Splunk® Enterprise

Search Manual


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.

Create charts that are not (necessarily) time-based

Use the chart reporting command to create charts that can display any series of data. Unlike the timechart command, charts created with the chart command use an arbitrary field as the x-axis. You use the over keyword to determine what field takes the x-axis.

Note: The over keyword is specific to the chart command. You won't use it with timechart, for example, because the _time default field is already being used as the x-axis.

Example 1: Use web access data to show you the average count of unique visitors over each weekday.

index=sampledata sourcetype=access* | chart avg(clientip) over date_wday

One of the options you have is to split the data by another field, meaning that each distinct value of the "split by" field is a separate series in the chart. If your search includes a "split by" clause, place the over clause before the "split by" clause.

The following report generates a chart showing the sum of kilobytes processed by each clientip within a given timeframe, split by host. The finished chart shows the kb value taking the y-axis while clientip takes the x-axis. The summed kb value is broken out by host, one series per host. After you run this search, format the report as a stacked bar chart.

index=sampledata sourcetype=access* | chart sum(kb) over clientip by host

Example 2: Create a stacked bar chart that splits out the http and https requests hitting your servers.

To do this, first create ssl_type, a search-time field extraction that contains the inbound port number or the incoming URL request, assuming that it is logged. The finished search would look like this:

sourcetype=whatever | chart count over ssl_type

After you run the search, format the results as a stacked bar chart.
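To make the over/by pivot concrete, here is an added Python emulation of what `chart` does with the two searches above (`sum(kb) over clientip by host` and `count over ssl_type`). It is not Splunk's code; the events are constructed stand-ins for `index=sampledata sourcetype=access*`, and the chart() function and AGGREGATORS table are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample events standing in for index=sampledata sourcetype=access*.
# They are not real log lines; they exist only to show the pivot.
EVENTS = [
    {"clientip": "10.0.0.1", "host": "web01", "kb": 12.0, "ssl_type": "http"},
    {"clientip": "10.0.0.1", "host": "web02", "kb": 3.0,  "ssl_type": "https"},
    {"clientip": "10.0.0.2", "host": "web01", "kb": 7.5,  "ssl_type": "https"},
    {"clientip": "10.0.0.2", "host": "web01", "kb": 2.5,  "ssl_type": "http"},
    {"clientip": "10.0.0.3", "host": "web02", "kb": 20.0, "ssl_type": "https"},
]

# Statistical functions this emulation understands (a subset of chart's).
AGGREGATORS = {
    "count": lambda values: len(values),
    "sum": lambda values: sum(values),
    "avg": lambda values: sum(values) / len(values),
}


def chart(events, func, over, field=None, by=None):
    """Emulate `chart <func>(<field>) over <over> [by <by>]`.

    Each distinct value of the `over` field becomes one row (the x-axis).
    Without `by` there is a single value column named like Splunk names it
    ("sum(kb)", or "count"). With `by`, every distinct `by` value becomes its
    own column, i.e. one series of a stacked bar chart. Events lacking the
    over/by/aggregated field are dropped, as chart drops them.
    """
    column_name = f"{func}({field})" if field else func
    groups = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if over not in ev or (by and by not in ev) or (field and field not in ev):
            continue
        series = ev[by] if by else column_name
        groups[ev[over]][series].append(ev[field] if field else 1)
    columns = sorted({s for g in groups.values() for s in g})
    rows = []
    for x in sorted(groups):
        row = {over: x}
        for col in columns:
            values = groups[x].get(col)
            # Empty cells: 0 for count/sum, blank (None) for avg, as in Splunk.
            row[col] = AGGREGATORS[func](values) if values else (0 if func != "avg" else None)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in chart(EVENTS, "sum", over="clientip", field="kb", by="host"):
        print(row)
    for row in chart(EVENTS, "count", over="ssl_type"):
        print(row)
```

Note that the real `chart ... by` keeps only the top series by default (its `limit` option, 10 unless changed) and folds the rest into an OTHER column; this emulation keeps every series.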


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18