Splunk® Enterprise

Dashboards and Visualizations

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Data structure requirements for visualizations

Different visualization types require search results in specific formats or data structures. For example, most charting visualizations require search results to be structured as tables with at least two columns, where the first column provides x-axis values and subsequent columns provide y-axis values for each series represented in the chart. To return search results in this format, use reporting search commands, such as stats, chart, or timechart.

This topic covers data structure requirements for different visualizations. For an overview of visualization options, see the Visualization Reference in this manual.

Column, line, and area charts

Column, line, and area charts are two-dimensional charts supporting one or more series. They plot data on a Cartesian coordinate system, working from tables that have at least two columns. In tables for column, line, and area charts, the first column contains x-axis values and subsequent columns contain y-axis values (each column represents a series). This is why "Values over time" searches and searches that include split-bys are available as column, line, and area charts.

As an example, any search using the timechart reporting command generates a table where _time is the first column. Column, line, and area charts generated with these search results have a _time x-axis.

In this search, the over operator indicates that source is the x-axis. 

...| chart avg(bytes) over source

The search produces a two-column, single-series table.

Two column chart.png

In this table, the x-axis is source, and the y-axis is avg(bytes). You can use the table to produce a column chart that compares the average number of bytes passed through each source.

You can change the search by adding clientip as a split-by field. 

 ...| chart avg(bytes) over source by clientip

This produces a table that features multiple series.

Multi-column chart.png

In this table, the x-axis is still source, and the y-axis is still avg(bytes). However, avg(bytes) are split by clientip, creating a table with multiple series. You can generate a stacked column chart to represent this data.

Search results not structured as a table with valid x-axis or y-axis values cannot generate column, line, or area charts. For example, using the eval and fields commands can change search result structure.

Bar charts

Bar charts have the same data structure requirements as column, line, and area charts, except that the x- and y-axes are reversed. Bar charts use tables that have at least two columns, where the first column contains y-axis values and the subsequent columns contain x-axis values.

Pie charts

Pie charts are one dimensional and only support a single series. They use tables with two columns, where the first column contains labels for each pie slice, and the second column contains numerical values that correspond to each label. Matching labels with numerical values determines the relative size of each slice.

  • Note: If a search generates a table with more than two columns, the extra columns are ignored.

The first search example shown above can generate a pie chart. 

...| chart avg(bytes) over source

Here, the source column provides pie slice labels. The avg(bytes) column provides the relative size of each slice, as percentages of the sum of avg(bytes) returned by the search.

Scatter charts

Scatter charts show data as scattered markers. Scatter charts can visualize multiple y-axis values for each x-axis value. Scatter charts require a multi-series table with four columns.

Scatter charts can work with data in the following form.

  • Multiple series. This chart uses a table with four columns. The second column (column 1) contains series names. The next two columns contain the values to be plotted on the x- and y-axes, respectively.

To generate a scatter chart you need to graph events directly with a search like the following example. 

* | fields - _* | fields clientip bytes

This search finds all packets received from various client IP addresses and then orders them according to the number of bytes in each packet. The x-axis is clientip and the y-axis is bytes.

  • Note: The search removes all fields with a leading underscore, such as the _time field. The second fields command isolates the two fields for the x- and y-axis of the chart, respectively. The y-axis value should be numerical for best results.

Use Simple XML to build more complex scatter charts. For more information see the Area, Bar, Column, line, and Scatter Charts and Scatter chart specific properties entries in the Chart Configuration Reference.

Gauges

You can use gauges with searches that return a single numerical field value. A gauge shows where this value exists within a defined range. For example, you can search for a count of events matching a set of search criteria within a specific time period or a real-time window. If you use a real-time search, the range marker fluctuates as the metric changes.

Single value visualizations

Single value visualizations represent an aggregated metric. You can visualize a metric for a specific time period or for a real-time window. If you use a real-time search, the visualization adapts to incoming data. To access sparklines and trend indicators for single value visualizations, it is important to use the timechart command.

You can use the rangemap command in conjunction with your query to map value ranges to different colors. Ranges and colors are based on five default severity levels.

  • Note: If a query includes the rangemap command, any Format menu adjustments to ranges or colors override the rangemap settings.

Maps

Choropleth maps and marker maps visualize data as it relates to a geographic region. It is important to use data with geographic coordinates when building a map visualization.

  • To build a Choropleth map, use a KMZ file, lookup, and the geom command.
  • To build a marker map, use the geostats command.

For more information, see the following resources.

  • "Mapping Data": A guide to building Choropleth and marker maps.
  • The <map> element entry in the Simple XML Reference
  • The geostats entry in the Search Reference.
  • The geom entry in the Search Reference.
Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:Viz:Datastructurerequirementsforvisualizations:Ember&oldid=877212"
PREVIOUS
Visualization Reference 		  NEXT
Drilldown behavior

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14

Comments

Hi @Kevinreese,
Thanks for your question. Scatter plots only support numeric axes, so at this time they cannot be used to show _time values. You might want to check out some related posts on the Answers forum, though, to review some of the workarounds or alternatives that other users found. For example, https://answers.splunk.com/answers/1541/how-can-i-create-a-scatter-plot-of-data-points-distributed-over-time.html

Hope this helps!

Frobinson splunk, Splunker
January 5, 2016

Is there a way to show _time on the x-axis in a scatter plot?

Kevinreese
December 21, 2015

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters