Splunk® Enterprise

Search Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About transforming commands and searches

This topic discusses how to create reports using transforming searches. A transforming search is a search that uses transforming commands to transform event data returned by a search into statistical data tables required for charts and other kinds of data visualizations.

A transforming command primer

This subsection covers the major categories of transforming commands and provides examples of how they can be used in a search.

The primary transforming commands are:

  • chart: used to create charts that can display any series of data that you want to plot. You can decide what field is tracked on the x-axis of the chart.
  • timechart: used to create "trend over time" reports, which means that _time is always the x-axis.
  • top: generates charts that display the most common values of a field.
  • rare: creates charts that display the least common values of a field.
  • stats, eventstats, and streamstats: generate reports that display summary statistics.
  • associate, correlate, and diff: create reports that enable you to see associations, correlations, and differences between fields in your data.

Note: As you'll see in the following examples, you always place your transforming commands after your search commands, linking them with a pipe operator ("|").

chart, timechart, stats, eventstats, and streamstats are all designed to work in conjunction with statistical functions. The list of available statistical functions includes:

  • count, distinct count
  • mean, median, mode
  • min, max, range, percentiles
  • standard deviation, variance
  • sum
  • first occurrence, last occurrence

To find more information about statistical functions and how they're used, see "Functions for stats, chart, and timechart" in the Search Reference Manual. Some statistical functions only work with the timechart command.

Note: All searches with transforming commands generate specific structures of data. The different chart types available in Splunk require these data structures to be set up in particular ways. For example not all searches that enable the generation of bar, column, line, and area charts also enable the generation of pie charts. Read the "Data structure requirements for visualizations" topic in the Splunk Data Visualizations Manual to learn more.

Real-time reporting

You can use Splunk's real-time search to calculate metrics in real-time on large incoming data flows without the use of summary indexing. However, because you are reporting on a live and continuous stream of data, the timeline will update as the events stream in and you can only view the table or chart in preview mode. Also, some search commands will be more applicable (for example, streamstats and rtorder) for use in real-time.

PREVIOUS
Change the format of subsearch results
  NEXT
Create time-based charts

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters