Splunk® Enterprise

Dashboards and Visualizations

Visualization Reference

Splunk provides a number of options for search result visualizations. Along with the straightforward "event listing" visualization, you can see event data presented in the form of tables and charts (such as column, line, area, and pie charts). For searches that return a single, discrete, numerical value, you can visualize it with a variety of gauge and single value displays.

Visualization options can be limited if the search does not return data in a structure supported by the visualization. For example, you need a transforming command (such as stats, timechart, or top) to return search results in a data structure that supports both tables and chart visualizations (such as column, bar, line, area, and pie charts). For more information, see Data structure requirements for visualizations in this manual.

For more information about building searches with transforming commands, see About transforming commands and searches in the Search Manual.

Accessing Splunk's visualization definition features

Splunk provides user interface tools to create and modify visualizations. You can access these tools from various places in Splunk Web.

  • Search
  • Dashboards
  • Dashboard visual editor
  • Pivot
  • Reports

You can also create and modify visualizations directly in simple XML code.

Visualizations from Splunk Search

You can modify how Splunk displays search results in the Search page. After running a search, select the Visualization tab, then select the type of visualization to display and specify formatting options for the selected visualization. The search must be a reporting search that returns results that can be formatted as a visualization.

See Edit visualizations for information on editing Splunk visualizations.

Dashboard panel visualizations

When you base a new dashboard panel on search results you can choose the visualization that best represents the data returned by the search. You can then use the Visualization Editor to fine-tune the way the panel visualization displays.

To create a dashboard panel from search results, after you run the search click Save As > Dashboard Panel. For more information about creating and editing dashboards, see About the Dashboard Editor and Edit visualizations.

Dashboard Editor

You can create and edit visualizations with the Dashboard Editor, an interactive visual editor. For more information, see About the Dashboard Editor.

Events visualizations

Events visualizations are essentially raw lists of events.

You can get events visualizations from any search that does not include a transforming operation, that is, one that does not use reporting commands such as stats, chart, timechart, top, or rare. For example, if you just search for a set of terms and field values, you end up with a list of events:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )

(Image: event list example)

If you add a transforming command to that search, you get statistical results that can be presented either as a table or a chart:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) | stats count by host

(Image: event list after adding a transforming command)

With event listing visualizations, you can:

  • Determine the number of events listed.
  • Determine whether numbers appear to the left of each event.
  • Have event text wrap to fit within the dashboard panel.

Tables

You can generate table visualizations from just about any search. However, searches that include transform operations, such as stats, chart, and timechart, generate the more interesting tables.

The following example shows a table for a hypothetical flower company. The table tracks price differences between its products and those of its hypothetical competitor. The following search generates data for the table:

sourcetype=access_* | stats values(product_name) as product by price, flowersrus_price | eval difference = price - flowersrus_price | table product, difference

(Image: table with heat map overlay)

The cells in the difference column display shades of color. The table uses a heat map for a data overlay. The high values are red while the low values are blue. In this example, products that have a higher price than the competitor are shades of red, while products that are less expensive are shades of blue.

For table visualizations you can do the following:

  • Set the number of table rows that are displayed.
  • Display row numbers.
  • Add data overlays that provide additional visual information, such as heat maps or high/low value indicators.

If you are formatting tables in dashboards with the Visualization Editor you can additionally determine how drilldown works for them. You can enable drilldown by row or by cell, or disable drilldown for the table entirely. For more information about drilldown functionality, see Understand basic table and chart drilldown actions in this manual.

Sparklines in tables

You can configure table visualizations to display sparklines. Sparklines show hidden patterns in your data that might otherwise be hard to identify in your table results. They can increase the usefulness and overall information density of tables in reports and dashboards.

To use sparklines, your underlying search has to use the stats or chart transforming commands. You add the sparkline function to those commands to add a sparkline column to the table. See Add Sparklines to your search results in the Search Manual.

The following sparkline example runs off of this search, which looks at USGS earthquake data. You can download a current CSV file from the USGS Earthquake Feeds and add it as an input to Splunk, but the field names and format can differ from the example shown here. In this case, the data shows all magnitude 2.5+ quakes recorded over a given 7-day period, worldwide:

source=usgs | stats sparkline(avg(Magnitude),6h) as magnitude_trend, count, avg(Magnitude) by Region | sort count

The search displays the top 10 regions according to the total count of quakes experienced per region over that period. The sparkline in the resulting table illustrates the trend in earthquake magnitude over the course of that week for each of the top earthquake regions. The example also demonstrates how you can mouse over a sparkline to read values at specific points along its length.
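As an added example that is not from this manual, here is a simple XML dashboard with two table panels: the flower-price table with the heat map overlay, row numbers and cell drilldown described under Tables, and the earthquake sparkline table, which needs no extra panel option because the sparkline column comes from the search itself. The option names are the simple XML table properties as I know them for 6.x releases; the panel titles and time ranges are my own.

```xml
<dashboard>
  <label>Table visualization examples</label>
  <row>
    <panel>
      <title>Price difference versus competitor (heat map overlay)</title>
      <table>
        <search>
          <query>sourcetype=access_* | stats values(product_name) as product by price, flowersrus_price | eval difference = price - flowersrus_price | table product, difference</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <!-- number of table rows shown per page -->
        <option name="count">20</option>
        <!-- show a row number to the left of each row -->
        <option name="rowNumbers">true</option>
        <!-- data overlay: none | heatmap | highlow -->
        <option name="dataOverlayMode">heatmap</option>
        <!-- drilldown on click: row | cell | none -->
        <option name="drilldown">cell</option>
        <!-- wrap long cell text instead of truncating it -->
        <option name="wrap">true</option>
      </table>
    </panel>
    <panel>
      <title>Earthquake magnitude trend by region (sparkline)</title>
      <table>
        <search>
          <!-- the sparkline(...) function in stats adds the sparkline column; no panel option is needed -->
          <query>source=usgs | stats sparkline(avg(Magnitude),6h) as magnitude_trend, count, avg(Magnitude) by Region | sort count</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="count">10</option>
        <option name="rowNumbers">false</option>
        <!-- high/low markers on the numeric columns instead of a heat map -->
        <option name="dataOverlayMode">highlow</option>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```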

(Image: sparkline table of earthquake magnitude trends by region)

Charts

Splunk provides a variety of chart visualizations, such as column, line, area, scatter, and pie charts. These visualizations require transforming searches whose results involve one or more series.

A series is a sequence of related data points that can be plotted on a chart. For example, each line plotted on a line chart represents an individual series. You can design transforming searches that produce a single series, or you can set them up so the results provide data for multiple series.

Consider a table that a transforming search generates. Each column in the table after the first column represents a different series. A "single series" search produces a table with only two columns, while a "multiple series" search produces a table with three or more columns.

All chart visualizations can display single-series searches. However, the bar, column, line, and pie chart visualizations usually display the data best. Pie charts can only display data from single-series searches.

If a search produces multiple series, bar, column, line, area, and scatter chart visualizations display the data best.

See Data structure requirements for visualizations in this manual for more information.

Column and bar charts

Use a column chart or bar chart to compare the frequency of values of fields in your data. In a column chart, the x-axis values are typically field values. If the search uses the timechart transforming command, the x-axis represents time. The y-axis can be any other field value, count of values, or statistical calculation of a field value. Column charts and bar charts represent data similarly, except that the x-axis and y-axis values are reversed. For more information, see the Data structure requirements for visualizations in this manual.

The following bar chart presents the results of a search that uses internal metrics. It calculates the sum of CPU seconds by processor in the last 15 minutes. It then arranges the processors with the top ten sums in descending order. This example also shows how you can mouse over a single bar or column to get detailed information.

The following search drives the bar chart visualization.

index=_internal "group=pipeline" | stats sum(cpu_seconds) as totalCPUSeconds by processor | sort 10 totalCPUSeconds desc

(Image: bar chart of CPU seconds by processor)

For column and bar chart visualizations, you can do the following:

  • Set the chart titles, as well as the titles of the x-axis and y-axis.
  • Set the minimum value for the y-axis.
  • Set the unit scale to logarithmic values
    Logarithmic values are useful with a mix of very small and very large y-axis values. See Edit visualizations in this manual for more information.
  • Configure charts as stacked, 100% stacked, and unstacked.
    Bar and column charts are unstacked by default. See the following subsection for details on stacking bar and column charts.
  • Set the major unit for the y-axis
    For example, configure tick marks in units that work best for your data.
  • Determine the position of the chart legend and the manner in which the legend labels are truncated.

Stacked column and bar charts

When a base search involves more than one data series, you can use stacked column charts and stacked bar charts to compare the frequency of field values in your data.

Unstacked charts

In an unstacked column chart, the columns for different series appear alongside each other. An unstacked column chart is useful for relatively simple search results. But when the series count increases an unstacked column chart can appear cluttered and confusing.

Stacked charts

A stacked column chart displays all the series columns for a single data point as segments of a single column. The total value of the column is the sum of the segments. You typically use a stacked column or bar chart to highlight the relative weight, or importance, of the different types of data that make up a specific data set.

The following example illustrates the customer views of pages in a website of a hypothetical flower store. It breaks out page views by product category over a 7 day period.

The following search drives the data in the example. The usage of the fields command in the search ensures that the chart only displays counts of events with a product category ID. It excludes events without a category ID, categorized as null in the search results.

sourcetype=access_* method=GET | timechart count by categoryId | fields _time BOUQUETS FLOWERS GIFTS SURPRISE TEDDY

(Image: stacked column chart of page views by product category)

100 per cent stacked charts

A chart set to 100% stacked lets you compare data distributions within a column or bar chart by percentage of the column or bar size. Each segment of data in the column or bar represents the percentage of all the data available.

Stacked 100% is useful to better see data distributions between segments in a column or bar chart that contains a mix of very small and very large segments.
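The stacked and 100% stacked modes above, as an added simple XML example that is not part of this manual: two chart panels over the same flower-store page view search, one stacked column chart of absolute counts and one 100% stacked bar chart of shares. The stackMode option name and its values are the simple XML charting properties as I know them for 6.x releases; the panel titles and time range are my own.

```xml
<dashboard>
  <label>Flower store page views by category</label>
  <row>
    <panel>
      <title>Stacked: page views per category (absolute)</title>
      <chart>
        <search>
          <!-- the fields command keeps only the named category columns, so
               events with no categoryId (the NULL column) are not charted -->
          <query>sourcetype=access_* method=GET | timechart count by categoryId | fields _time BOUQUETS FLOWERS GIFTS SURPRISE TEDDY</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <!-- stack mode: default (unstacked) | stacked | stacked100 -->
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
    <panel>
      <title>100% stacked: share of page views per category</title>
      <chart>
        <search>
          <query>sourcetype=access_* method=GET | timechart count by categoryId | fields _time BOUQUETS FLOWERS GIFTS SURPRISE TEDDY</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
        <!-- a bar chart is the same data with the x-axis and y-axis swapped -->
        <option name="charting.chart">bar</option>
        <!-- each bar is normalised to 100%, so small segments stay comparable -->
        <option name="charting.chart.stackMode">stacked100</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</dashboard>
```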

Line and area charts

You typically use line and area charts to show data trends over time. However, you can use the x-axis to represent any field value other than time. If your chart includes more than one series, a different color represents each line or area.

The following search drives the example line chart.

index=_internal | timechart count by sourcetype

(Image: line chart of event count by sourcetype)

Shaded areas in area charts can help emphasize quantities. The following search drives the area chart in the example:

index=_internal source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_hist_searches) as "Historical Searches" max(active_realtime_searches) as "Real-time Searches"

(Image: area chart of historical and real-time search concurrency)

With line and area charts, you can do the following:

  • Set the chart titles, as well as the titles of the x-axis and y-axis.
  • Determine how to display null y-axis values.
    You can leave gaps for null data points, connect null points to zero, or connect to the next positive data point. If you choose to leave gaps, the chart displays markers for data points that are disconnected, that is, not adjacent to other positive data points.
  • Set the minimum y-axis value.
  • Set the unit scale to logarithmic values
    Logarithmic values are useful with a mix of very small and very large y-axis values. See Edit visualizations in this manual for more information.
  • Set the major unit for the y-axis
    For example, configure tick marks in units that work best for your data.
  • Determine the position of the chart legend and the manner in which the legend labels are truncated.

Stacked line and area charts

Stacked line and area charts are similar to stacked column and bar charts. Stacked line and area charts are useful when charting several series, making it easier to see how each data series relates to the entire set of data as a whole.

The following search drives the data in the stacked area chart example. The example also illustrates mousing over a data point for detailed information.

index=_internal per_sourcetype_thruput | timechart sum(kb) by series useother=f

(Image: stacked area chart of throughput by sourcetype)

Pie chart

Use a pie chart to show the relationship of parts of your data to the entire set of data as a whole. The size of a slice in a pie graph shows the value of the data represented by the slice as a percentage of the sum of all values.

The following pie chart presents the views by referrer domain for a hypothetical online store for the previous day. You can mouse over individual pie chart slices to view details.

(Image: pie chart of views by referrer domain)

When you define the properties of pie charts you can set the chart title. If you are formatting pie charts in dashboards with the Visualization Editor, you can additionally do the following:

Scatter chart

Use a scatter chart, also known as scatter plot, to show trends in the relationships between discrete values of data. Generally, a scatter plot shows discrete values that do not occur at regular intervals or belong to a series. This differs from a line graph, which usually plots a regular series of points.

The following example uses USGS earthquake data to illustrate scatter charts. The data derives from a CSV file that highlights all magnitude 2.5+ quakes recorded over a given 7-day period, worldwide. You can download a current CSV file from the USGS Earthquake Feeds and input to a Splunk Enterprise instance. The field names and format can differ from the example shown here.

The search in this example restricts the data to California earthquakes, plotted by magnitude and quake depth. The chart highlights that the majority of quakes recorded during this period were fairly shallow. The exception is one quake that was about 27 meters deep. None of the quakes exceeded a magnitude of 4.0.

The following search generates the data for the scatter example. The Region field populates the legend of the chart. The Magnitude and Depth fields become the x-axis and y-axis respectively. When you use the table command, the fields following the command must return numeric data.

source=usgs Region=*California | table Region Magnitude Depth | sort Region

(Image: scatter chart of California earthquakes by magnitude and depth)

For more information about the data structures that scatter charts require, see the Data structure requirements for visualizations in this manual.

For a scatter chart, you can do the following:

  • Set the chart titles, as well as the titles of the x-axis and y-axis.
  • Determine how to display null y-axis values.
    You can leave gaps for null data points, connect null points to zero, or connect to the next positive data point. If you choose to leave gaps, the chart displays markers for data points that are disconnected, that is, not adjacent to other positive data points.
  • Set the minimum y-axis value.
  • Set the unit scale to logarithmic values
    Logarithmic values are useful with a mix of very small and very large y-axis values. See Edit visualizations in this manual for more information.
  • Set the major unit for the y-axis
    For example, configure tick marks in units that work best for your data.
  • Configure the position of the chart legend and the manner in which the legend labels are truncated.
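The axis, null-value and legend options listed for column and bar charts, line and area charts, and scatter charts are the same simple XML charting properties; as an added example that is not from this manual, here they are on the search concurrency search from the area chart section, once on a linear axis with a fixed tick unit and once on a logarithmic axis. Option names are the simple XML charting properties as I know them for 6.x releases; the titles, time range and tick unit are my own choices.

```xml
<dashboard>
  <label>Search concurrency</label>
  <row>
    <panel>
      <title>Linear scale, fixed tick spacing, gaps for null points</title>
      <chart>
        <search>
          <query>index=_internal source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_hist_searches) as "Historical Searches" max(active_realtime_searches) as "Real-time Searches"</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <!-- how null y values are drawn: gaps | zero | connect -->
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.axisY.minimumNumber">0</option>
        <!-- major unit: one tick mark every 5 concurrent searches -->
        <option name="charting.axisY.majorUnit">5</option>
        <option name="charting.axisTitleX.text">Time</option>
        <option name="charting.axisTitleY.text">Concurrent searches</option>
        <option name="charting.legend.placement">bottom</option>
        <!-- how long legend labels are shortened:
             ellipsisEnd | ellipsisMiddle | ellipsisStart | ellipsisNone -->
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      </chart>
    </panel>
    <panel>
      <title>Logarithmic scale for a mix of small and large values</title>
      <chart>
        <search>
          <query>index=_internal source=*metrics.log group=search_concurrency "system total" NOT user=* | timechart max(active_hist_searches) as "Historical Searches" max(active_realtime_searches) as "Real-time Searches"</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">area</option>
        <!-- a value of 0 cannot be placed on a log axis, so start the axis at 1
             and connect null points to the next point rather than to zero -->
        <option name="charting.axisY.scale">log</option>
        <option name="charting.axisY.minimumNumber">1</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
  </row>
</dashboard>
```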

Single-value visualizations

Single value displays and gauges display the results of a transforming search that returns a single value. For example, a search that returns the total count of events for a specific set of search criteria. The following search returns the total number of errors for a Splunk Enterprise instance over the past hour:

index=_internal source="*splunkd.log" log_level="error" | stats count as errors

There are various ways to make searches return a single value. One example is to combine the top command with head=1.

Caution: Be careful to use searches that return single values. When you design dashboard visualizations in the Dashboard Editor, you can select single value visualizations even if the search returns multiple values. In this case, the single value visualization uses the value in the first cell of the results table, which may not be what you plan to show.

For more information on the data structure requirements of single value visualizations, see the Data structure requirement for visualizations topic in this manual.

Single value visualization

The single value visualization displays the result of a search that returns a single numerical value. If you base the visualization on a real-time search that returns a single value, the number displayed changes as the search interprets incoming data.

(Image: single value display with before and after text)

You can configure a single value display visualization to change color depending on where the returned value falls within a defined range. Use the rangemap search command to define the range in the underlying search. You can also configure the range map for a single value visualization with the Panel Editor. By default, a single value visualization uses the following range map configuration:

  • low: green
  • elevated: yellow
  • severe: red

The following search drives the above single value display visualization:

index=_internal source="*splunkd.log" log_level="error" | stats count as errors | rangemap field=errors low=0-3 elevated=4-20 default=severe
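The rangemap-driven single value above, as an added simple XML example that is not from this manual: the panel colours the number using the range field that rangemap adds to the result row. The classField, beforeLabel and afterLabel option names are the simple XML single value properties as I know them for 6.x releases; the label text and time range are my own.

```xml
<dashboard>
  <label>splunkd errors</label>
  <row>
    <panel>
      <title>Error count, last hour</title>
      <single>
        <search>
          <!-- stats count always returns exactly one row, so the panel never has to
               guess which cell to show; rangemap adds a field named "range" whose
               value is low, elevated or severe -->
          <query>index=_internal source="*splunkd.log" log_level="error" | stats count as errors | rangemap field=errors low=0-3 elevated=4-20 default=severe</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
        <!-- colour the displayed value by the range field (green / yellow / red) -->
        <option name="classField">range</option>
        <!-- text shown before and after the number -->
        <option name="beforeLabel">Errors:</option>
        <option name="afterLabel">in the last hour</option>
      </single>
    </panel>
  </row>
</dashboard>
```

If the base search is a top or similar command that can return several rows, append head 1 so the first cell is the value you intend to show rather than whatever happens to sort first.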

For a single value visualization, you can do the following:

About gauges

Splunk provides three types of gauge visualizations: radial, filler, and marker.

Gauge visualizations map a single numerical value against a range of colors that may have particular business meaning or logic. Gauges use range maps, as described in the single value visualization, to define color ranges. As a value changes over time, the gauge marker changes position within this range. Gauges provide an especially dynamic visualization for real-time searches, where the value returned fluctuates as events are returned, causing the gauge marker to visibly bounce back and forth within the range as you watch it.

The various gauge examples below use the same base search:

index=_internal source="*splunkd.log" log_level="error" | stats count as errors

Radial gauge

The radial gauge type looks essentially like a speedometer or pressure valve gauge. It has an arced range scale and a rotating needle. The current value of the needle displays at the bottom of the gauge. In the example below, the value is 19. If the value falls below or above the specified minimum or maximum range, the needle "flutters" at the upper or lower boundary, as if it is straining to move past the limits of the range.

The following examples show the "shiny" and "minimal" versions of the radial gauge:

(Images: shiny and minimal radial gauge examples)

Filler gauge

The filler gauge is similar in appearance to a thermometer, with a liquid-like filler indicator that changes color as it rises and passes gauge range boundaries. Use a range map, as described for a single value visualization, to define the display color of the filler gauge.

By default, the filler gauge displays vertically. You can configure a horizontal display of the filler gauge.

(Image: filler gauge example)

Marker gauge

The marker gauge is a linear version of the filler gauge that is already "filled." A gauge marker rests at the value returned by the search. If the gauge is displaying the results of a real-time search, the marker can appear to slide back and forth across the range as the returned value fluctuates over time. If the returned value falls outside of the upper or lower ranges of the marker gauge, the marker appears to vibrate at the upper or lower boundary, as if it is straining to move past the limits of the range.

(Image: marker gauge example)

By default, the marker gauge displays vertically. You can configure a horizontal display of the marker gauge.

Marker gauges have display issues with numbers exceeding 3 digits in length. To manage this, you can set up a search that divides a large number by a factor that reduces it to a smaller number. For example, if the value returned is typically in the tens of thousands, set your search so the result is divided by 1000. Then a result of 19,100 becomes 19.1.

You can also deal with large numbers by setting the chart configuration options to return the range as a percentage.

Configure gauge visualizations using Splunk Web

You can use the Visualization Editor to configure a gauge in a dashboard panel. The Visualization Editor lets you configure the following:

  • Provide a title for the panel.
  • Define the size and number of the ranges that make up the overall gauge.
    For example, you could have a gauge that starts at 0, ends at 100, and is made up of four ranges that span 0-25, 26-50, 51-75, and 76-100. Or you could have a gauge that starts at 1000, ends at 3000, and is made up of several smaller ranges.
  • Set the colors for each range.
    By default the first three ranges are green, yellow, and red. You can customize the colors and add or subtract ranges as needed.
  • Configure whether the gauge style is shiny or minimal.
    For example, the shiny version of the radial gauge models the look of a real radial machine gauge with a metallic-looking dial and black background. The minimal radial gauge, on the other hand, is a stripped-down, "flat" version of the radial gauge design.

When you format gauge visualizations through the Visualization Editor, you can define color ranges automatically. Do this by using values defined in the search string in conjunction with the gauge command. You can customize default settings that the Visualization Editor provides.

For more information about using the Visualization Editor to format dashboard panel visualizations, see the topic Edit visualizations in this manual.

Other visualization definition options are the Report Builder, the Advanced Charting view, and the results area of the Search App. These options only provide the ability to give titles to gauge visualizations. By default they create a gauge with the following three ranges:

  • 1-30: green
  • 31-70: yellow
  • 71-100: red.

To set up different gauge ranges with these visualization definition options, update the underlying search with the gauge search command.

Setting gauge ranges with the gauge command

You can use the search gauge command to set custom ranges for a gauge visualization.

The gauge command lets you set the gauge ranges using default colors. The default three colors, in order of the ranges, are green, yellow, and red. With gauge, you indicate the field to track with the gauge. Then add "range values" to the search string to indicate the beginning and end of the range as well as the relative sizes of the color bands within it.

For example, to set up a gauge that tracks a hitcount field value with the ranges 100-119, 120-139, 140-159, 160-179, and 180-200, add this to your search string:

...| gauge hitcount 100 120 140 160 180 200

If you do not include the gauge command in your search, or include it but do not specify range values with it, the range values default to these values: 0 30 70 100.
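The two ways of setting gauge ranges described in this section and in Configure gauge visualizations using Splunk Web, as an added simple XML example that is not from this manual: the first panel takes its ranges from the gauge command in the search, the second sets ranges and colours in the panel options, including five colour bands like the hitcount example. Option names are the simple XML charting properties as I know them for 6.x releases; the range boundaries, colours, orientation and titles are my own choices.

```xml
<dashboard>
  <label>splunkd error gauges</label>
  <row>
    <panel>
      <title>Radial gauge, ranges from the gauge command</title>
      <chart>
        <search>
          <!-- gauge <field> <range values>: four boundaries give three bands,
               coloured green, yellow and red by default -->
          <query>index=_internal source="*splunkd.log" log_level="error" | stats count as errors | gauge errors 0 5 20 50</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">radialGauge</option>
        <!-- gauge style: shiny | minimal -->
        <option name="charting.chart.style">minimal</option>
      </chart>
    </panel>
    <panel>
      <title>Filler gauge, five bands set in XML</title>
      <chart>
        <search>
          <query>index=_internal source="*splunkd.log" log_level="error" | stats count as errors</query>
          <earliest>-60m</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">fillerGauge</option>
        <!-- display horizontally instead of the vertical default -->
        <option name="charting.chart.orientation">x</option>
        <!-- six boundaries give five bands: 0-3, 3-20, 20-50, 50-100, 100-200 -->
        <option name="charting.chart.rangeValues">[0,3,20,50,100,200]</option>
        <!-- one colour per band, in range order -->
        <option name="charting.gaugeColors">[0x84E900,0xFFE800,0xFF9E00,0xBF3030,0x8B0000]</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

A value outside the first or last boundary makes the needle or marker flutter at the edge, as described above, so size the outer ranges to cover the values the search can realistically return.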

Maps

Splunk Enterprise provides a map visualization that lets you plot geographic coordinates as interactive markers on a world map. Searches for map visualizations typically use the geostats search command to plot markers on a map. The geostats command is similar to the stats command, but provides options for zoom levels and cells for mapping. The geostats command generates events that include latitude and longitude coordinates for markers.

(Image: map visualization with markers over Italy)

Additional visualization options

The following Splunk visualizations are not available using Splunk Web tools or simple XML. These visualizations require advanced XML and the module system of the Splunk Web Framework.

  • Bubble charts
  • Histograms
  • Range marker charts
  • Ratio bar charts
  • Value marker charts

You can use bubble charts to show trends and the relative importance of discrete values in your data. The size of a bubble indicates a value's relative importance. It represents a third dimension on top of the x-axis and y-axis values that plot the bubble's position on the chart. This dimension determines the bubble's size relative to the others in the chart.

Range marker charts and value marker charts are designed to work as overlays on top of bar, column, line, or area charts.

For more information about these chart types, the data structures required to support them, and their view XML properties, see the Custom Chart Reference.

This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13
