About transforming commands and searches
To create chart visualizations, your search must transform event data into statistical data tables. Charts and other kinds of data visualizations are built from these tables, not from the raw events.
This section describes the major categories of transforming commands and provides examples of how they can be used in a search.
The primary transforming commands are:
chart: creates charts that can display any series of data that you want to plot. You decide which field is tracked on the x-axis of the chart.
timechart: used to create "trend over time" reports, which means that _time is always the x-axis.
top: generates charts that display the most common values of a field.
rare: creates charts that display the least common values of a field.
stats: generates a report that displays summary statistics.
See Transforming commands in the Search Reference to learn more.
Note: As you will see in the following examples, you always place your transforming commands after your search commands, linking them with a pipe operator ( | ).
The stats, chart, and timechart commands are all designed to work with statistical functions. The list of available statistical functions includes:
- count, distinct count
- mean, median, mode
- min, max, range, percentiles
- standard deviation, variance
- first occurrence, last occurrence
For more information about statistical functions, see Statistical and charting functions in the Search Reference. Some statistical functions only work with the
Note: All searches with transforming commands generate specific data structures. The different chart types require these data structures to be set up in particular ways. For example, not all searches that enable you to generate bar, column, line, and area charts can be used to generate pie charts. See Data structure requirements for visualizations in the Dashboard and Visualizations manual to learn more.
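To make the table shapes concrete, the following is an added example written for this page; it is not Splunk code and not part of the Splunk documentation. Each function imitates one transforming command (the SPL it mirrors is quoted in its docstring) over a constructed list of web-access events and returns the statistical table that Splunk would hand to the chart renderer. The field names (_time, clientip, status, uri_path, bytes) are assumed to match the usual access_combined extractions, and the events themselves are made up. The example also shows why a single-series table (stats count by a field) can feed a pie chart while the multi-series table from chart or timechart by a field cannot.

```python
"""Added example, not Splunk's own code: what each transforming command does
to a stream of events, and the table shape each one produces.
Assumed field names follow access_combined; the events are constructed."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean

# Constructed events: in Splunk these are the results of the search that sits
# before the first pipe, e.g.  sourcetype=access_combined
EVENTS = [
    {"_time": "2017-06-01T10:03:00Z", "clientip": "10.0.0.5", "status": 200, "uri_path": "/login", "bytes": 512},
    {"_time": "2017-06-01T10:17:00Z", "clientip": "10.0.0.5", "status": 401, "uri_path": "/login", "bytes": 310},
    {"_time": "2017-06-01T10:42:00Z", "clientip": "10.0.0.5", "status": 401, "uri_path": "/login", "bytes": 310},
    {"_time": "2017-06-01T11:05:00Z", "clientip": "10.0.0.9", "status": 200, "uri_path": "/", "bytes": 2048},
    {"_time": "2017-06-01T11:20:00Z", "clientip": "203.0.113.7", "status": 401, "uri_path": "/login", "bytes": 310},
    {"_time": "2017-06-01T11:35:00Z", "clientip": "203.0.113.7", "status": 401, "uri_path": "/login", "bytes": 310},
    {"_time": "2017-06-01T11:55:00Z", "clientip": "203.0.113.7", "status": 403, "uri_path": "/admin", "bytes": 128},
    {"_time": "2017-06-01T12:10:00Z", "clientip": "10.0.0.9", "status": 200, "uri_path": "/report", "bytes": 4096},
]

# Statistical functions as used after stats/chart/timechart: each takes the
# events of one group and returns a single aggregate value.
STATS_FUNCTIONS = {
    "count": len,
    "dc_uri_path": lambda rows: len({r["uri_path"] for r in rows}),
    "avg_bytes": lambda rows: mean(r["bytes"] for r in rows),
    "max_bytes": lambda rows: max(r["bytes"] for r in rows),
}


def stats_by(events, field, funcs=None):
    """... | stats count by <field>                                  (funcs=None)
    ... | stats count dc(uri_path) avg(bytes) max(bytes) by <field>  (funcs=STATS_FUNCTIONS)
    One row per distinct value of <field>, one column per statistical function."""
    funcs = funcs or {"count": len}
    groups = defaultdict(list)
    for e in events:
        groups[str(e[field])].append(e)
    return {key: {name: f(rows) for name, f in funcs.items()} for key, rows in sorted(groups.items())}


def _pivot(pairs):
    """Build a multi-series table from (row, column) pairs. As in Splunk, every
    row carries every column, zero-filled where nothing was counted."""
    table = defaultdict(Counter)
    for row, col in pairs:
        table[row][col] += 1
    columns = sorted({c for counts in table.values() for c in counts})
    return {r: {c: table[r][c] for c in columns} for r in sorted(table)}


def chart_count_over_by(events, row_field, col_field):
    """... | chart count over <row_field> by <col_field>
    You choose the x-axis field; one series (column) per value of <col_field>."""
    return _pivot((str(e[row_field]), str(e[col_field])) for e in events)


def timechart_count_by(events, field, span_hours=1):
    """... | timechart span=<span_hours>h count by <field>
    Same shape as chart, but the x-axis is always _time, bucketed by span."""
    def bucket(e):
        t = datetime.strptime(e["_time"], "%Y-%m-%dT%H:%M:%SZ")
        start = t.replace(hour=t.hour - t.hour % span_hours, minute=0, second=0)
        return start.strftime("%Y-%m-%dT%H:%M:%SZ")
    return _pivot((bucket(e), str(e[field])) for e in events)


def top(events, field, limit=10):
    """... | top limit=<limit> <field>
    Most common values first, with the count and percent columns that top adds."""
    counts = Counter(str(e[field]) for e in events)
    return [{field: value, "count": n, "percent": 100.0 * n / len(events)}
            for value, n in counts.most_common(limit)]


def rare(events, field, limit=10):
    """... | rare limit=<limit> <field>   (same columns, least common first)"""
    return sorted(top(events, field, limit=None), key=lambda r: r["count"])[:limit]


def is_single_series(table):
    """Pie charts need a single-series table: one label and one value per row.
    stats count by <field> qualifies; chart/timechart ... by <field> produce one
    column per split value and do not, although bar, column, line and area
    charts render them without complaint."""
    return all(len(columns) == 1 for columns in table.values())


if __name__ == "__main__":
    print("failed logins per source:", stats_by([e for e in EVENTS if e["status"] == 401], "clientip"))
    print("status per hour:", timechart_count_by(EVENTS, "status"))
    print("top status:", top(EVENTS, "status", limit=1))
```

Run it as a script to see the tables; the failed-login table is the kind of single-series result that goes straight into a pie or bar chart, while the status-per-hour table is the multi-series shape that only line, area, column and bar charts accept.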
You can use real-time search to calculate metrics in real time on large incoming data flows without the use of summary indexing. However, because you are reporting on a live and continuous stream of data, the timeline updates as the events stream in and you can only view the table or chart in preview mode. Also, some search commands (for example, streamstats and rtorder) are better suited to real-time search than others.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3