Create charts that are not (necessarily) time-based

This topic discusses using the transforming command, chart, to create visualizations that are not time-based.

The chart command

The chart command returns your results in a data structure that supports visualization of your data series as a chart such as a column, line, area, and pie chart.

Unlike the timechart command, which uses the _time default field as the x-axis, charts created with the chart command use an arbitrary field as the x-axis. With the chart command, you use the over keyword to determine what field takes the x-axis.


Example 1: Use web access data to show you the average count of unique visitors over each weekday.

sourcetype=access_* | chart avg(clientip) over date_wday

One of the options you have is to split the data by another field, meaning that each distinct value of the "split by" field is a separate series in the chart. If your search includes a "split by" clause, place the over clause before the "split by" clause.

The following report generates a chart showing the sum of kilobytes processed by each clientip within a given timeframe, split by host. The finished chart shows the kb value taking the y-axis while clientip takes the x-axis. The kb value is broken out by host. After you run this search, format the report as a stacked bar chart.

sourcetype=access_* | chart sum(kb) over clientip by host

Example 2: Create a stacked bar chart that splits out the http and https requests hitting your servers.

To do this, first create ssl_type, a search-time field extraction that contains the inbound port number or the incoming URL request, assuming that it is logged. The finished search would look like this:

sourcetype=access_* | chart count over ssl_type

After you run the search, format the results as a stacked bar chart.
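As an added illustration (not Splunk's code and not from this page), the following Python models the table that `chart <func>(<field>) over <x> by <series>` returns: one row per over value, one column per by value, and an empty cell where a combination has no events. It also shows why Example 1's avg(clientip) yields no value on an IP address while dc(clientip) counts distinct visitors. The event records and their values are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample web access events (not real data): the fields chart
# would see after search-time extraction from sourcetype=access_*.
EVENTS = [
    {"clientip": "10.0.0.1", "host": "web1", "kb": 12.0, "date_wday": "monday"},
    {"clientip": "10.0.0.1", "host": "web2", "kb": 3.0,  "date_wday": "monday"},
    {"clientip": "10.0.0.2", "host": "web1", "kb": 8.0,  "date_wday": "tuesday"},
    {"clientip": "10.0.0.3", "host": "web1", "kb": 1.0,  "date_wday": "monday"},
    {"clientip": "10.0.0.2", "host": "web2", "kb": 5.0,  "date_wday": "tuesday"},
]

def _is_number(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def aggregate(func, field, events):
    """Mimic one chart/stats aggregator over a single group of events."""
    values = [e[field] for e in events if field in e]
    if func == "count":
        return len(events)
    if func == "dc":
        return len(set(values))          # distinct values, numeric or not
    if func in ("sum", "avg"):
        # sum/avg ignore non-numeric values; if nothing numeric is left,
        # the cell is empty (None here), which is what avg(clientip) gives
        nums = [v for v in values if _is_number(v)]
        if not nums:
            return None
        return sum(nums) if func == "sum" else mean(nums)
    raise ValueError(f"unsupported function {func}")

def chart(func, field, over, events, by=None):
    """Return {over_value: {series: stat}} like '| chart func(field) over X by Y'.
    Without 'by' the single series is named func(field), as in Splunk."""
    groups = defaultdict(list)
    for e in events:
        series = e[by] if by else f"{func}({field})"
        groups[(e[over], series)].append(e)
    table = defaultdict(dict)
    for (x, series), grp in groups.items():
        table[x][series] = aggregate(func, field, grp)
    # every row carries every series column; a missing combination stays empty
    series_names = sorted({s for _, s in groups})
    return {x: {s: row.get(s) for s in series_names} for x, row in table.items()}
```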

Following up... to get the unique visitors count by day of week... if we assume the query may be run on periods greater than 1 week, I found I first had to get the stats for unique dates prior to taking the average. Here's the complete query:

sourcetype=access_* | eval fulldate=date_year . "-" . date_month . "-" . date_mday | stats dc(clientip) AS Date_Count by fulldate, date_wday | chart eval(round(avg(Date_Count),0)) AS Average_Daily_Count over date_wday | rename date_wday AS Day

Perhaps there's a simpler way.

September 20, 2016

The first example uses the function "avg(clientip)". Since clientip is non-numeric -- it's an IP address -- taking the average produces a null result. From the context, I believe you want dc(clientip), giving the count of distinct IP addresses.

September 20, 2016