Create charts that are not (necessarily) time-based
The chart command
Unlike the timechart command, which uses the _time default field as the x-axis, charts created with the chart command use an arbitrary field as the x-axis. With the chart command, you use the over keyword to specify which field takes the x-axis.
Example 1: Use web access data to show the average number of unique visitors on each weekday. A statistical function such as avg() cannot be applied directly to clientip, which is a string; first count distinct visitors per day with dc(), then average those daily counts over the weekday.
sourcetype=access_* | bin _time span=1d | stats dc(clientip) AS unique_visitors BY _time, date_wday | chart avg(unique_visitors) over date_wday
One of the options you have is to split the data by another field, meaning that each distinct value of the "split by" field becomes a separate series in the chart. If your search includes a "split by" clause, place the over clause before the "split by" clause.
The following report generates a chart showing the sum of kilobytes processed for each clientip within the selected time range, split by host. In the finished chart, the summed kb value takes the y-axis, clientip takes the x-axis, and each bar is broken out by host. After you run this search, format the report as a stacked bar chart.
sourcetype=access_* | chart sum(kb) over clientip by host
Example 2: Create a stacked bar chart that splits out the http and https requests hitting each of your servers.
To do this, first create ssl_type, a search-time field extraction that labels each request as http or https, derived from the inbound port number or the scheme of the requested URL, assuming one of those is logged. Then chart the request count over host, split by ssl_type, so that each bar is one server and its segments are the http and https shares. The finished search would look like this:
sourcetype=access_* | chart count over host by ssl_type
After you run the search, format the results as a stacked bar chart.
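The field extraction step is the part of Example 2 that is usually left as an exercise. As an added example that is not part of the original Splunk page, the same report can be built without a saved extraction by deriving ssl_type inline with eval. It assumes a hypothetical dest_port field carrying the server port a request arrived on; standard access logs do not always include one, so substitute whatever your logging actually records.

```spl
sourcetype=access_*
| eval ssl_type=case(dest_port==443, "https", dest_port==80, "http", true(), "other")
| chart count over host by ssl_type
| fillnull value=0
```

The true() branch of case() catches requests on non-standard ports so they are not silently dropped from the chart, and fillnull turns empty cells into zeros so every host shows all three series. Read as a stacked bar chart, any host whose http segment is still non-zero after a TLS-only policy has been rolled out is the one to investigate.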
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3