Create charts that are not (necessarily) time-based
Use the chart reporting command to create charts that can display any series of data. Unlike the timechart command, charts created with the chart command use an arbitrary field as the x-axis. You use the over keyword to specify which field takes the x-axis. The over keyword is specific to the chart command. You won't use it with timechart, for example, because the default _time field is already being used as the x-axis.
Example 1: Use web access data to show the count of unique visitors (distinct client IP addresses) on each weekday. The dc() function returns the distinct count; averaging an IP address field with avg() would not produce a meaningful number.
index=sampledata sourcetype=access* | chart dc(clientip) over date_wday
One of the options you have is to split the data by another field, meaning that each distinct value of the "split by" field becomes a separate series in the chart. If your search includes a "split by" clause, place the over clause before the "split by" clause.
The following report generates a chart showing the sum of kilobytes processed for each clientip within a given timeframe, split by host. In the finished chart, the summed kb value takes the y-axis and clientip takes the x-axis; each bar is broken out by host. After you run this search, format the report as a stacked bar chart.
index=sampledata sourcetype=access* | chart sum(kb) over clientip by host
Example 2: Create a stacked bar chart that splits out the http and https requests hitting your servers.
To do this, first create ssl_type, a search-time field extraction that derives the request type from the inbound port number or from the scheme of the requested URL, assuming that one of those is logged. The finished search would look like this:
sourcetype=whatever | chart count over ssl_type
After you run the search, format the results as a stacked bar chart.
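As an added example that is not part of the original page, the following search derives ssl_type inline with eval instead of a saved field extraction, and adds a "split by" clause so the stacked bars show the per-host breakdown. It assumes the events carry a numeric dest_port field and a url field holding the full requested URL; both field names are assumptions, and if your extractions use different names, substitute them. A search-time extraction defined in props.conf and transforms.conf would make ssl_type available to every search without repeating the eval.

```spl
index=sampledata sourcetype=access*
| eval ssl_type=case(
    dest_port==443, "https",
    dest_port==80,  "http",
    match(url, "^https://"), "https",
    match(url, "^http://"),  "http",
    true(), "unknown")
| chart count over ssl_type by host
```

The "unknown" bucket is deliberate: events that carry neither a recognised port nor a URL scheme would otherwise be silently dropped from the chart, which hides gaps in logging. Because the over clause precedes the by clause, ssl_type takes the x-axis and each host becomes a separate series, so formatting the result as a stacked bar chart shows both the http/https split and which hosts contribute to each.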
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18