp>

Syntax: (in|notin) (top|bottom)<int>

Description: A where-clause criteria that requires the aggregated series value be in or not in some top or bottom grouping.

<wherethresh-comp>

Syntax: (<|>)( )?<num>

Description: A where-clause criteria that requires the aggregated series value be greater than or less than some numeric threshold.

Description

Create tabular data output suitable for charting. The x-axis variable is specified by field and is discretized if necessary. Charted fields are converted to numerical quantities if necessary.

Whereas timechart generates a chart with _time as the x-axis, chart produces a table with an arbitrary field as the x-axis. In addition, chart allows for a split-by field. When such a field is included, the output will be a table where each column represents a distinct value of the split-by field.

This is in contrast with stats, where each row represents a single unique combination of values of the group-by fields. The number of columns to be included is by default limited to 10, but can be adjusted by the inclusion of an optional where clause. See where-clause for a more detailed description.

Chart allows for an eval-expression, which is required to be renamed unless a split-by clause is present. You can also specify the the x-axis field after the over keyword, before any by and subsequent split-by clause. The limit and agg options allow easier specification of series filtering. The limit=0 means no series filtering. The limit and agg options are ignored if an explicit where clause is provided.

Examples

Example 1: Return max(delay) for each value of foo.

Example 2: Return max(delay) for each value of foo split by the value of bar.

Example 3: Return the ratio of the average (mean) "size" to the maximum "delay" for each distinct "host" and "user" pair.

Example 4: Return the the maximum "delay" by "size", where "size" is broken down into a maximum of 10 equal sized buckets.

Example 5: Return the average (mean) "size" for each distinct "host".

See also

timechart, bucket, sichart

• Was this topic useful?
• Post a comment