Splunk® Enterprise

Dashboards and Visualizations


Visualization Reference

Splunk provides a number of options for search result visualization. Along with the straightforward "event listing" visualization, you can see event data presented in the form of tables and charts (such as column, line, area, and pie charts). For searches that return a single, discrete, numerical value, you can visualize it with a variety of gauge and single value displays.

This topic provides examples of Splunk visualizations.

Note: Visualization options can be limited if the search doesn't return data in a structure supported by the visualization. For example, you need a transforming command (such as stats, timechart, or top) to return search results in a data structure that supports both tables and chart visualizations (such as column, bar, line, area, and pie charts). For more information, see Data structure requirements for visualizations in this manual.

For more information about building searches with transforming commands, see About reporting commands in the Search Manual.

Accessing Splunk's visualization definition features

Splunk provides user interface tools to create and modify visualizations. You can access these tools from various places in Splunk Web.

  • Search
  • Dashboards
  • Dashboard visual editor
  • Pivot
  • Reports

You can also create and modify visualizations directly in simple XML code.

Visualizations from Splunk Search

You can modify how Splunk displays search results in the Search page. After running a search, select the Visualization tab, then select the type of visualization to display and specify formatting options for the selected visualization. The search must be a reporting search that returns results that can be formatted as a visualization.

See Edit visualizations for information on editing Splunk visualizations.

Dashboard panel visualizations

When you base a new dashboard panel on search results, you can choose the visualization that best represents the data returned by the search. You can then use the Visualization Editor to fine-tune the way the panel visualization displays.

To create a dashboard panel from search results, after you run the search click Save As > Dashboard Panel. For more information about creating and editing dashboards, see About the Dashboard Editor and Edit visualizations.

Dashboard Editor

You can create and edit visualizations when editing dashboards using the Dashboard Editor, an interactive visual editor.

For more information, see About the Dashboard Editor.

Events visualizations

Events visualizations are essentially raw lists of events.

You can get events visualizations from any search that does not include a transforming operation, that is, any search that does not use reporting commands such as stats, chart, timechart, top, or rare. For example, if you just search for a set of terms and field values, you'll end up with a list of events:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )

[Image: event list example]


But if you add a transforming command to that search, you instead get statistical results that can be presented either as a table or a chart, but not an event list:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) | stats count by host

[Image: event list after adding a transforming command]


With event listing visualizations, you can:

  • Determine the number of events listed.
  • Determine whether numbers appear to the left of each event.
  • Have event text wrap to fit within the page (or dashboard panel).


Drilldown behavior for events visualizations

For data displayed as raw events or in a list, drilldown behavior depends on your mouse-over selection of a segment in the event listing. You can specify the type of selection as full, inner, or outer. See Types of event segmentation.

Depending on the drilldown option, you mouse over a major segment, contiguous minor segments, or a minor segment. After mousing over a selection, click to launch a detailed search.

  • Note: Event segmentation processing for events with long single lines of text can cause browser performance issues. Disable drilldowns before running a search on these events.

Tables

You can pick table visualizations from just about any search, but the most interesting tables are generated by searches that include transform operations, such as a search that uses reporting commands like stats, chart, timechart, top, or rare.

Here's an example of a table that MyFlowerShop, a hypothetical flower company, has designed to track price differences between its products and those of its hypothetical competitor, Flowers R Us. The actual search used is:

sourcetype=access_* | stats values(product_name) as product by price, flowersrus_price | eval difference = price - flowersrus_price | table product, difference

[Image: table visualization example with heat map overlay]

Note that in this example table, the cells in the difference column are shaded. This is because we have chosen a Data overlay of heat map for the table, which means that the high values are shaded red, while the low values are shaded blue. In this example, products that have a higher price at MyFlowerShop than they do at their competitor are shaded red, while products that are cheaper at MyFlowerShop are shaded blue.

For tables, you can:

  • set the number of table rows that are displayed.
  • optionally display row numbers.
  • add data overlays that provide additional visual information, such as heat maps or high/low value indicators.

If you are formatting tables in dashboards with the Visualization Editor you can additionally determine how drilldown works for them. You can enable drilldown by row or by cell, or disable drilldown for the table entirely. For more information about drilldown functionality, see Understand basic table and chart drilldown actions in this manual.
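The table options listed above (row count, row numbers, data overlay, and drilldown mode) can also be set directly in simple XML. The following dashboard is an added example, not code from the Splunk documentation; it reuses the host-count search from the events section and applies the Splunk 6.0 simple XML table options. The time range and the row limit of 10 are assumed values.

```xml
<dashboard>
  <label>Error events by host</label>
  <row>
    <table>
      <title>Error, failed and severe events per host (last 24 hours)</title>
      <!-- Same search as the events section, with a transforming command added -->
      <searchString>error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) | stats count by host | sort - count</searchString>
      <!-- Assumed time range -->
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
      <!-- Number of rows shown per page (assumed value) -->
      <option name="count">10</option>
      <!-- Show row numbers to the left of each row -->
      <option name="rowNumbers">true</option>
      <!-- Heat map shades numeric cells from low (blue) to high (red);
           "highlow" marks only the extremes and "none" disables overlays -->
      <option name="dataOverlayMode">heatmap</option>
      <!-- Clicking a cell drills into the events behind that host;
           "row" and "none" are the other drilldown modes -->
      <option name="drilldown">cell</option>
    </table>
  </row>
</dashboard>
```

The heat map overlay makes an outlier host stand out without reading the numbers, which is the usual reason to put a count-by-host table on an operations dashboard.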

Sparklines in tables

You can arrange to have your tables display sparkline visualizations. Sparklines can increase the usefulness and overall information density of tables in reports and dashboards; they show hidden patterns in your data that might otherwise be hard to identify in your table results.

To use sparklines, your underlying search has to use the stats or chart reporting command. You add the sparklines function of those commands to tell Splunk to add a sparkline column to this table. For details on how this works, see Add Sparklines to your search results in the Search Manual.


The following sparkline example runs off of this search, which looks at USGS earthquake data. You can download a current CSV file from the USGS Earthquake Feeds and add it as an input to Splunk, but the field names and format will be slightly different from the example shown here. In this case, the data presents all magnitude 2.5+ quakes recorded over a given 7-day period, worldwide:

source=usgs | stats sparkline(avg(Magnitude),6h) as magnitude_trend, count, avg(Magnitude) by Region | sort count

The search displays the top 10 regions according to the total count of quakes experienced per region over that period. The sparkline in the resulting table illustrates the trend in earthquake magnitude over the course of that week for each of the top earthquake regions:

[Image: table with sparkline column showing magnitude trend by region]

This example also demonstrates how you can mouse over the sparkline to get a read of the values at specific points along its length.

Charts

Splunk provides a variety of chart visualizations, such as column, line, area, scatter, and pie charts. These visualizations require transforming searches (searches that use reporting commands) whose results involve one or more series.

A series is a sequence of related data points that can be plotted on a chart. For example, each line plotted on a line chart represents an individual series. You can design transforming searches that produce a single series, or you can set them up so the results provide data for multiple series.

It may help to think of the tables that can be generated by transforming searches. Every column in the table after the first one represents a different series. A "single series" search would produce a table with only two columns, while a "multiple series" search would produce a table with three or more columns.

All of the chart visualizations can handle single-series searches, though you'll find that bar, column, line, and pie chart visualizations are usually best for such searches. In fact, pie charts can only display data from single series searches.

On the other hand, if your search produces multiple series, you'll want to go with a bar, column, line, area, or scatter chart visualization.

For a detailed discussion of the data structure requirements for the different kinds of chart visualizations, see the topic Data structure requirements for visualizations in this manual.

Column and bar charts

Use a column chart or bar chart to compare the frequency of values of fields in your data. In a column chart, the x-axis values are typically field values (or time, especially if your search uses the timechart reporting command) and the y-axis can be any other field value, count of values, or statistical calculation of a field value. Bar charts are exactly the same, except that the x-axis and y-axis values are reversed. (For more information, see the Data structure requirements for visualizations in this manual.)

The following bar chart presents the results of this search, which uses internal Splunk metrics. It finds the total sum of CPU_seconds by processor in the last 15 minutes, and then arranges the processors with the top ten sums in descending order:

index=_internal "group=pipeline" | stats sum(cpu_seconds) as totalCPUSeconds by processor | sort 10 totalCPUSeconds desc

[Image: bar chart of CPU seconds by processor]

Note that in this example, we've also demonstrated how you can roll over a single bar or column to get detail information about it.

When you define the properties of your bar and column charts, you can:

  • set the chart titles, as well as the titles of the x-axis and y-axis.
  • set the minimum y-axis values for the y-axis (for example, if all the y-axis values of your search are above 100 it may improve clarity to have the chart start at 100).
  • set the unit scale to Log (logarithmic) to improve clarity of charts where you have a mix of very small and very large y-axis values. See Edit visualizations in this manual for more information on this setting.
  • determine whether charts are stacked, 100% stacked, or unstacked. Bar and column charts are always unstacked by default. See the following subsection for details on stacking bar and column charts.

If you are formatting bar or column charts in dashboards with the Visualization Editor you can additionally:

  • set the major unit for the y-axis (for example, you can arrange to have tick marks appear in units of 10, or 20, or 45...whatever works best).
  • determine the position of the chart legend and the manner in which the legend labels are truncated.
  • turn their drilldown functionality on or off. For more information about drilldown, see Understand basic table and chart drilldown actions in this manual.

Stacked column and bar charts

When your base search involves more than one data series, you can use stacked column charts and stacked bar charts to compare the frequency of field values in your data.

In an unstacked column chart, the columns for different series are placed alongside each other. This may be fine if your chart is relatively simple--total counts of sales by month for two or three items in a store over the course of a year, for example--but when the series count increases it can make for a cluttered, confusing chart.

In a column chart set to a Stack mode of Stacked, all of the series columns for a single datapoint (such as a specific month in the chart described in the preceding paragraph) are stacked to become segments of a single column (one column per month, to reference that example again). The total value of the column is the sum of the segments.

Note: You use a stacked column or bar chart to highlight the relative weight (importance) of the different types of data that make up a specific dataset.

The following chart illustrates the customer views of pages in the website of MyFlowerShop, a hypothetical web-based flower store, broken out by product category over a 7 day period:

[Image: stacked column chart of page views by product category]

Here's the search that built that stacked chart:

sourcetype=access_* method=GET | timechart count by categoryId | fields _time BOUQUETS FLOWERS GIFTS SURPRISE TEDDY

Note the usage of the fields command; it ensures that the chart only displays counts of events with a product category ID; events without one (categorized as null by Splunk) are excluded.

The third Stack mode option, Stacked 100%, enables you to compare data distributions within a column or bar by making it fit to 100% of the length or width of the chart and then presenting its segments in terms of their proportion of the total "100%" of the column or bar. Stacked 100% can help you to better see data distributions between segments in a column or bar chart that contains a mix of very small and very large stacks when Stack mode is just set to Stacked.

Line and area charts

Line and area charts are commonly used to show data trends over time, though the x-axis can be set to any field value. If your chart includes more than one series, each series will be represented by a differently colored line or area.

This chart is based on a simple search that reports on internal Splunk metrics:

index=_internal | timechart count by sourcetype

[Image: line chart of event count by sourcetype]

The shaded areas in area charts can help to emphasize quantities. The following area chart is derived from this search, which also makes use of internal Splunk metrics:

index=_internal source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_hist_searches) as "Historical Searches" max(active_realtime_searches) as "Real-time Searches"

[Image: area chart of historical and real-time search concurrency]

When you define the properties of your line and area charts, you can:

  • set the chart titles, as well as the titles of the x-axis and y-axis.
  • determine what Splunk does with missing (null) y-axis values. You can have the system leave gaps for null datapoints, plot them as zero, or connect the line across them to the next positive datapoint. If you choose to leave gaps, Splunk will display markers for datapoints that are disconnected because they are not adjacent to other positive datapoints.
  • set the minimum y-axis values (for example, if all the y-axis values of your search are above 100 it may improve clarity to have the chart start at 100).
  • set the unit scale to Log (logarithmic) to improve clarity of charts where you have a mix of very small and very large y-axis values. See Edit visualizations in this manual for more information on this setting.
  • determine whether charts are stacked, 100% stacked, or unstacked. Line and area charts are unstacked by default. See the following subsection for details on stacking line and area charts.

If you are formatting line or area charts in dashboards with the Visualization Editor you can additionally:

  • set the major unit for the y-axis (for example, you can arrange to have tick marks appear in units of 10, or 20, or 45...whatever works best).
  • determine the position of the chart legend and the manner in which the legend labels are truncated.
  • turn their drilldown functionality on or off. For more information about drilldown, see Understand basic table and chart drilldown actions in this manual.
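The column chart options (stack mode, axis titles, legend placement and truncation, drilldown) and the line chart options (null value handling, y-axis minimum, unit scale, major unit) described in the two preceding lists map onto simple XML chart options. The dashboard below is an added example and is not from the Splunk documentation; it uses the Splunk 6.0 simple XML option names. The status field on the access_* sourcetype and both time ranges are assumptions.

```xml
<dashboard>
  <label>Web status codes and internal event volume</label>
  <row>
    <chart>
      <title>Requests by HTTP status, stacked to 100%</title>
      <!-- Assumes the access_* sourcetype carries a "status" field -->
      <searchString>sourcetype=access_* | timechart count by status</searchString>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">column</option>
      <!-- default: series columns side by side;
           stacked: one column per time bucket whose segments sum to the total;
           stacked100: every column scaled to 100% so segment proportions compare directly -->
      <option name="charting.chart.stackMode">stacked100</option>
      <option name="charting.axisTitleX.text">Time</option>
      <option name="charting.axisTitleY.text">Share of requests</option>
      <!-- Legend position and how long labels are shortened -->
      <option name="charting.legend.placement">bottom</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <!-- Turn drilldown off for this panel -->
      <option name="drilldown">none</option>
    </chart>
  </row>
  <row>
    <chart>
      <title>Events per sourcetype, gaps for empty buckets</title>
      <searchString>index=_internal | timechart count by sourcetype</searchString>
      <earliestTime>-24h</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">line</option>
      <!-- gaps: break the line at null buckets (isolated points get markers);
           zero: plot nulls as 0; connect: join the neighbouring non-null points -->
      <option name="charting.chart.nullValueMode">gaps</option>
      <!-- Start the y-axis at a fixed value instead of the smallest value found -->
      <option name="charting.axisY.minimumNumber">0</option>
      <!-- Tick marks every 100 events; switch the scale to "log" when series sizes differ by orders of magnitude -->
      <option name="charting.axisLabelsY.majorUnit">100</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.legend.placement">right</option>
      <option name="drilldown">all</option>
    </chart>
  </row>
</dashboard>
```

The first panel is the XML equivalent of choosing Stack mode: Stacked 100% in the Visualization Editor; the second shows the three null handling choices as one option value, with the alternatives noted in the comment.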

Stacked line and area charts

Stacked line and area charts operate along the same principles as stacked column and bar charts (see above). Stacked line and area charts can help readers when several series are involved; they make it easier to see how each data series relates to the entire set of data as a whole.

The following chart is another example of a chart that presents information from internal Splunk metrics. The search used to create it is:

index=_internal per_sourcetype_thruput | timechart sum(kb) by series useother=f

[Image: stacked area chart of indexing throughput by series]

Pie chart

Use a pie chart to show the relationship of parts of your data to the entire set of data as a whole. The size of each slice in a pie chart is determined by that part's value expressed as a percentage of the total of all values.

The following pie chart presents the views by referrer domain for a hypothetical online store for the previous day. Note that you can get metrics for individual pie chart wedges by mousing over them.

[Image: pie chart of views by referrer domain]

When you define the properties of pie charts you can set the chart title. If you are formatting pie charts in dashboards with the Visualization Editor you can additionally:

Scatter chart

Use a scatter chart (or "scatter plot") to show trends in the relationships between discrete values of your data. Generally, a scatter plot shows discrete values that do not occur at regular intervals or belong to a series. This is different from a line graph, which usually plots a regular series of points.

Here's an example of a search that can be used to generate a scatter chart. It looks at USGS earthquake data (in this case a CSV file that presents all magnitude 2.5+ quakes recorded over a given 7-day period, worldwide), pulls out just the Californian quakes, plots out the quakes by magnitude and quake depth, and then color-codes them by region. As you can see the majority of quakes recorded during this period were fairly shallow--10 or fewer meters in depth, with the exception of one quake that was around 27 meters deep. None of the quakes exceeded a magnitude of 4.0.

[Image: scatter chart of Californian quakes by magnitude and depth]

To generate the chart for this example, we've used the table command, followed by three fields. The first field is what appears in the legend (Region). The second field is the x-axis value (Magnitude), which leaves the third field (Depth) to be the y-axis value. Note that when you use table the latter two fields must be numeric in nature.

source=usgs Region=*California | table Region Magnitude Depth | sort Region

You can download a current CSV file from the USGS Earthquake Feeds and add it as an input to Splunk, but the field names and format will be slightly different from the example shown here.

For more information about the data structures that scatter charts require, see the Data structure requirements for visualizations in this manual.

When you define the properties of your scatter charts, you can:

  • set the chart titles, as well as the titles of the x-axis and y-axis.
  • set the minimum y-axis values for the y-axis (for example, if all the y-axis values of your search are above 100 it may improve clarity to have the chart start at 100).
  • set the unit scale to Log (logarithmic) to improve clarity of charts where you have a mix of very small and very large y-axis values. See Edit visualizations in this manual for more information on this setting.

If you are formatting scatter charts in dashboards with the Visualization Editor you can additionally:

  • set the major unit for the y-axis (for example, you can arrange to have tick marks appear in units of 10, or 20, or 45...whatever works best).
  • determine the position of the chart legend and the manner in which the legend labels are truncated.
  • turn their drilldown functionality on or off. For more information about drilldown, see Understand basic table and chart drilldown actions in this manual.

Single-value visualizations

Single value displays and gauges are designed to interpret the results of a transforming search that returns a single value whenever it is run, such as a search that returns the total count of events fitting a specific set of search criteria over a specific time range (or within a real-time window, in the case of real-time searches).

For example, this search presents the total number of Splunkd errors over the past hour:

index=_internal source="*splunkd.log" log_level="error" | stats count as errors

There are numerous ways to make searches arrive at single values, such as combining the top command with head=1.

For more information on the data structure requirements of single value visualizations, see the Data structure requirement for visualizations topic in this manual.

Note: When you design dashboard visualizations, you'll see that you can select single value visualizations even when you're working with a search that doesn't return a single value. In the case of dashboards, when a single value visualization is based on a transforming search that returns multiple values, it works with the value in the first cell of the resulting table. It doesn't matter whether the search involves a single series or multiple series. The other visualization setup options (the Search app timeline view, the Report Builder, and the Advanced Charting view) do not allow this when searches that return more than one value are involved.

Single value dashboard display

The single value display is available for dashboards only. When you base it on a search that returns a single numerical value, it displays the current result for that search. If you base the visualization on a real-time search that returns a single value, the number displayed changes as the search interprets incoming data.

[Image: single value display example]

You can arrange to have a single value display visualization change color depending on where the value it's displaying fits within a defined range, but to do so you'll have to include a special search command in the underlying search.

Design a search that returns a single value and which uses the rangemap command to define the range. By default, Splunk associates the color green with the word low, the color yellow with elevated, and red with severe. The example single value display panel above is based on this search:

index=_internal source="*splunkd.log" log_level="error" | stats count as errors | rangemap field=errors low=0-3 elevated=4-20 default=severe

Create a dashboard panel based on the search by clicking Create... and selecting Dashboard panel. This opens the Create Dashboard Panel dialog box, where you can select Single value as the visualization type for the search and determine whether the panel should be added to a new or preexisting dashboard. For more information about creating dashboards and panels, see About the Dashboard Editor.

When you go to your dashboard, the single value panel should now display either green, yellow, or red, depending on the number presented and the range that you set up for it in the search string.

For more information about working with the XML code behind single value display dashboard panels, see the Simple XML Reference entry for the <single> element.

Single value dashboard display formatting options

When you define a single value dashboard display with the Visualization Editor, you can:

  • Provide a panel title.
  • Set up text that goes before and after the displayed number. For example:

[Image: single value display with text before and after the number]
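The rangemap procedure above and the before/after text option come together in the simple XML behind a single value panel. The following dashboard is an added example, not code from the Splunk documentation; it uses the page's own splunkd error search and the Splunk 6.0 simple XML options for the <single> element. The panel and dashboard names and the one-hour time range are assumptions.

```xml
<dashboard>
  <label>splunkd errors</label>
  <row>
    <single>
      <title>splunkd errors in the last hour</title>
      <!-- rangemap adds a "range" field whose value is low, elevated or severe -->
      <searchString>index=_internal source="*splunkd.log" log_level="error" | stats count as errors | rangemap field=errors low=0-3 elevated=4-20 default=severe</searchString>
      <!-- Assumed time range -->
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <!-- The field shown as the large number -->
      <option name="field">errors</option>
      <!-- The field that drives the colour: low = green, elevated = yellow, severe = red -->
      <option name="classField">range</option>
      <!-- Text placed before and after the number -->
      <option name="beforeLabel">Errors:</option>
      <option name="afterLabel">in the last hour</option>
    </single>
  </row>
</dashboard>
```

Without the classField option the panel shows the number but no colour, even though rangemap has added the range field to the result; that option is what ties the search's range value to the panel's colour class.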

About gauges

Splunk provides three types of gauge visualizations: radial, filler, and marker.

Gauge visualizations map a single numerical value against a range of colors that may have particular business meaning or logic. As the value changes over time, the gauge marker changes position within this range. Gauges are designed to provide an especially dynamic visualization for real-time searches, where the value returned fluctuates as events are returned, causing the gauge marker to visibly bounce back and forth within the range as you watch it.

The various gauge examples below have the same base search. It is:

index=_internal source="*splunkd.log" log_level="error" | stats count as errors

Radial gauge

The radial gauge type looks essentially like a speedometer or pressure valve gauge. It has an arced range scale and a rotating needle. The current value of the needle is displayed at the bottom of the gauge (in the case of the example below, the value is 19). If the value falls below or above the specified minimum or maximum range, the needle "flutters" at the upper (or lower) boundary, as if it is straining to move past the limits of the range.

Here's an example of the "shiny" version of the radial gauge:

[Image: radial gauge, shiny style]

And here's what the "minimal" version of the radial gauge looks like:

[Image: radial gauge, minimal style]

Filler gauge

The filler gauge is similar in appearance to a thermometer, with a liquid-like filler indicator that changes color as it rises and passes gauge range boundaries. So imagine you have set up three ranges, colored green, yellow, and red from bottom to top: the liquid will appear to be green when it is near the bottom, yellow when it reaches the midpoint boundary, and red when it gets to the top. The current value of the gauge fill is displayed at the left side of the filler indicator.

[Image: filler gauge, partly filled]

The filler gauge is oriented vertically by default but can be oriented horizontally through custom charting configuration.

Marker gauge

The marker gauge is a linear version of the filler gauge. It is already "filled"; a gauge marker rests at the value returned by the search. If the gauge is displaying the results of a real-time search, the marker can appear to slide back and forth across the range as the returned value fluctuates over time. If the returned value falls outside of the upper or lower ranges of the marker gauge, the marker appears to vibrate at the upper (or lower) boundary, as if it is straining to move past the limits of the range.

[Image: marker gauge]

The marker gauge is oriented vertically by default but can be oriented horizontally through custom charting configuration.

Marker gauges have display issues with numbers exceeding 3 digits in length. To manage this, you can set up a search that divides a large number by a factor that reduces it to a smaller number. For example, if the value returned is typically in the tens of thousands, set your search up so the result is divided by 1000. Then a result of 19,100 becomes 19.1.

You can also deal with large numbers by setting the chart configuration options so the range is expressed as a percentage. For more about that, see the next subsection.

Formatting gauge visualizations using Splunk Web

All of Splunk's UI-based visualization definition options enable you to define how your gauges appear. You have the most formatting options when you use the dashboard Visualization Editor to set up a gauge in a dashboard panel. The Visualization Editor enables you to:

  • Provide a title for the panel.
  • Define the size and number of the ranges that make up the overall gauge. For example, you could have a gauge that starts at 0, ends at 100, and is made up of four ranges that span 0-25, 26-50, 51-75, and 76-100. Or you could have a gauge that starts at 1000, ends at 3000, and is made up of several smaller ranges.
  • Set the colors for each range. By default the first three ranges are green, yellow, and red, but you can change them to whatever you want, and add or subtract ranges as you see fit.
  • Determine whether the gauge style is shiny or minimal. For example, the shiny version of the radial gauge is designed to look something like a real radial machine gauge, with a metallic-looking dial and black background. The minimal radial gauge, on the other hand, is a stripped-down, "flat" version of the radial gauge design.

Note: When you are formatting gauge visualizations through the Visualization Editor, you can have it define color ranges automatically (by using values defined in the search string in conjunction with the gauge command--see below) or manually (by using settings defined in the Visualization Editor).

For more information about using the Visualization Editor to format dashboard panel visualizations, see the topic Edit visualizations in this manual.

Splunk's other visualization definition options--the Report Builder, the Advanced Charting view, and the results area of the Search App only provide the ability to give titles to gauge visualizations. By default they'll create a gauge with three ranges: 1-30, 31-70, and 71-100. These ranges are colored green, yellow, and red, respectively. To set up different gauge ranges with these visualization definition options, you'll need to update the underlying search with the gauge search command, as defined in the following subtopic.

Setting gauge ranges with the gauge command

When you're using a visualization definition option other than the dashboard Visualization Editor, you'll need to use the gauge command to set custom ranges for a gauge visualization.

The gauge command only enables you to set the gauge ranges; Splunk assigns colors to each range automatically. With gauge, you indicate the field whose value will be tracked by the gauge. Then you add "range values" to the search string that indicate the beginning and end of the range as well as the relative sizes of the color bands within it.

For example, to set up a gauge that tracks a hitcount field value with the ranges 100-119, 120-139, 140-159, 160-179, and 180-200 you would add this to your search string:

...| gauge hitcount 100 120 140 160 180 200

Splunk chooses default colors for these ranges (the first three are always green, yellow, and red).

Note: If you do not include the gauge command in your search (or do use it but fail to include range values along with it), Splunk inserts default range values of 0 30 70 100 when it generates the gauge visualization.
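The two ways of setting gauge ranges described above, the gauge command in the search string and the Visualization Editor settings, both end up as simple XML chart options. The dashboard below is an added example and not code from the Splunk documentation; it uses the page's splunkd error search and per_sourcetype_thruput search with the Splunk 6.0 simple XML chart options for gauges. The hex colour values, the range boundaries and the time ranges are assumptions chosen for illustration.

```xml
<dashboard>
  <label>splunkd error gauges</label>
  <row>
    <chart>
      <title>Errors, radial gauge, ranges from the gauge command</title>
      <!-- gauge sets the range boundaries in the search: 0-30, 30-70, 70-100 -->
      <searchString>index=_internal source="*splunkd.log" log_level="error" | stats count as errors | gauge errors 0 30 70 100</searchString>
      <earliestTime>-60m</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">radialGauge</option>
      <!-- "shiny" is the metallic dial on black; "minimal" is the flat version -->
      <option name="charting.chart.style">minimal</option>
      <!-- One colour per range, in order; assumed hex values for green, yellow, red -->
      <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xBF3030]</option>
    </chart>
  </row>
  <row>
    <chart>
      <title>Indexed volume (thousands of KB), marker gauge</title>
      <!-- Marker gauges have trouble with values over three digits, so the search
           divides by 1000 and keeps only the scaled field for the gauge to read -->
      <searchString>index=_internal per_sourcetype_thruput | stats sum(kb) as kb | eval kb_thousands = round(kb / 1000, 1) | fields kb_thousands</searchString>
      <earliestTime>-15m</earliestTime>
      <latestTime>now</latestTime>
      <option name="charting.chart">markerGauge</option>
      <!-- Ranges set in XML instead of with the gauge command: four bands from 0 to 100 -->
      <option name="charting.chart.rangeValues">[0,25,50,75,100]</option>
      <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xFF9000,0xBF3030]</option>
    </chart>
  </row>
</dashboard>
```

The first panel leaves the ranges to the search and only picks colours and style in the XML; the second keeps the search free of gauge and sets the ranges as a chart option, which is what the Visualization Editor writes when you define ranges manually.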

Maps

Splunk provides a map visualization that lets you plot geographic coordinates as interactive markers on a world map. Searches for map visualizations should use the geostats search command to plot markers on a map. The geostats command is similar to the stats command, but provides options for zoom levels and cells for mapping. Events generated from the geostats command include latitude and longitude coordinates for markers.

For information on the geostats command, see geostats in the Search Reference.

The map visualization can only be implemented using the <map> element in simple XML. For more information, see the <map> element entry in the simple XML Reference.

[Image: map visualization with markers over Italy]
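Since the map visualization exists only as the simple XML <map> element, here is an added example of one, not taken from the Splunk documentation. It reuses the USGS earthquake source from the sparkline and scatter examples; the Latitude and Longitude field names, the map centre, zoom level and time range are assumptions (the real USGS CSV uses different field names, as the page notes).

```xml
<dashboard>
  <label>Earthquake map</label>
  <row>
    <map>
      <title>Magnitude 2.5+ quakes, last 7 days</title>
      <!-- geostats groups events into map cells and emits latitude/longitude per marker;
           latfield and longfield name the coordinate fields in the events (assumed names) -->
      <searchString>source=usgs | geostats latfield=Latitude longfield=Longitude count</searchString>
      <earliestTime>-7d</earliestTime>
      <latestTime>now</latestTime>
      <!-- Initial view: (latitude, longitude) of the map centre and the zoom level (assumed values) -->
      <option name="mapping.map.center">(37.0,-120.0)</option>
      <option name="mapping.map.zoom">5</option>
    </map>
  </row>
</dashboard>
```

The same panel works for any search that yields coordinate fields; the geostats command, not the XML, decides what each marker counts.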

Additional visualization options

The following Splunk visualizations are not available using Splunk Web tools or simple XML. These visualizations require that you use advanced XML and Splunk's modules system.

  • Bubble charts
  • Histograms
  • Range marker charts
  • Ratio bar charts
  • Value marker charts

You can use bubble charts to show trends and the relative importance of discrete values in your data. The size of a bubble indicates a value's relative importance. It represents a third dimension on top of the x-axis and y-axis values that plot the bubble's position on the chart. This dimension determines the bubble's size relative to the others in the chart.

Range marker charts and value marker charts are designed to work as overlays on top of bar, column, line, or area charts.

For more information about these chart types, the data structures required to support them, and their view XML properties, see the Custom Chart Reference.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15


Comments

Sorry, I found the answer already. I should put those lines below in the XML.

range
DATA_STAGE_percentage_used

Thanks

Akram
October 6, 2013

Hi,

I'm working on visualization for Single Value. In previous version of Splunk 5.0.5, my rangemap appear color to differentiate the range value, however after I upgrade to Splunk 6, it doesn't show the color. It still uses the same search which is " | rangemap field=count low=0-1 elevated=2-5 default=severe ". Please help.

Akram
October 6, 2013
