Splunk® Enterprise

Dashboards and Visualizations

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Data structure requirements for visualizations

Different visualization types require search results in specific formats or data structures. For example, most charting visualizations require search results to be structured as tables with at least two columns, where the first column provides x-axis values and subsequent columns provide y-axis values for each series represented in the chart. To return search results in this format, use reporting search commands, such as stats, chart, or timechart.

This topic covers data structure requirements for different visualizations. For an overview of visualization options, see the Visualization Reference in this manual.

Column, line, and area charts

Column, line, and area charts are two-dimensional charts supporting one or more series. They plot data on a Cartesian coordinate system, working from tables that have at least two columns. In tables for column, line, and area charts, the first column contains x-axis values and subsequent columns contain y-axis values (each column represents a series). This is why "Values over time" searches and searches that include split-bys are available as column, line, and area charts.

As an example, any search using the timechart reporting command generates a table where _time is the first column. Column, line, and area charts generated with these search results have a _time x-axis.

In this search, the over operator indicates that source is the x-axis.

...| chart avg(bytes) over source 

The search produces a two-column, single-series table.

Two column chart.png

In this table, the x-axis is source, and the y-axis is avg(bytes). You can use the table to produce a column chart that compares the average number of bytes passed through each source.

You can change the search by adding clientip as a split-by field.

 ...| chart avg(bytes) over source by clientip

This produces a table that features multiple series.

Multi-column chart.png

In this table, the x-axis is still source, and the y-axis is still avg(bytes). However, avg(bytes) are split by clientip, creating a table with multiple series. You can generate a stacked column chart to represent this data.

Search results not structured as a table with valid x-axis or y-axis values cannot generate column, line, or area charts. For example, using the eval and fields commands can change search result structure.

Bar charts

Bar charts have the same data structure requirements as column, line, and area charts, except that the x- and y-axes are reversed. Bar charts use tables that have at least two columns, where the first column contains y-axis values and the subsequent columns contain x-axis values.

Pie charts

Pie charts are one dimensional and only support a single series. They use tables with two columns, where the first column contains labels for each pie slice, and the second column contains numerical values that correspond to each label. Matching labels with numerical values determines the relative size of each slice.

  • Note: If a search generates a table with more than two columns, the extra columns are ignored.

The first search example shown above can generate a pie chart.

...| chart avg(bytes) over source 

Here, the source column provides pie slice labels. The avg(bytes) column provides the relative size of each slice, as percentages of the sum of avg(bytes) returned by the search.

Scatter charts

Scatter charts show data as scattered markers. Scatter charts can visualize multiple y-axis values for each x-axis value.

Scatter charts require the table command to generate data in the following format.

  • Multiple series. This chart uses a table with three columns. The first column (column 0) contains series names. The next two columns contain the values to be plotted on the x- and y-axes, respectively.

Here is an example.

source="earthquakes.csv" | table Region, Magnitude, Depth

This search uses recent earthquake data. It generates a table with three columns. The first column represents region names. The second column represents earthquake magnitude, plotted on the x-axis. The third column represents earthquake depth, plotted on the y-axis.

Use Simple XML to build more complex scatter charts. For more information see the Area, Bar, Column, line, and Scatter Charts and Scatter chart specific properties entries in the Chart Configuration Reference.

Bubble charts

Bubble charts show data in three dimensions using bubble positioning and size. To create a bubble chart, use a search that generates three data series.

Here is an example.

source="earthquake.csv" | stats count by place, mag, depth

This search aggregates earthquake events by location. It generates three data series representing the magnitude, depth, and count for each earthquake location.

The search generates a bubble chart where the x-axis and y-axis plot magnitude and depth. The bubble size indicates the relative count value for a particular location.

To get series colors with the stats command, use two group-by fields. This generates a bubble for each unique combination of those two fields. The value of the second field determines the series color.

Gauges

You can use gauges with searches that return a single numerical field value. A gauge shows where this value exists within a defined range. For example, you can search for a count of events matching a set of search criteria within a specific time period or a real-time window. If you use a real-time search, the range marker fluctuates as the metric changes.

Single value visualizations

Single value visualizations represent an aggregated metric. You can visualize a metric for a specific time period or for a real-time window. If you use a real-time search, the visualization adapts to incoming data. To access sparklines and trend indicators for single value visualizations, it is important to use the timechart command.

Caution: As support for the rangemap command is limited, it is not recommended for building new single value visualizations. Queries using rangemap currently generate a single value, but UI configurations override the query-based settings.

For existing single value visualizations, it is recommended to migrate rangemap command settings out of the query. Replace query-based settings with equivalent range and color settings in the Format menu Color panel.

Maps

Choropleth maps and marker maps visualize data as it relates to a geographic region. It is important to use data with geographic coordinates when building a map visualization.

  • To build a Choropleth map, use a KMZ file, lookup, and the geom command.
  • To build a marker map, use the geostats command.

For more information, see the following resources.

  • "Mapping Data": A guide to building Choropleth and marker maps.
  • The <map> element entry in the Simple XML Reference
  • The geostats entry in the Search Reference.
  • The geom entry in the Search Reference.
PREVIOUS
Visualization Reference
  NEXT
Drilldown behavior

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters