This documentation does not apply to the most recent version of Splunk.
You can use Splunk's report builder, combined with Splunk's powerful reporting command language, to generate charts that visualize report data in a number of different ways.
In this topic we discuss the different kinds of charts that Splunk makes available to you and describe some of the situations that each chart type is best suited for.
We also discuss the data structure requirements of the different chart types. For example, we explain why you cannot build a chart using a table that does not include a valid y-axis field, and we explain why some searches enable you to generate bar, column, line, and area charts, but not pie charts.
For more information about the report builder, see "Define reports and generate charts" in this manual.
Column and bar charts
Use a column chart or bar chart to compare the frequency of values of fields in your data. In a column chart, the x-axis values are typically field values (or time) and the y-axis can be any other field value, count of values, or statistical calculation of a field value. Bar charts are exactly the same, except that the x-axis and y-axis values are reversed.
The following bar chart presents the results of this search, which uses internal Splunk metrics. It finds the total sum of cpu_seconds by processor, and then arranges the processors with the top ten sums in descending order:
index=_internal "group=pipeline" | stats sum(cpu_seconds) as totalCPUSeconds by processor | sort 10 totalCPUSeconds desc
Stacked column and bar charts
You can also use stacked column charts and stacked bar charts to compare the frequency of values of fields in your data. A stacked column chart is the same as a regular column chart, except all of the columns are segments of a single column. The value of the total column is the sum of the segments.
Note: You can use a stacked column or bar chart to highlight the relative weight (importance) of data within a set of your data.
The following chart illustrates the usage of Splunk manuals shortly after the release of Splunk 4. Each column segment represents the number of page views for a particular manual in a 10-minute-long slice of time:
Line charts
Use a line chart to show trends in your data over time or another field. You can display more than one series in a line chart.
Area charts
Use an area chart to display trends in your data either over time or in comparison to another field value. The shaded areas under the data points help emphasize quantities.
The following area chart is derived from this search:
sourcetype="tcptrace" | search host1_rexmt_data_pkts>0 OR host2_rexmt_data_pkts>0 | timechart max(host1_rexmt_data_pkts),max(host2_rexmt_data_pkts) | fillnull value=0 | rename max(host1_rexmt_data_pkts) as "Packet Retransmits from me",max(host2_rexmt_data_pkts) as "Packet Retransmits to me"
Stacked area chart
Use a stacked area chart to show trends across multiple series, as an area chart does. A stacked area chart also shows how each data series relates to the entire set of data as a whole.
The following chart is another example of a chart that presents information from internal Splunk metrics. The search used to create it is:
index=_internal per_sourcetype_thruput | timechart sum(kb) by series useother=f
Pie charts
Use a pie chart to show the relationship of parts of your data to the entire set of data as a whole. The size of each slice in a pie chart is determined by the value of that part of your data as a percentage of the total of all values.
The following pie chart presents the network traffic "pools" with the most activity over the past 24 hours. Note that you can get metrics for individual pie chart wedges by mousing over them.
Scatter charts
Use a scatter chart (or "scatter plot") to show trends in the relationships between discrete values of your data. Generally, a scatter plot shows discrete values that do not occur at regular intervals or belong to a series. This is different from a line graph, which usually plots a regular series of points.
Here's an example of a search that can be used to generate a scatter chart. It finds all of the packets received from various client IP addresses and then orders them according to the number of bytes in each packet.
* | fields - _* | fields clientip bytes
For more information about the search used to generate this scatter chart, and about the data structures that scatter charts require, see the "Chart data structure requirements" subtopic, below.
Bubble charts
Use a bubble chart to show trends and the relative importance of discrete values in your data.
The size of a bubble indicates a value's relative importance. It represents a third dimension on top of the x-axis and y-axis values that plot the bubble's position on the chart. This dimension determines the bubble's size relative to the others in the chart.
Note: Bubble charting via the Report Builder is disabled in the current version of Splunk. However, you can set up bubble charts in dashboards using Splunk's view XML. For more information see the Custom charting configuration reference chapter in the Developer manual.
Gauges
The gauge chart types enable you to see a single numerical value mapped against a range of colors that may have particular business meaning or business logic. As the value changes over time, the gauge marker changes position within this range. Gauges are designed to provide an especially dynamic visualization for real-time searches, where the value returned fluctuates as events are returned, causing the gauge marker to visibly bounce back and forth within the range as you watch it.
You can define the overall numerical range represented by the gauge, and you can define the size of the colored bands within that range. By default you can set three bands of green, yellow, and red, displayed in that order. For example, if your range extends from 1 to 100, you could have the 0-59 portion of the range be green, the 60-84 portion of the band be yellow, and the 85-100 portion of the range be red.
The easiest way to set the range is by defining a search that uses the new gauge search command. The gauge command enables you to indicate the field whose value will be tracked by the gauge. If you want to use the color bands, you can add four "range values" to the search string that indicate the beginning and end of the range as well as the relative sizes of the color bands within it.
For example, to set up a gauge that tracks a hitcount field value with the ranges mentioned above, you might use the following search string:
...| gauge hitcount 0 60 85 100
There are three types of gauges that you can choose from: radial, filler, and marker.
Note: The gauge chart type is similar in behavior to the "single value" dashboard panel type in that both visualizations are designed to be used in conjunction with searches that return a single numerical result and associate color codes with the number returned.
Radial gauge
The radial gauge type looks essentially like a speedometer or pressure valve gauge. It has an arced range scale and a rotating needle. The current value of the needle is displayed at the bottom of the gauge (in the case of the example below, the value is 915). If the value ever falls outside of the top range of the gauge, the needle "flutters" at the boundary and a warning icon appears.
This radial gauge example represents this simple search, which is run in real time with a one-minute window:
index=_internal | stats count as myCount | gauge myCount 750 1000 1250 1500
Filler gauge
The filler gauge is similar in appearance to a thermometer, with a liquid-like filler indicator that changes color as it rises and passes gauge boundaries. So if you have set up three boundaries, the liquid will appear to be green when it is near the bottom, yellow when it reaches the midpoint boundary, and red when it gets to the top. The current value of the gauge fill is displayed at the left side of the filler indicator. If the value ever falls outside of the upper or lower ranges of the filler gauge, a warning icon appears.
The filler gauge is oriented vertically by default but can be oriented horizontally through custom charting configuration.
Marker gauge
The marker gauge is a linear version of the filler gauge. It is already "filled"; a gauge marker rests at the value returned by the search. If the gauge is displaying the results of a real-time search, the marker can appear to slide back and forth across the range as the returned value fluctuates over time. If the returned value falls outside of the upper or lower ranges of the marker gauge, the marker appears to vibrate at the upper or lower boundary and a warning icon appears.
The marker gauge is oriented vertically by default but can be oriented horizontally through custom charting configuration.
Marker gauges have display issues with numbers exceeding 3 digits in length. To manage this, you can set up a search that divides a large number by a factor that reduces it to a smaller number. For example, if the value returned is typically in the tens of thousands, set your search up so the result is divided by 1000. Then a result of 19,100 becomes 19.1.
You can also deal with large numbers by setting the chart configuration options so the range is expressed as a percentage. For more about that, see the next subsection.
Changing the gauge display defaults
You can change the default display mode of the three gauge types in dashboard panels by setting up custom charting configurations in the XML behind the panel. For details, see the "Custom charting configuration reference" chapter in the Developer Manual (or, more specifically, the "Chart and legend properties" topic in that same manual).
Among the chart configuration properties available for gauges, there are three that we think most users will want to be aware of. They apply to all three gauge types.
- style: Controls the overall appearance of the gauge. There are two possible values: shiny and minimal. The shiny style is the default and presents the gauge with chrome, shading, and other graphic qualities that cause it to mimic the appearance of real-world gauges. The minimal style is a stripped-down, "back-to-basics" version of the gauge.
- rangeValues: Represents the overall numerical range represented by the gauge, and the relative size of the color-coded subranges within that overall range. For example, a range of [0,30,70,100] would indicate that the gauge starts at zero, ends at 100, and has three subranges that are each identified by a different color. It is important to note that when you specify range values in the XML, they override range values that are specified through the search upon which the dashboard panel is based.
- gaugeColors: Specifies a list of hexadecimal color values from which the range band colors are generated. Colors display in the order indicated in the array. You can specify any number of colors. If your gauge has more or fewer range intervals (specified either through the underlying search language or via the rangeValues parameter), Splunk will interpolate the colors as necessary. The default gaugeColors are green-yellow-red.
Here's an example of simple XML code for a chart where the minimal style is selected, the rangeValues are defined, and the gaugeColors are set up to display in reverse order (red-yellow-green):
<option name="charting.chart">radialGauge</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.chart.rangeValues">[0,30,70,100]</option>
<option name="charting.gaugeColors">[0xBF3030,0xFFE800,0x84E900]</option>
Note: If you're using advanced XML, change option to param. See "Advanced charting options" in the Developer Manual for more information.
You can also:
- arrange to have filler and marker gauges appear in a horizontal orientation by setting
- have a gauge in a dashboard panel display its range as a percentage. This is one way you can manage ranges that are over four digits in size. The parameters that affect this include usePercentageValue; set them to true to format gauge and range values as percentages.
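The band, color and percentage behavior described above (the four range values of the gauge command, the interpolation of gaugeColors when the color count does not match the band count, the out-of-range warning, and the percentage display) as an added Python model; this is example code, not Splunk's implementation, and linear RGB interpolation is an assumption since the page does not say how Splunk interpolates. The default color list is the page's red-yellow-green example reversed.

```python
"""Gauge bands, interpolated gaugeColors and out-of-range warnings.

Added example, not Splunk code. Four range values (e.g. `gauge hitcount
0 60 85 100`) define three bands; gaugeColors are interpolated when their
count differs from the band count (linear RGB interpolation is an
assumption; the page does not say how Splunk does it); a value outside
the range sets `warning`, and `percent` is what usePercentageValue shows.
"""
from dataclasses import dataclass
from typing import List, Optional

# Reverse of the page's red-yellow-green example, i.e. the default order.
DEFAULT_GAUGE_COLORS = ["0x84E900", "0xFFE800", "0xBF3030"]

@dataclass
class GaugeReading:
    value: float
    band: Optional[int]   # 0-based band index, None when out of range
    color: str            # band colour, empty when out of range
    warning: bool         # the warning icon shown when the needle leaves the range
    percent: float        # position within the overall range, in percent

def _hex_to_rgb(color: str):
    n = int(color, 16)
    return ((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)

def band_colors(range_values: List[float], gauge_colors: List[str]) -> List[str]:
    """One colour per band, interpolating across gauge_colors when counts differ."""
    bands = len(range_values) - 1
    if bands < 1 or not gauge_colors:
        raise ValueError("need at least two range values and one colour")
    if len(gauge_colors) == bands:
        return list(gauge_colors)
    stops = [_hex_to_rgb(c) for c in gauge_colors]
    out = []
    for i in range(bands):
        pos = (i + 0.5) / bands * (len(stops) - 1)   # band midpoint on the colour axis
        lo = min(int(pos), len(stops) - 2)
        t = pos - lo
        rgb = tuple(round(a + (b - a) * t) for a, b in zip(stops[lo], stops[lo + 1]))
        out.append("0x%02X%02X%02X" % rgb)
    return out

def read_gauge(value: float, range_values: List[float],
               gauge_colors: List[str] = DEFAULT_GAUGE_COLORS) -> GaugeReading:
    """Classify one search result. Bands are [lo, hi); the last band is closed."""
    colors = band_colors(range_values, gauge_colors)
    lo, hi = range_values[0], range_values[-1]
    percent = (value - lo) / (hi - lo) * 100
    if value < lo or value > hi:
        return GaugeReading(value, None, "", True, percent)
    band = len(colors) - 1
    for i in range(len(colors)):
        if value < range_values[i + 1]:
            band = i
            break
    return GaugeReading(value, band, colors[band], False, percent)
```

With the radial gauge search from this page (`gauge myCount 750 1000 1250 1500`), a value of 915 lands in the first (green) band at 22 percent of the range.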
Other chart types
Splunk enables the creation of other chart types in dashboard panels using Splunk's view XML (you cannot currently use the Report Builder to generate them). These chart types include:
- Range marker charts
- Ratio bar charts
- Value marker charts
For more information about these chart types, the data structures required to support them, and their view XML properties, see the Custom charting configuration reference chapter in the Developer manual.
Chart data structure requirements
Each chart type requires specific structures of data in order to create meaningful charts. This subsection covers these different data structures, and explains why some searches allow you to generate bar and column charts, but not pie charts.
Column, line, and area charts
It's important to understand that column, line, and area charts are two-dimensional charts supporting one or more series. They plot data on a Cartesian coordinate system, working off of tables that have at least two columns, where the first column contains x-axis values and the subsequent columns contain y-axis values (each column represents a series). This is why "Values over time" searches and searches that include splitbys are among those that are available as column, line, and area charts.
If you want to generate a column, line, or area chart from a search, that search must produce a table matching the description provided in the preceding paragraph. For example, any search using the timechart reporting command will generate a table where _time is the first column (and therefore the x-axis of any column, line, or area chart generated from those results). You'll get the same result with most basic searches involving reporting commands.
For example, a search like this, where the over operator indicates that source is the x-axis:
...| chart avg(bytes) over source
produces a two-column, single-series table like this:
In this table, the x-axis is source, and the y-axis is avg(bytes). With it you can produce a column chart that compares the average number of bytes passed through each source.
Say you change up the search a bit by adding clientip as a splitby field:
...| chart avg(bytes) over source by clientip
This produces a table that features multiple series:
In this table, the x-axis is still source, and the y-axis is still avg(bytes), but it now breaks out the clientip, creating a table with multiple series. You might generate a stacked column chart to represent this data.
You run into trouble when you design a complex search that returns a result table that lacks a valid x-axis or y-axis value. This can happen when you use the fields command to force a particular arrangement of columns in the finished table, for example.
Bar charts
Bar charts have the same data structure requirements as column, line, and area charts, except that the x- and y-axes are reversed. So they are working off of tables that have at least two columns, where the first column contains y-axis values and the subsequent columns contain x-axis values.
Pie charts
Pie charts are one dimensional and only support a single series. They work off of tables with just two columns, where the first column contains the labels for each slice of the pie, and the second column contains numerical values that correspond to each label, determining the relative size of each slice. If the table generated by the search contains additional columns, those extra columns have no meaning in the terms of the pie chart and are ignored.
Of the two "column, line, and area charts" search examples noted above, the first is the only one that could be used to make a pie chart. The source column would provide the wedge labels, and the avg(bytes) column would provide the relative sizes of the wedges (as percentages of the sum of avg(bytes) returned by the search).
Scatter charts
Scatter charts are Cartesian charts that render data as scattered markers. They help you visualize situations where you may have multiple y-axis values for each x-axis value, even when you're not charting multiple series. Their data set can be in one of two forms:
- A single series setup, where the chart is structured on a 2-column data table, where the first column (column 0) contains the values to be plotted on the x-axis, and the second column (column 1) contains the values to be plotted on the y-axis.
- A multiple series setup, where the chart is structured on a data table that contains 3 columns. The first column (column 0) contains the series names, and the next two columns contain the values to be plotted on the x- and y-axes, respectively.
To generate a scatter chart you need to graph events directly with a search like:
* | fields - _* | fields clientip bytes
This search finds all of the packets received from various client IP addresses and then orders them according to the number of bytes in each packet.
- Note that the search removes all fields with a leading underscore, such as the
- The second fields command isolates the two fields that you want for the x- and y-axis of the chart, respectively. The y-axis value should be numerical for best results. (So in this case, the x-axis is clientip while the y-axis is bytes.)
Note: To create a scatter plot chart with a search like this, you need to enter the reporting commands directly into the Report Builder by clicking Define report data using search language in the Report Builder. You can run this report from the search bar, but when you open up Report Builder, it adds a timechart command that you should remove before formatting the report.
More complex scatter charts can be set up in dashboards using Splunk's view XML. For more information see the Custom charting configuration reference chapter in the Developer manual.
Gauges
A gauge is a visualization of a search that returns a single numerical field value. It shows where this value exists within a range defined in the search language using the gauge command. A simple example is a search that returns a count of the number of events matching a set of search criteria that come in within a specific time period, or a real-time window, if you are using a real-time search. If you base a gauge on a real-time search, the chart's range marker will appear to fluctuate as the value displayed within the real-time search window changes over time.
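The data structure requirements for column, line, area, bar, pie and scatter charts and for gauges, as an added Python checker (example code, not Splunk's own): given a result table as rows of field values, it returns the chart types that table can drive under the rules described in this section. The sample tables are constructed to mirror the chart avg(bytes) over source searches (with and without the clientip splitby), the stats count as myCount gauge search, and a table with no numeric y-axis.

```python
"""Which chart types a result table can drive.

Added example, not Splunk code. It encodes this section's data-structure
rules: column, line, area and bar charts need an x-axis column followed
by one or more numeric series; a pie chart needs exactly one numeric
column after the labels; a scatter chart needs (x, y) or (series, x, y)
with a numeric y; a gauge needs one row with one numeric field.
"""
from typing import Any, Dict, List, Set
Table = List[Dict[str, Any]]   # one dict per result row, like Splunk's JSON output

def _is_numeric(value: Any) -> bool:
    """Empty cells (a split-by series with no value at that x) are allowed;
    `fillnull value=0` is what turns them into real numbers before charting."""
    if value is None or value == "":
        return True
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False

def _numeric_column(rows: Table, name: str) -> bool:
    return all(_is_numeric(r.get(name)) for r in rows)

def chartable_types(columns: List[str], rows: Table) -> Set[str]:
    """Return the set of chart types this table supports under the rules above."""
    types: Set[str] = set()
    if not rows or not columns:
        return types
    series = columns[1:]
    # Column, line, area, bar: first column is the axis, every later column a numeric series.
    if series and all(_numeric_column(rows, c) for c in series):
        types.update({"column", "line", "area", "bar"})
        if len(series) == 1:
            types.add("pie")          # label column + one numeric column
        else:
            types.update({"stacked column", "stacked bar", "stacked area"})
    # Scatter: (x, y) or (series, x, y); the y column must be numeric.
    if len(columns) in (2, 3) and _numeric_column(rows, columns[-1]):
        types.add("scatter")
    # Gauge: a single row carrying a single numeric field.
    if len(rows) == 1 and len(columns) == 1 and _numeric_column(rows, columns[0]):
        types.add("gauge")
    return types

# Constructed samples modelled on the searches in this section.
SINGLE_SERIES = (["source", "avg(bytes)"],
                 [{"source": "web.log", "avg(bytes)": 1024.5},
                  {"source": "ftp.log", "avg(bytes)": 88231}])
SPLIT_BY = (["source", "10.0.0.1", "10.0.0.2"],   # ... over source by clientip
            [{"source": "web.log", "10.0.0.1": 900, "10.0.0.2": ""},
             {"source": "ftp.log", "10.0.0.1": "", "10.0.0.2": 70000}])
GAUGE_COUNT = (["myCount"], [{"myCount": 915}])   # stats count as myCount
NO_Y_AXIS = (["clientip", "host"], [{"clientip": "10.0.0.1", "host": "web01"}])
```

The split-by table qualifies for the stacked variants but not for a pie chart, and the two-string table yields no chart type at all, which is the "no valid y-axis" case described above.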