Splunk® Enterprise

Search Manual

Download manual as PDF

Download topic as PDF

Create charts that are not (necessarily) time-based

This topic discusses using the transforming command, chart, to create visualizations that are not time-based.

The chart command

The chart command returns your results in a data structure that supports visualization of your data series as a chart such as a column, line, area, and pie chart.

Unlike the timechart command, which uses the _time default field as the x-axis, charts created with the chart command use an arbitrary field as the x-axis. With the chart command, you use the over keyword to determine what field takes the x-axis.


Example 1: Use web access data to show you the average count of unique visitors over each weekday.

sourcetype=access_* | chart avg(clientip) over date_wday

One of the options you have is to split the data by another field, meaning that each distinct value of the "split by" field is a separate series in the chart. If your search includes a "split by" clause, place the over clause before the "split by" clause.

The following report generates a chart showing the sum of kilobytes processed by each clientip within a given timeframe, split by host. The finished chart shows the kb value taking the y-axis while clientip takes the x-axis. The delay value is broken out by host. After you run this search, format the report as a stacked bar chart.

sourcetype=access_* | chart sum(kb) over clientip by host

Example 2: Create a stacked bar chart that splits out the http and https requests hitting your servers.

To do this, first create ssl_type, a search-time field extraction that contains the inbound port number or the incoming URL request, assuming that it is logged. The finished search would look like this:

sourcetype=access_* | chart count over ssl_type

After you run the search, format the results as a stacked bar chart.

Create time-based charts
Visualize field value highs and lows

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Following up... to get the unique vistors count by day of week... if we assume the query may be run on periods greater than 1 week, I found I first had to get the stats for unique dates prior to taking the average. Here's the complete query:

sourcetype=access_* | eval fulldate=date_year. "-" . date_month . "-" . date_mday | stats dc(clientip) AS Date_Count by fulldate, date_wday | chart eval(round(avg(Date_Count),0)) AS Average_Daily_Count over date_wday | rename date_wday AS Day

Perhaps there's a simpler way.

September 20, 2016

The first example uses the function "avg(clientip)". Since clientip is non-numeric -- it's a IP address -- taking the average produces a null result. From the context, I believe you want dc(clientip), giving the count of distinct IP addresses.

September 20, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters