About transforming commands and searches
This topic discusses how to create reports using transforming searches. A transforming search is a search that uses transforming commands to transform event data returned by a search into statistical data tables required for charts and other kinds of data visualizations.
A transforming command primer
This subsection covers the major categories of transforming commands and provides examples of how they can be used in a search.
The primary transforming commands are:
- chart: creates charts that can display any series of data that you want to plot. You decide which field is tracked on the x-axis of the chart.
- timechart: creates "trend over time" reports, in which _time is always the x-axis.
- top: generates charts that display the most common values of a field.
- rare: generates charts that display the least common values of a field.
- streamstats: generates reports that display summary statistics.
- diff: creates reports that enable you to see associations, correlations, and differences between fields in your data.
Note: As you'll see in the following examples, you always place your transforming commands after your search commands, linking them with a pipe operator ("|").
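The searches below are an added example and are not taken from the Splunk documentation. They assume a constructed index named auth with sourcetype linux_secure, in which failed SSH logins carry the extracted fields src_ip, user and host (assumed field names). Each search is independent; the lines beginning with # are annotations for the reader, not SPL, so drop them before running a search.

```spl
# chart: count of failed SSH logins per source address; src_ip becomes the x-axis
index=auth sourcetype=linux_secure "Failed password"
| chart count by src_ip

# chart with a split-by field: x-axis is src_ip, one series (column) per host.
# This multi-series table suits bar, column and line charts but not a pie chart,
# which needs a single series such as the search above.
index=auth sourcetype=linux_secure "Failed password"
| chart count over src_ip by host

# timechart: the same count bucketed per hour; with timechart the x-axis is always _time
index=auth sourcetype=linux_secure "Failed password"
| timechart span=1h count by src_ip

# top: the ten most common source addresses, returned with count and percent columns
index=auth sourcetype=linux_secure "Failed password"
| top limit=10 src_ip

# rare: the least common user names in failed logins, which often surface typos
# or attempts against accounts that are never used legitimately
index=auth sourcetype=linux_secure "Failed password"
| rare limit=10 user
```

In every case the search terms come first and the transforming command follows the pipe; the search portion narrows the events, and the transforming command turns the matching events into a table that the visualization can draw.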
chart, timechart, and streamstats are all designed to work in conjunction with statistical functions. The list of available statistical functions includes:
- count, distinct count
- mean, median, mode
- min, max, range, percentiles
- standard deviation, variance
- first occurrence, last occurrence
To find more information about statistical functions and how they're used, see "Functions for stats, chart, and timechart" in the Search Reference Manual. Some statistical functions only work with the
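The following searches are an added example, not part of the Splunk documentation, showing several of the statistical functions listed above applied through chart and timechart. They assume the same constructed auth index (fields src_ip, user, host) and a constructed web index with sourcetype access_combined that carries a numeric bytes field; all of these names are assumptions. Lines beginning with # are annotations, not SPL.

```spl
# several functions in one chart, one row per user: how many failures, from how many
# distinct sources, the first and last time seen, and the source of the latest attempt
index=auth sourcetype=linux_secure "Failed password"
| chart count AS failures, dc(src_ip) AS sources, min(_time) AS first_seen,
        max(_time) AS last_seen, latest(src_ip) AS last_source by user
| convert ctime(first_seen) ctime(last_seen)

# numeric functions over time: average, 95th percentile, standard deviation and range
# of response size per 15-minute bucket. These functions need a numeric field such as
# bytes; applied to a string field they return nothing.
index=web sourcetype=access_combined
| timechart span=15m avg(bytes) AS avg_bytes, perc95(bytes) AS p95_bytes,
                     stdev(bytes) AS sd_bytes, range(bytes) AS range_bytes

# mode and median are useful for spotting an unusual request size mix per client
index=web sourcetype=access_combined
| chart median(bytes) AS median_bytes, mode(status) AS usual_status by clientip
```

Renaming with AS keeps the column names readable in the resulting table and chart legend, and convert ctime() turns the epoch values that min(_time) and max(_time) produce back into human-readable timestamps.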
Note: All searches with transforming commands generate specific structures of data. The different chart types available in Splunk require these data structures to be set up in particular ways. For example not all searches that enable the generation of bar, column, line, and area charts also enable the generation of pie charts. Read the "Data structure requirements for visualizations" topic in the Splunk Data Visualizations Manual to learn more.
You can use Splunk's real-time search to calculate metrics in real time on large incoming data flows without the use of summary indexing. However, because you are reporting on a live and continuous stream of data, the timeline updates as the events stream in and you can only view the table or chart in preview mode. Also, some search commands (for example, streamstats and rtorder) are more applicable to real-time search.
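The searches below are an added example, not from the Splunk documentation, of a transforming search run over a real-time window. They use the same constructed auth index and assumed field names (src_ip, user, host) as above, a five-minute real-time window expressed with the rt time modifiers, and a threshold of 20 failures chosen for illustration. Lines beginning with # are annotations, not SPL.

```spl
# real-time window covering the last five minutes: the count per source is recomputed
# and the chart preview refreshes as events arrive
index=auth sourcetype=linux_secure "Failed password" earliest=rt-5m latest=rt
| timechart span=30s count by src_ip

# streamstats keeps a running count per source as each event streams in, so the
# where clause fires on the exact event that takes a source over the threshold
index=auth sourcetype=linux_secure "Failed password" earliest=rt-5m latest=rt
| streamstats count AS failures_so_far by src_ip
| where failures_so_far = 20

# rtorder: events from several forwarders can arrive slightly out of _time order;
# buffering for 30 seconds lets streamstats see them in time order before counting.
# discard=t drops events that arrive after their buffer window has already been emitted.
index=auth sourcetype=linux_secure "Failed password" earliest=rt-5m latest=rt
| rtorder discard=t buffer_span=30s
| streamstats count AS failures_so_far by src_ip
| where failures_so_far = 20
```

A real-time search of this kind is what you would base a real-time alert on: the running count never needs a summary index, but each open real-time search holds a search process, so keep the window short and the base search narrow.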
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14