Data structure requirements for visualizations
Different visualization types require search results in specific formats or data structures. For example, most charting visualizations require search results to be structured as tables with at least two columns, where the first column provides x-axis values and subsequent columns provide y-axis values for each series represented in the chart. To return search results in this format, use reporting search commands such as chart or timechart, which are the commands used in the examples in this topic.
This topic covers data structure requirements for different visualizations. For an overview of visualization options, see the Visualization Reference in this manual.
Column, line, and area charts
Column, line, and area charts are two-dimensional charts supporting one or more series. They plot data on a Cartesian coordinate system, working from tables that have at least two columns. In tables for column, line, and area charts, the first column contains x-axis values and subsequent columns contain y-axis values (each column represents a series). This is why "Values over time" searches and searches that include split-bys are available as column, line, and area charts.
As an example, any search using the timechart reporting command generates a table where _time is the first column, so column, line, and area charts generated with these search results use _time as the x-axis.
...| chart avg(bytes) over source
In this search, the over operator indicates that source is the x-axis.
The search produces a two-column, single-series table. In this table, the x-axis is source, and the y-axis is avg(bytes). You can use the table to produce a column chart that compares the average number of bytes passed through each source.
You can change the search by adding clientip as a split-by field.
...| chart avg(bytes) over source by clientip
This produces a table that features multiple series. In this table, the x-axis is still source, but the y-axis values, avg(bytes), are now split by clientip, so each distinct client IP address becomes its own series column. You can generate a stacked column chart to represent this data.
Search results not structured as a table with valid x-axis and y-axis values cannot generate column, line, or area charts. For example, using the fields command can change the search result structure so that it no longer meets these requirements.
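To make the table shapes described in this section concrete, here is an added Python example (not part of the original Splunk documentation) that reproduces on a handful of constructed events what chart avg(bytes) over source and chart avg(bytes) over source by clientip return: the first column is the over field and supplies the x-axis, and every other column is one series of y-axis values. The event data and the chart_avg helper are assumptions made for illustration; in Splunk the chart command itself performs this aggregation.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not taken from the page): each event carries the
# three fields the examples in this topic use, plus an internal _time field.
EVENTS = [
    {"_time": "2024-01-01T00:00:00", "source": "web",  "clientip": "10.0.0.1", "bytes": 100},
    {"_time": "2024-01-01T00:00:05", "source": "web",  "clientip": "10.0.0.2", "bytes": 300},
    {"_time": "2024-01-01T00:00:09", "source": "mail", "clientip": "10.0.0.1", "bytes": 50},
    {"_time": "2024-01-01T00:00:12", "source": "mail", "clientip": "10.0.0.1", "bytes": 150},
    {"_time": "2024-01-01T00:00:20", "source": "dns",  "clientip": "10.0.0.2", "bytes": 20},
]


def chart_avg(events, field, over, by=None):
    """Approximate `chart avg(<field>) over <over> [by <by>]` (an assumed
    reimplementation for illustration, not Splunk's own code).

    Returns (columns, rows). columns[0] is the `over` field and supplies the
    x-axis; every remaining column is one series of y-axis values. Without a
    split-by there is a single series named avg(<field>); with one, each
    distinct value of the `by` field becomes its own series column.
    """
    series_name = f"avg({field})"
    groups = defaultdict(list)
    for e in events:
        series = e[by] if by else series_name
        groups[(e[over], series)].append(e[field])

    x_values = sorted({x for x, _ in groups})
    series_names = sorted({s for _, s in groups})
    columns = [over] + series_names
    rows = []
    for x in x_values:
        row = [x]
        for s in series_names:
            values = groups.get((x, s))
            # A series with no events at this x-value gets an empty cell,
            # which is why a split-by table is often sparse.
            row.append(mean(values) if values else None)
        rows.append(row)
    return columns, rows


def print_table(columns, rows):
    """Render a result table in a fixed-width layout for inspection."""
    widths = [max(len(str(c)), *(len(str(r[i])) for r in rows)) for i, c in enumerate(columns)]
    for line in [columns] + rows:
        print("  ".join(str(v if v is not None else "").ljust(w) for v, w in zip(line, widths)))


if __name__ == "__main__":
    # Single series: two columns, x-axis = source, y-axis = avg(bytes).
    print_table(*chart_avg(EVENTS, "bytes", over="source"))
    print()
    # Multiple series: x-axis = source, one y-axis column per clientip value.
    print_table(*chart_avg(EVENTS, "bytes", over="source", by="clientip"))
```

The second table is the one a stacked column chart consumes: three columns, with the empty cells showing where a client IP produced no events for a given source.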
Bar charts
Bar charts have the same data structure requirements as column, line, and area charts, except that the x- and y-axes are reversed. Bar charts use tables that have at least two columns, where the first column contains y-axis values and the subsequent columns contain x-axis values.
Pie charts
Pie charts are one dimensional and only support a single series. They use tables with two columns, where the first column contains labels for each pie slice, and the second column contains numerical values that correspond to each label. Matching labels with numerical values determines the relative size of each slice.
- Note: If a search generates a table with more than two columns, the extra columns are ignored.
The first search example shown above can generate a pie chart.
...| chart avg(bytes) over source
The source column provides the pie slice labels. The avg(bytes) column provides the relative size of each slice, as a percentage of the sum of all avg(bytes) values returned by the search.
Scatter charts
Scatter charts show data as scattered markers. Scatter charts can visualize multiple y-axis values for each x-axis value. Scatter charts require a multi-series table with four columns.
Scatter charts can work with data in the following form.
- Multiple series. This chart uses a table with four columns. The second column (column 1) contains series names. The next two columns contain the values to be plotted on the x- and y-axes, respectively.
To generate a scatter chart you need to graph events directly with a search like the following example.
* | fields - _* | fields clientip bytes
This search finds all packets received from various client IP addresses and then orders them according to the number of bytes in each packet. The x-axis is clientip and the y-axis is bytes.
- Note: The first fields command removes all fields with a leading underscore, such as the _time field. The second fields command isolates the two fields for the x- and y-axis of the chart, respectively. The y-axis value should be numerical for best results.
Use Simple XML to build more complex scatter charts. For more information see the Area, Bar, Column, line, and Scatter Charts and Scatter chart specific properties entries in the Chart Configuration Reference.
Gauges
You can use gauges with searches that return a single numerical field value. A gauge shows where this value exists within a defined range. For example, you can search for a count of events matching a set of search criteria within a specific time period or a real-time window. If you use a real-time search, the range marker fluctuates as the metric changes.
Single value visualizations
Single value visualizations represent an aggregated metric. You can visualize a metric for a specific time period or for a real-time window. If you use a real-time search, the visualization adapts to incoming data. To access sparklines and trend indicators for single value visualizations, it is important to use the
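The scatter chart and gauge requirements above, together with the column, bar and pie rules earlier in this topic, amount to a small set of structural checks on a result table. The following Python is an added example (not from the original page) that applies those checks to a table given as column names plus rows, and includes an equivalent of fields - _* for dropping internal fields before charting. The is_numeric, strip_internal_fields and supported_visualizations helpers and the sample tables are constructed assumptions; the two-column scatter form mirrors the fields clientip bytes example, and the four-column form follows the multi-series note.

```python
import numbers


def is_numeric(value):
    """True for y-axis material: ints/floats or numeric strings (Splunk field
    values usually arrive as strings). Booleans are deliberately excluded."""
    if isinstance(value, bool):
        return False
    if isinstance(value, numbers.Number):
        return True
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False


def strip_internal_fields(columns, rows):
    """Equivalent of `fields - _*`: drop every column whose name starts with an
    underscore, such as _time or _raw, keeping the remaining columns in order."""
    keep = [i for i, name in enumerate(columns) if not name.startswith("_")]
    return [columns[i] for i in keep], [[row[i] for i in keep] for row in rows]


def column_is_numeric(rows, index):
    """Empty cells (None or "") are allowed, as in a sparse split-by table;
    every populated cell in the column must be numeric."""
    return all(is_numeric(row[index]) for row in rows if row[index] not in (None, ""))


def supported_visualizations(columns, rows):
    """Return the visualizations whose structural requirements the table meets,
    following the rules stated in this topic (an assumed checker, not Splunk's)."""
    n = len(columns)
    supported = []
    # Column, line, area (and bar, with the axes swapped): the first column is
    # the axis, every other column is a numeric series.
    if n >= 2 and all(column_is_numeric(rows, i) for i in range(1, n)):
        supported += ["column", "line", "area", "bar"]
    # Pie: labels in column 1, numeric slice sizes in column 2; extra columns ignored.
    if n >= 2 and column_is_numeric(rows, 1):
        supported.append("pie")
    # Scatter: either the two-column form produced by `fields clientip bytes`
    # (x, numeric y) or the four-column multi-series form, where column index 1
    # names the series and the next two columns hold numeric x and y values.
    two_col = n == 2 and column_is_numeric(rows, 1)
    four_col = n == 4 and column_is_numeric(rows, 2) and column_is_numeric(rows, 3)
    if two_col or four_col:
        supported.append("scatter")
    # Single value and gauge: exactly one numeric field from a single result row.
    if n == 1 and len(rows) == 1 and is_numeric(rows[0][0]):
        supported += ["single value", "gauge"]
    return supported


# Constructed sample tables (not from the page), shaped like the examples in this topic.
RAW_EVENTS = (["_time", "clientip", "bytes"],
              [["1704067200", "10.0.0.1", "100"], ["1704067205", "10.0.0.2", "300"]])
AVG_BY_SOURCE = (["source", "avg(bytes)"], [["web", 200], ["mail", 100], ["dns", 20]])
SPLIT_BY_CLIENT = (["source", "10.0.0.1", "10.0.0.2"],
                   [["dns", None, 20], ["mail", 100, None], ["web", 100, 300]])
COUNT_ONLY = (["count"], [["42"]])

if __name__ == "__main__":
    for name, (cols, rows) in [("raw events", RAW_EVENTS), ("avg by source", AVG_BY_SOURCE),
                               ("split by clientip", SPLIT_BY_CLIENT), ("count", COUNT_ONLY)]:
        print(f"{name:18} -> {supported_visualizations(cols, rows)}")
    # Raw events only become chartable once the leading-underscore fields are gone.
    print("after fields - _*  ->", supported_visualizations(*strip_internal_fields(*RAW_EVENTS)))
```

Running it shows why the scatter example strips _* first: with _time still in the first column the table qualifies for nothing, and after the strip the two remaining columns satisfy the two-column scatter form (and, structurally, the column-chart and pie rules as well).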
You can use the rangemap command in conjunction with your query to map value ranges to different colors. Ranges and colors are based on five default severity levels.
- Note: If a query includes the rangemap command, any Format menu adjustments to ranges or colors override the
Maps
Choropleth maps and marker maps visualize data as it relates to a geographic region. It is important to use data with geographic coordinates when building a map visualization.
- To build a Choropleth map, use a KMZ file, lookup, and the
- To build a marker map, use the
For more information, see the following resources.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14