Sankey Diagram

Sankey Diagram

Create a Sankey diagram query

To generate a Sankey diagram, write a query that returns events in the correct data format.

Query syntax

To generate a Sankey diagram, use this query syntax.

... | stats <stats_function>(<size_field>) [<stats_function>(<color_field>)] by <source_category_field> <target_category_field>

Query components

A Sankey diagram query includes the following components.


  • Required
  • This field determines link width between source and target categories. Use a stats function to aggregate values in this field.


  • Optional
  • This field determines link color. Sankey diagrams that include a color field are called "double measure".


  • Required
  • Metric flow starts in this field. This is sometimes described as the "from" category.


  • Required
  • Metric flow ends in this field. This is sometimes described as the "to" category.

Search result data formatting

The Sankey diagram query syntax returns results in a table with multiple columns. Columns represent data for source, target, connection size, and connection color.

Check the Statistics tab after running a query to make sure that the results table includes the correct columns in the required order.

Results table columns

First Second Third Fourth
Source Target Link size Link color

Example query

Here is part of a Sankey diagram query tracking byte transfer sums between source and target hosts.

... | stats sum(bytes) count by source target

The query generates a results table with columns for the source, target, sum(bytes), and count fields.

Custom viz sankey table.png

Last modified on 12 August, 2016
Sankey diagram installation   Visualization components

This documentation applies to the following versions of Sankey Diagram: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.5.0, 1.6.0

Was this topic useful?

You must be logged into in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters