Horizon Chart

Create a horizon chart query

To generate a horizon chart, write a query that returns events in the correct data format.

Query syntax

To generate a horizon chart, use this query syntax.

... | timechart <stats_function> by <resource_field>


Query components

timechart
Generates the _time field indicating the start time for the behavior you are tracking.
<stats_function>
Use a <stats_function> to aggregate the metric you are tracking by resource.
<resource_field>
Indicates resources in the set you are monitoring.


Search result data formatting

A horizon chart query returns results in a table with multiple columns. The first column must have _time field values. Additional columns represent resources in the set you are monitoring.

Check the Statistics tab after running a query to make sure that the results table includes the correct columns in the required order.

Results table columns

First              Second      Additional columns
_time (Required)   Resource    Additional resources


Query examples

Aggregating by resource over time

This query tracks recent earthquake activity by location.

source="earthquakes.csv" | timechart count by Region

This query generates a results table with columns for the _time field and each region.



Additional data formatting options

Here is a more complex example. This query tracks host activity by measuring byte transfers across a group of servers.

| inputlookup firewall_data.csv
| eval _time = timestamp
| eval bytes_out = -bytes_out
| timechart span=10s sum(bytes_in) sum(bytes_out) by server_name
| table _time *sv111 *sv18 *sv19 *sv2 *sv241 *sv248 *sv254 *sv8

The query includes the following optional data formatting.

  • eval bytes_out = -bytes_out
    Inverts the sign of the bytes_out values so that incoming and outgoing traffic are easier to compare.
  • timechart span=10s ...
    Summarizes traffic in ten-second spans.
  • ... sum(bytes_in) sum(bytes_out) by server_name
    Aggregates the incoming and outgoing series so that they are easier to compare.
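
The firewall query above depends on the firewall_data.csv lookup. The following added example, which is not part of the original documentation, replaces the lookup with constructed data from makeresults so that the column order can be checked on the Statistics tab. The four server names, the 60 ten-second steps and the random byte counts are assumptions made for illustration.

```spl
| makeresults count=60
| streamstats count AS n
| eval _time = relative_time(now(), "@m") - (n * 10)
| eval server_name = split("sv2,sv8,sv18,sv19", ",")
| mvexpand server_name
| eval bytes_in = (random() % 5000) + 100
| eval bytes_out = -((random() % 3000) + 100)
| timechart span=10s sum(bytes_in) sum(bytes_out) by server_name
| table _time *sv2 *sv8 *sv18 *sv19
```

With two aggregations and a by clause, timechart names each column in the form "sum(bytes_in): sv2", which is why the table command selects columns with a leading wildcard. The result should show _time first, followed by the incoming and outgoing column for each server in the order listed.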

This documentation applies to the following versions of Horizon Chart: 1.0.0, 1.1.0, 1.2.0, 1.3.0

