Splunk® Enterprise

Dashboards and Visualizations


Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Visualization reference

Splunk provides a number of options for search result visualization. Along with the straightforward "event listing" visualization, you can see your event data presented in the form of tables and charts (such as column, line, area, and pie charts). And if you're working with a search that results in a single, discrete, numerical value, you can visualize it with a variety of gauge and single value displays.

In this topic, we provide examples of Splunk's visualization options. But we'll begin by pointing out the different ways that you can access Splunk's visualization functionality.

It's important to note that your visualization options can be limited if the search you're using doesn't return data in a structure that they support. For example, you need a reporting command (such as stats, timechart, or top) to return search results in a data structure that supports both tables and chart visualizations (like column, bar, line, area, and pie charts). For more information, see "Data structure requirements for visualizations," in this manual.

For more information about building searches with reporting commands, see "About reporting commands" in the Search Manual.

Accessing Splunk's visualization definition features

It's easy to access Splunk's visualization definition functionality through the Splunk Web UI. You have four options; the option you choose depends on your needs at that time and the use to which you'd like to put the visualization, if any. You can:

  • Change how Splunk displays search results in the timeline view of the Search app. After you run a search in the Search app, you can change how Splunk displays the results with the visualization icons that appear at the top of the results section. You have three visualization types to choose from: events list, table, and results chart (which includes chart types such as column, line, and pie charts, as well as gauges and single value visualizations).
[Image: Search app viz options.png]
Keep in mind that the table and chart options may be unavailable if the search is not returning data in a structure that they support (see the note about data structures, above).
  • Base a dashboard panel visualization on the search. When you base a new dashboard panel on a search, you choose the visualization that best represents the data returned by the search; it can display as an event listing, a table, a chart (such as a column, line, or pie chart), a gauge, or a single value visualization. You then use the Visualization Editor to fine-tune the way the panel visualization displays. After you run a search that you'd like to base a dashboard panel upon, click Create and select Dashboard panel... to access the Create Dashboard Panel dialog.
[Image: 4.3 show create dashboard panel menu.png]
For more information about dashboard creation and editing, see the "Create and edit simple dashboards" and "Edit dashboard panel visualizations" topics in this manual. Note: This method of visualization design may give you more charting options than the others in this list.
  • Use the Report Builder to design a visualization-friendly search and package its results as a report. This option is especially useful if you are unfamiliar with the reporting commands necessary to design a search that returns table- and chart-friendly results. The Report Builder can guide you through the process of creating this kind of search. After you run a search that you'd like to base a report on, click Create and select Report... to access the Report Builder.
[Image: 4.3 show create report menu.png]
For more information about building reports with the Report Builder, see "Define reports with the Report Builder," in this manual.
  • Use the Advanced Charting view to design a visualization quickly. Use it if you are confident in your ability to create searches with reporting commands, know exactly what you want to report on, and just want to get going quickly. Get to it by selecting Advanced Charting from the Dashboards & Views menu.
[Image: 4.3 advanced charting nav.png]
For more information about this view, see "Use report-rich dashboards and views," in this manual.

Events

Events visualizations are essentially raw lists of events.

You can get events visualizations from any search that does not include a transforming operation, that is, any search that does not use reporting commands such as stats, chart, timechart, top, or rare. For example, if you just search for a set of terms and field values, you'll end up with a list of events:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )

But if you add a reporting command to that search, you instead get statistical results that can be presented either as a table or a chart, but not an event list:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) | stats count by host

The following events visualization lists indexing errors over all time. It is based on this search:

index=_internal (ERROR OR FATAL) AND (STMgr OR HotDBManager OR databasePartitionPolicy OR MPool OR TPool OR timeinvertedIndex OR StreamGroup OR IndexableValue )

You can find this dashboard panel in the "Index health" status dashboard; it is delivered with Splunk.

[Image: 4.3 event list example.png]

With event listing visualizations, you can:

  • determine the number of events listed.
  • determine whether numbers appear to the left of each event.
  • have event text wrap to fit within the page (or dashboard panel).

Tables

You can pick table visualizations from just about any search, but the most interesting tables are generated by searches that include transform operations, such as a search that uses reporting commands like stats, chart, timechart, top, or rare.

Here's an example of a table that MyFlowerShop, a hypothetical flower company, has designed to track price differences between its products and those of its hypothetical competitor, Flowers R Us. The actual search used is:

sourcetype=access_* | stats values(product_name) as product by price, flowersrus_price | eval difference = price - flowersrus_price | table product, difference

[Image: 4.3 table viz example.png]

Note that in this example table, the cells in the difference column are shaded. This is because we have chosen a Data overlay of heat map for the table, which means that the high values are shaded red, while the low values are shaded blue. In this example, products that have a higher price at MyFlowerShop than they do at their competitor are shaded red, while products that are cheaper at MyFlowerShop are shaded blue.

For tables, you can:

  • set the number of table rows that are displayed.
  • optionally display row numbers.
  • add data overlays that provide additional visual information, such as heat maps or high/low value indicators.

If you are formatting tables in dashboards with the Visualization Editor you can additionally determine how drilldown works for them. You can enable drilldown by row or by cell, or disable drilldown for the table entirely. For more information about drilldown functionality, see "Understand basic table and chart drilldown actions", in this manual.

Sparklines in tables

You can arrange to have your tables display sparkline visualizations. Sparklines can increase the usefulness and overall information density of tables in reports and dashboards; they show hidden patterns in your data that might otherwise be hard to identify in your table results.

To use sparklines, your underlying search has to use the stats or chart reporting command. You add the sparkline function of those commands to tell Splunk to add a sparkline column to the table. For details on how this works, see "Add Sparklines to your search results" in the Search Manual.

The following sparkline example runs off of this search, which looks at USGS earthquake data (in this case a CSV file that presents all magnitude 2.5+ quakes recorded over a given 7-day period, worldwide):

source=eqs7day-M2.5.csv | stats sparkline(avg(Magnitude),6h) as magnitude_trend, count, avg(Magnitude) by Region | sort count

The search displays the top 10 regions according to the total count of quakes experienced per region over that period. The sparkline in the resulting table illustrates the trend in earthquake magnitude over the course of that week for each of the top earthquake regions:

[Image: Spk magTrend example.png]

This example also demonstrates how you can mouse over the sparkline to get a read of the values at specific points along its length.

Charts

Splunk provides a variety of chart visualizations, such as column, line, area, scatter, and pie charts. These visualizations require transforming searches (searches that use reporting commands) whose results involve one or more series.

A series is a sequence of related data points that can be plotted on a chart. For example, each line plotted on a line chart represents an individual series. You can design transforming searches that produce a single series, or you can set them up so the results provide data for multiple series.

It may help to think of the tables that can be generated by transforming searches. Every column in the table after the first one represents a different series. A "single series" search would produce a table with only two columns, while a "multiple series" search would produce a table with three or more columns.

All of the chart visualizations can handle single-series searches, though you'll find that bar, column, line, and pie chart visualizations are usually best for such searches. In fact, pie charts can only display data from single series searches.

On the other hand, if your search produces multiple series, you'll want to go with a bar, column, line, area, or scatter chart visualization.

For a detailed discussion of the data structure requirements for the different kinds of chart visualizations, see the topic "Data structure requirements for visualizations," in this manual.

Column and bar charts

Use a column chart or bar chart to compare the frequency of values of fields in your data. In a column chart, the x-axis values are typically field values (or time, especially if your search uses the timechart reporting command) and the y-axis can be any other field value, count of values, or statistical calculation of a field value. Bar charts are exactly the same, except that the x-axis and y-axis values are reversed. (See the "Visualization data structure requirements" topic, in this manual, for more information.)

The following bar chart presents the results of this search, which uses internal Splunk metrics. It finds the total sum of CPU_seconds by processor in the last 15 minutes, and then arranges the processors with the top ten sums in descending order:

index=_internal "group=pipeline" | stats sum(cpu_seconds) as totalCPUSeconds by processor | sort 10 totalCPUSeconds desc

[Image: Charts - bar.png]

Note that in this example, we've also demonstrated how you can roll over a single bar or column to get detail information about it.

When you define the properties of your bar and column charts, you can:

  • set the chart titles, as well as the titles of the x-axis and y-axis.
  • set the minimum value for the y-axis (for example, if all the y-axis values of your search are above 100 it may improve clarity to have the chart start at 100).
  • set the unit scale to Log (logarithmic) to improve clarity of charts where you have a mix of very small and very large y-axis values. See "Edit dashboard panel visualizations" in this manual for more information on this setting.
  • determine whether charts are stacked, 100% stacked, and unstacked. Bar and column charts are always unstacked by default. See the following subsection for details on stacking bar and column charts.

If you are formatting bar or column charts in dashboards with the Visualization Editor you can additionally:

  • set the major unit for the y-axis (for example, you can arrange to have tick marks appear in units of 10, or 20, or 45...whatever works best).
  • determine the position of the chart legend and the manner in which the legend labels are truncated.
  • turn their drilldown functionality on or off. For more information about drilldown, see "Understand basic table and chart drilldown actions", in this manual.

Stacked column and bar charts

When your base search involves more than one data series, you can use stacked column charts and stacked bar charts to compare the frequency of field values in your data.

In an unstacked column chart, the columns for different series are placed alongside each other. This may be fine if your chart is relatively simple--total counts of sales by month for two or three items in a store over the course of a year, for example--but when the series count increases it can make for a cluttered, confusing chart.

In a column chart set to a Stack mode of Stacked, all of the series columns for a single datapoint (such as a specific month in the chart described in the preceding paragraph) are stacked to become segments of a single column (one column per month, to reference that example again). The total value of the column is the sum of the segments.

Note: You use a stacked column or bar chart to highlight the relative weight (importance) of the different types of data that make up a specific dataset.

The following chart illustrates the customer views of pages in the website of MyFlowerShop, a hypothetical web-based flower store, broken out by product category over a 7 day period:

[Image: Charts - stacked column.png]

Here's the search that built that stacked chart:

sourcetype=access_* method=GET | timechart count by categoryId | fields _time BOUQUETS FLOWERS GIFTS SURPRISE TEDDY

Note the usage of the fields command; it ensures that the chart only displays counts of events with a product category ID; events without one (categorized as null by Splunk) are excluded.

The third Stack mode option, Stacked 100%, enables you to compare data distributions within a column or bar by making it fit to 100% of the length or width of the chart and then presenting its segments in terms of their proportion of the total "100%" of the column or bar. Stacked 100% can help you to better see data distributions between segments in a column or bar chart that contains a mix of very small and very large stacks when Stack mode is just set to Stacked.
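The reshaping described in the "Charts" introduction (every column after the first is a series; pie charts need exactly one) and the NULL-series exclusion just shown with the fields command can be modelled in a few lines. The following Python is an added example written for this page, not Splunk code: the stats_count_by, timechart_count_by, and drop_fields functions stand in for the stats, timechart, and fields commands, and the sample events are constructed here so the script runs offline.

```python
"""Model of how transforming commands reshape search results into the
series-based tables that chart visualizations require.

Added illustration, not Splunk code: the aggregators below stand in for
``stats count by <field>``, ``timechart count by <field>`` and ``fields``,
and the events are constructed sample data.
"""
from collections import Counter, OrderedDict

NULL = "NULL"  # label the page says Splunk gives events lacking the split-by field

# Constructed sample events: web-access style records with a timestamp
# (seconds), a host, and for some of them a product category.
EVENTS = [
    {"_time": 0,    "status": 200, "host": "web01", "categoryId": "FLOWERS"},
    {"_time": 60,   "status": 404, "host": "web01", "categoryId": "GIFTS"},
    {"_time": 120,  "status": 500, "host": "web02"},                 # no category
    {"_time": 3700, "status": 200, "host": "web02", "categoryId": "FLOWERS"},
    {"_time": 3800, "status": 503, "host": "web03", "categoryId": "TEDDY"},
    {"_time": 3900, "status": 404, "host": "web01"},                 # no category
]


def stats_count(events):
    """``... | stats count``: one row, one column, i.e. a single value."""
    return [OrderedDict([("count", len(events))])]


def stats_count_by(events, field):
    """``... | stats count by <field>``: one row per distinct value of
    ``field`` plus a ``count`` column, so the result has exactly one series."""
    counts = Counter(e[field] for e in events if field in e)
    return [OrderedDict([(field, v), ("count", n)]) for v, n in sorted(counts.items())]


def timechart_count_by(events, field, span):
    """``... | timechart span=<span> count by <field>``: ``_time`` is the first
    column and every distinct value of ``field`` (plus NULL for events that
    lack it) becomes its own series column."""
    values = sorted({e.get(field, NULL) for e in events})
    buckets = {}
    for e in events:
        bucket = (e["_time"] // span) * span
        buckets.setdefault(bucket, Counter())[e.get(field, NULL)] += 1
    table = []
    for t in sorted(buckets):
        row = OrderedDict([("_time", t)])
        row.update((v, buckets[t][v]) for v in values)
        table.append(row)
    return table


def drop_fields(table, keep):
    """``| fields <keep...>``: keeps only the named columns, which is how the
    page's stacked-column search removes the NULL series."""
    return [OrderedDict((k, row[k]) for k in keep if k in row) for row in table]


def series_count(table):
    """Every column after the first one is a series."""
    return len(table[0]) - 1 if table else 0


def chart_types_for(table):
    """Chart types the page says fit a result of this shape: pie charts need
    exactly one series, the other types accept one or more. A one-column
    result has no series at all and belongs to the single value displays."""
    n = series_count(table)
    if n < 1:
        return []
    types = ["bar", "column", "line", "area", "scatter"]
    if n == 1:
        types.append("pie")
    return types


if __name__ == "__main__":
    by_host = stats_count_by(EVENTS, "host")
    print(series_count(by_host), chart_types_for(by_host))
    tc = timechart_count_by(EVENTS, "categoryId", 3600)
    print(list(tc[0].keys()), series_count(tc))
    print(list(drop_fields(tc, ["_time", "FLOWERS", "GIFTS", "TEDDY"])[0].keys()))
```

Running it shows that the single-series host table qualifies for every chart type including pie, that the hourly timechart carries four series (one of them NULL), and that dropping the NULL column leaves three series, which is exactly what the page's stacked-column search does.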

Line and area charts

Line and area charts are commonly used to show data trends over time, though the x-axis can be set to any field value. If your chart includes more than one series, each series will be represented by a differently colored line or area.

This chart is based on a simple search that reports on internal Splunk metrics:

index=_internal | timechart count by sourcetype

[Image: Charts - line.png]

The shaded areas in area charts can help to emphasize quantities. The following area chart is derived from this search, which also makes use of internal Splunk metrics (you can find a version of this dashboard panel in the "Search activity overview" dashboard which is delivered with Splunk):

index=_internal source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_hist_searches) as "Historical Searches" max(active_realtime_searches) as "Real-time Searches"

[Image: Charts - area.png]

When you define the properties of your line and area charts, you can:

  • set the chart titles, as well as the titles of the x-axis and y-axis.
  • determine what Splunk does with missing (null) y-axis values. You can have the system leave gaps for null datapoints, connect them to zero, or just connect to the next positive datapoint. If you choose to leave gaps, Splunk displays markers for datapoints that are disconnected because they are not adjacent to other positive datapoints.
  • set the minimum y-axis values (for example, if all the y-axis values of your search are above 100 it may improve clarity to have the chart start at 100).
  • set the unit scale to Log (logarithmic) to improve clarity of charts where you have a mix of very small and very large y-axis values. See "Edit dashboard panel visualizations" in this manual for more information on this setting.
  • determine whether charts are stacked, 100% stacked, or unstacked. See the following subsection for details on stacking line and area charts.

If you are formatting line or area charts in dashboards with the Visualization Editor you can additionally:

  • set the major unit for the y-axis (for example, you can arrange to have tick marks appear in units of 10, or 20, or 45...whatever works best).
  • determine the position of the chart legend and the manner in which the legend labels are truncated.
  • turn their drilldown functionality on or off. For more information about drilldown, see "Understand basic table and chart drilldown actions", in this manual.

Stacked line and area charts

Stacked line and area charts operate along the same principles as stacked column and bar charts (see above). Stacked line and area charts can help readers when several series are involved; they make it easier to see how each data series relates to the entire set of data as a whole.

The following chart is another example of a chart that presents information from internal Splunk metrics. The search used to create it is:

index=_internal per_sourcetype_thruput | timechart sum(kb) by series useother=f

[Image: Charts - stacked area.png]

Pie chart

Use a pie chart to show the relationship of parts of your data to the entire set of data as a whole. The size of a slice in a pie graph is determined by the size of a value of part of your data as a percentage of the total of all values.

The following pie chart presents the views by referrer domain for a hypothetical online store for the previous day. Note that you can get metrics for individual pie chart wedges by mousing over them.

[Image: Charts - Pie.png]

When you define the properties of pie charts you can set the chart title. If you are formatting pie charts in dashboards with the Visualization Editor you can additionally:

Scatter chart

Use a scatter chart (or "scatter plot") to show trends in the relationships between discrete values of your data. Generally, a scatter plot shows discrete values that do not occur at regular intervals or belong to a series. This is different from a line graph, which usually plots a regular series of points.

Here's an example of a search that can be used to generate a scatter chart. It looks at USGS earthquake data (in this case a CSV file that presents all magnitude 2.5+ quakes recorded over a given 7-day period, worldwide), pulls out just the Californian quakes, plots out the quakes by magnitude and quake depth, and then color-codes them by region. As you can see the majority of quakes recorded during this period were fairly shallow--10 or fewer meters in depth, with the exception of one quake that was around 27 meters deep. None of the quakes exceeded a magnitude of 4.0.

[Image: Charts - Scatter.png]

To generate the chart for this example, we've used the table command, followed by three fields. The first field is what appears in the legend (Region). The second field is the x-axis value (Magnitude), which leaves the third field (Depth) to be the y-axis value. Note that when you use table the latter two fields must be numeric in nature.

source=eqs7day-M2.5.csv Region=*California | table Region Magnitude Depth | sort Region

For more information about the data structures that scatter charts require, see the "Visualization data structure requirements" topic, in this manual.

When you define the properties of your scatter charts, you can:

  • set the chart titles, as well as the titles of the x-axis and y-axis.
  • set the minimum value for the y-axis (for example, if all the y-axis values of your search are above 100 it may improve clarity to have the chart start at 100).
  • set the unit scale to Log (logarithmic) to improve clarity of charts where you have a mix of very small and very large y-axis values. See "Edit dashboard panel visualizations" in this manual for more information on this setting.

If you are formatting scatter charts in dashboards with the Visualization Editor you can additionally:

  • set the major unit for the y-axis (for example, you can arrange to have tick marks appear in units of 10, or 20, or 45...whatever works best).
  • determine the position of the chart legend and the manner in which the legend labels are truncated.
  • turn their drilldown functionality on or off. For more information about drilldown, see "Understand basic table and chart drilldown actions", in this manual.

Single-value visualizations

Single value displays and gauges are designed to interpret the results of a transforming search that returns a single value whenever it is run, such as a search that returns the total count of events fitting a specific set of search criteria over a specific time range (or within a real-time window, in the case of real-time searches).

For example, this search presents the total number of Splunkd errors over the past hour:

index=_internal source="*splunkd.log" log_level="error" | stats count as errors

There are numerous ways to make searches arrive at single values, such as combining the top command with head=1.

For more information on the data structure requirements of single value visualizations, see the "Data structure requirement for visualizations" topic in this manual.

Note: When you design dashboard visualizations, you'll see that you can select single value visualizations even when you're working with a search that doesn't return a single value. In the case of dashboards, when a single value visualization is based on a transforming search that returns multiple values, it works with the value in the first cell of the resulting table. It doesn't matter whether the search involves a single series or multiple series. The other visualization setup options (the Search app timeline view, the Report Builder, and the Advanced Charting view) do not allow this when searches that return more than one value are involved.

Single value dashboard display

The single value display is available for dashboards only. When you base it on a search that returns a single numerical value, it displays the current result for that search. If you base the visualization on a real-time search that returns a single value, the number displayed changes as the search interprets incoming data.

[Image: 5.0-viz-singleval display ex.jpg]

You can arrange to have a single value display visualization change color depending on where the value it's displaying fits within a defined range, but to do so you'll have to include a special search command in the underlying search.

Design a search that returns a single value and that uses the rangemap command to define the range. By default, Splunk associates the color green with the word low, the color yellow with elevated, and red with severe. The example single value display panel above is based on this search:

index=_internal source="*splunkd.log" log_level="error" | stats count as errors | rangemap field=errors low=0-3 elevated=4-20 default=severe

Create a dashboard panel based on the search by clicking Create... and selecting Dashboard panel. This opens the Create Dashboard Panel dialog box, where you can select Single value as the visualization type for the search and determine whether the panel should be added to a new or preexisting dashboard. For more information about creating dashboards and panels, see "Create and edit simple dashboards," in this manual.

When you go to your dashboard, the single value panel should now display either green, yellow, or red, depending on the number presented and the range that you set up for it in the search string.

For more information about working with the XML code behind single value display dashboard panels, see "Add a single value and gauges" in this manual.

Single value dashboard display formatting options

When you define a single value dashboard display with the Visualization Editor, you can:

  • Provide a panel title.
  • Set up text that goes before and after the displayed number. For example:

[Image: 5.0-singleval with before-after text.png]

Gauges

Splunk provides three types of gauge visualizations: radial, filler, and marker.

Gauge visualizations map a single numerical value against a range of colors that may have particular business meaning or logic. As the value changes over time, the gauge marker changes position within this range. Gauges are designed to provide an especially dynamic visualization for real-time searches, where the value returned fluctuates as events are returned, causing the gauge marker to visibly bounce back and forth within the range as you watch it.

The various gauge examples below have the same base search. It is:

index=_internal source="*splunkd.log" log_level="error" | stats count as errors

Radial gauge

The radial gauge type looks essentially like a speedometer or pressure valve gauge. It has an arced range scale and a rotating needle. The current value of the needle is displayed at the bottom of the gauge (in the case of the example below, the value is 19). If the value falls below or above the specified minimum or maximum range, the needle "flutters" at the upper (or lower) boundary, as if it is straining to move past the limits of the range.

Here's an example of the "shiny" version of the radial gauge:

[Image: Radial gauge example-1.png]

And here's what the "minimal" version of the radial gauge looks like:

[Image: 4.3 radial gauge minimal-1.png]

Filler gauge

The filler gauge is similar in appearance to a thermometer, with a liquid-like filler indicator that changes color as it rises and passes gauge range boundaries. Imagine you have set up three ranges, colored green, yellow, and red from the bottom up: the liquid appears green when it is near the bottom, yellow when it reaches the midpoint boundary, and red when it gets to the top. The current value of the gauge fill is displayed at the left side of the filler indicator.

[Image: Filler gauge - unfull example.png]

The filler gauge is oriented vertically by default but can be oriented horizontally through custom charting configuration.

Marker gauge

The marker gauge is a linear version of the filler gauge. It is already "filled"; a gauge marker rests at the value returned by the search. If the gauge is displaying the results of a real-time search, the marker can appear to slide back and forth across the range as the returned value fluctuates over time. If the returned value falls outside of the upper or lower ranges of the marker gauge, the marker appears to vibrate at the upper (or lower) boundary, as if it is straining to move past the limits of the range.

[Image: Marker gauge-1.png]

The marker gauge is oriented vertically by default but can be oriented horizontally through custom charting configuration.

Marker gauges have display issues with numbers exceeding 3 digits in length. To manage this, you can set up a search that divides a large number by a factor that reduces it to a smaller number. For example, if the value returned is typically in the tens of thousands, set your search up so the result is divided by 1000. Then a result of 19,100 becomes 19.1.

You can also deal with large numbers by setting the chart configuration options so the range is expressed as a percentage. For more about that, see the next subsection.

Formatting gauge visualizations via Splunk Web

All of Splunk's UI-based visualization definition options enable you to define how your gauges appear. You have the most formatting options when you use the dashboard Visualization Editor to set up a gauge in a dashboard panel. The Visualization Editor enables you to:

  • Provide a title for the panel.
  • Define the size and number of the ranges that make up the overall gauge. For example, you could have a gauge that starts at 0, ends at 100, and is made up of four ranges that span 0-25, 26-50, 51-75, and 76-100. Or you could have a gauge that starts at 1000, ends at 3000, and is made up of several smaller ranges.
  • Set the colors for each range. By default the first three ranges are green, yellow, and red, but you can change them to whatever you want, and add or subtract ranges as you see fit.
  • Determine whether the gauge style is shiny or minimal. For example, the shiny version of the radial gauge is designed to look something like a real radial machine gauge, with a metallic-looking dial and black background. The minimal radial gauge, on the other hand, is a stripped-down, "flat" version of the radial gauge design.

Note: When you are formatting gauge visualizations through the Visualization Editor, you can have it define color ranges automatically (by using values defined in the search string in conjunction with the gauge command--see below) or manually (by using settings defined in the Visualization Editor).

For more information about using the Visualization Editor to format dashboard panel visualizations, see the topic "Edit dashboard panel visualizations," in this manual.

Splunk's other visualization definition options (the Report Builder, the Advanced Charting view, and the results area of the Search app) only provide the ability to give titles to gauge visualizations. By default they create a gauge with three ranges: 1-30, 31-70, and 71-100. These ranges are colored green, yellow, and red, respectively. To set up different gauge ranges with these visualization definition options, you need to update the underlying search with the gauge search command, as described in the following subtopic.

Setting gauge ranges with the gauge command

When you're using a visualization definition option other than the dashboard Visualization Editor, you'll need to use the gauge command to set custom ranges for a gauge visualization.

The gauge command only enables you to set the gauge ranges; Splunk assigns colors to each range automatically. With gauge, you indicate the field whose value will be tracked by the gauge. Then you add "range values" to the search string that indicate the beginning and end of the range as well as the relative sizes of the color bands within it.

For example, to set up a gauge that tracks a hitcount field value with the ranges 100-119, 120-139, 140-159, 160-179, and 180-200 you would add this to your search string:

...| gauge hitcount 100 120 140 160 180 200

Splunk chooses default colors for these ranges (the first three are always green, yellow, and red).

Note: If you do not include the gauge command in your search (or do use it but fail to include range values along with it), Splunk inserts default range values of 0 30 70 100 when it generates the gauge visualization.
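Both search-side colouring steps on this page, rangemap for the single value display (see "Single value dashboard display" above) and the gauge command's range values for gauges, follow small, well-defined rules. The Python below is an added example written for this page, not Splunk's implementation: parse_rangemap and rangemap model the named ranges and default described for the single value display, parse_gauge and gauge_bands model how the range values become colour bands (including the 0 30 70 100 fallback), and scale_for_marker_gauge shows the marker-gauge workaround for large numbers. The output field name "range", the "None" label when nothing matches, and the colour names past the third band are assumptions, marked as such in the code.

```python
"""Model of the two search-side steps the page uses to colour single value
displays and gauges: ``rangemap`` (named value ranges plus a default) and
``gauge`` (a field followed by the boundaries of its colour bands, with
``0 30 70 100`` substituted when no boundaries are given).

Added illustration written for this page, not Splunk's implementation.
Assumptions: the output field is called ``range`` and reads ``None`` when no
range matches and no default is set; colours past the third band are named
``auto-N`` because the page fixes only the first three.
"""
import re

# Colours the page associates with the default rangemap names and with the
# first three gauge bands.
RANGEMAP_COLORS = {"low": "green", "elevated": "yellow", "severe": "red"}
GAUGE_COLORS = ["green", "yellow", "red"]
DEFAULT_GAUGE_VALUES = [0, 30, 70, 100]

_RANGE = re.compile(r"^(\d+(?:\.\d+)?)-(\d+(?:\.\d+)?)$")


def parse_rangemap(args):
    """Parse 'field=errors low=0-3 elevated=4-20 default=severe' into
    (field, [(name, lo, hi), ...], default_label)."""
    field, ranges, default = None, [], "None"  # "None": assumed no-match label
    for token in args.split():
        key, _, value = token.partition("=")
        if key == "field":
            field = value
        elif key == "default":
            default = value
        else:
            m = _RANGE.match(value)
            if not m or float(m.group(1)) > float(m.group(2)):
                raise ValueError(f"bad range for {key!r}: {value!r}")
            ranges.append((key, float(m.group(1)), float(m.group(2))))
    if field is None:
        raise ValueError("rangemap needs field=<name>")
    return field, ranges, default


def rangemap(row, args):
    """Apply rangemap to one result row: adds a 'range' field (assumed name)
    holding the first matching range's name, else the default. A value in the
    gap between integer ranges (3.5 for 0-3 and 4-20) matches nothing and so
    gets the default."""
    field, ranges, default = parse_rangemap(args)
    value = float(row[field])
    label = next((n for n, lo, hi in ranges if lo <= value <= hi), default)
    return {**row, "range": label}


def single_value_color(row, args):
    """Panel colour for this row, using the page's default name-to-colour map."""
    return RANGEMAP_COLORS.get(rangemap(row, args)["range"], "none")


def parse_gauge(args):
    """Parse 'hitcount 100 120 140 160 180 200' into (field, [boundaries]);
    a bare field name means no range values were supplied."""
    parts = args.split()
    if not parts:
        raise ValueError("gauge needs a field name")
    return parts[0], [float(p) for p in parts[1:]]


def gauge_bands(boundaries):
    """Consecutive boundaries bound each colour band, so 100 120 ... 200 gives
    five bands; an empty list falls back to the page's default 0 30 70 100."""
    values = list(boundaries) or DEFAULT_GAUGE_VALUES
    if len(values) < 2 or any(b <= a for a, b in zip(values, values[1:])):
        raise ValueError("gauge needs at least two increasing range values")
    return [(lo, hi, GAUGE_COLORS[i] if i < 3 else f"auto-{i + 1}")  # auto-N: assumed
            for i, (lo, hi) in enumerate(zip(values, values[1:]))]


def gauge_band_color(value, boundaries):
    """Colour of the band the needle sits in, or None when the value lies
    outside the gauge (where the page says the needle flutters at the edge)."""
    bands = gauge_bands(boundaries)
    if value < bands[0][0] or value > bands[-1][1]:
        return None
    return next((c for lo, hi, c in bands if lo <= value < hi), bands[-1][2])


def scale_for_marker_gauge(value, factor=1000):
    """The page's workaround for marker gauges and numbers longer than three
    digits: divide before charting, so 19100 displays as 19.1."""
    return round(value / factor, 1)


if __name__ == "__main__":
    args = "field=errors low=0-3 elevated=4-20 default=severe"
    for errors in (0, 3.5, 19, 42):
        print(errors, rangemap({"errors": errors}, args)["range"], single_value_color({"errors": errors}, args))
    field, bounds = parse_gauge("hitcount 100 120 140 160 180 200")
    print(field, gauge_bands(bounds))
    print(gauge_band_color(19, []), gauge_band_color(250, bounds), scale_for_marker_gauge(19100))
```

The gap case is the one worth noticing: with integer ranges such as 0-3 and 4-20, a fractional result like 3.5 is not in any range and therefore takes the default, which in the page's search means a severe (red) panel rather than an elevated one. Use adjoining boundaries if the tracked field can be non-integer.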

Additional visualization options

Splunk offers visualization options that are unavailable via Splunk Web tools like the Report Builder and the Visualization Editor for dashboard panels. You can set these additional visualization options up in dashboard panels using Splunk's view XML and the custom charting configuration controls.

These additional visualization options include:

  • Bubble charts
  • Histograms
  • Range marker charts
  • Ratio bar charts
  • Value marker charts

You can use bubble charts to show trends and the relative importance of discrete values in your data. The size of a bubble indicates a value's relative importance. It represents a third dimension on top of the x-axis and y-axis values that plot the bubble's position on the chart. This dimension determines the bubble's size relative to the others in the chart.

Range marker charts and value marker charts are designed to work as overlays on top of bar, column, line, or area charts.

For more information about these chart types, the data structures required to support them, and their view XML properties, see the Custom charting configuration reference chapter in the Developer Manual.


This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

I was only able to get a stacked graph using the Report Builder. The example above does not include the argument.

Jalfrey
March 28, 2013
