Data structure requirements for visualizations
Different visualization types require search results in specific formats or data structures. For example, most charting visualizations require search results to be structured as tables with at least two columns, where the first column provides x-axis values and subsequent columns provide y-axis values for each series represented in the chart. To return search results in this format, use reporting search commands, such as
This topic covers data structure requirements for different visualizations. For an overview of visualization options, see the Visualization Reference in this manual.
Column, line, and area charts
Column, line, and area charts are two-dimensional charts supporting one or more series. They plot data on a Cartesian coordinate system, working from tables that have at least two columns. In tables for column, line, and area charts, the first column contains x-axis values and subsequent columns contain y-axis values (each column represents a series). This is why "Values over time" searches and searches that include split-bys are available as column, line, and area charts.
As an example, any search using the timechart reporting command generates a table where _time is the first column. Column, line, and area charts generated with these search results have a
In this search, the over operator indicates that source is the x-axis.
...| chart avg(bytes) over source
The search produces a two-column, single-series table.
In this table, the x-axis is source, and the y-axis is avg(bytes). You can use the table to produce a column chart that compares the average number of bytes passed through each source.
You can change the search by adding clientip as a split-by field.
...| chart avg(bytes) over source by clientip
This produces a table that features multiple series.
In this table, the x-axis is still source, and the y-axis values for avg(bytes) are split by clientip, creating a table with multiple series. You can generate a stacked column chart to represent this data.
Search results not structured as a table with valid x-axis or y-axis values cannot generate column, line, or area charts. For example, using the fields command can change the search result structure.
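As an added illustration (example code, not part of the Splunk documentation), this Python snippet approximates the two chart searches above over a few constructed events and checks the resulting table shapes against the rule just stated; the event values and the drop_fields helper are assumptions for the demo.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events (not from the page): web-access events carrying
# the three fields the page's searches use: source, clientip and bytes.
EVENTS = [
    {"source": "web1.log", "clientip": "10.0.0.5", "bytes": 1200},
    {"source": "web1.log", "clientip": "10.0.0.5", "bytes": 800},
    {"source": "web1.log", "clientip": "10.0.0.9", "bytes": 3000},
    {"source": "web2.log", "clientip": "10.0.0.9", "bytes": 500},
    {"source": "web2.log", "clientip": "10.0.0.5", "bytes": 700},
]


def chart_avg_over(events, field, over, by=None):
    """Approximate `chart avg(<field>) over <over> [by <by>]`.

    Returns (columns, rows). Column 0 is the x-axis (the `over` field).
    Every later column is one y-axis series: a single avg(<field>) column
    without a split-by, or one column per distinct `by` value with it.
    A cell with no matching events is None (Splunk leaves it empty).
    """
    groups = defaultdict(list)  # (x value, series name) -> field values
    for ev in events:
        series = ev[by] if by else f"avg({field})"
        groups[(ev[over], series)].append(ev[field])
    xs = sorted({x for x, _ in groups})
    series_names = sorted({s for _, s in groups})
    rows = []
    for x in xs:
        cells = [mean(groups[(x, s)]) if (x, s) in groups else None
                 for s in series_names]
        rows.append([x] + cells)
    return [over] + series_names, rows


def is_chartable(columns, rows):
    """The page's requirement for column, line and area charts: at least
    two columns, with every non-empty y-axis cell a number."""
    if len(columns) < 2:
        return False
    return all(cell is None or isinstance(cell, (int, float))
               for row in rows for cell in row[1:])


def drop_fields(columns, rows, *names):
    """Mimic `fields - <name> ...`: remove the named columns from a table."""
    keep = [i for i, c in enumerate(columns) if c not in names]
    return [columns[i] for i in keep], [[r[i] for i in keep] for r in rows]
```

Dropping every y-axis column with drop_fields leaves a one-column table that is_chartable rejects, which is the failure the paragraph above describes.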
Bar charts have the same data structure requirements as column, line, and area charts, except that the x- and y-axes are reversed. Bar charts use tables that have at least two columns, where the first column contains y-axis values and the subsequent columns contain x-axis values.
Pie charts are one dimensional and only support a single series. They use tables with two columns, where the first column contains labels for each pie slice, and the second column contains numerical values that correspond to each label. Matching labels with numerical values determines the relative size of each slice.
- Note: If a search generates a table with more than two columns, the extra columns are ignored.
The first search example shown above can generate a pie chart.
...| chart avg(bytes) over source
The source column provides pie slice labels. The avg(bytes) column provides the relative size of each slice, as a percentage of the sum of the avg(bytes) values returned by the search.
Scatter charts show data as scattered markers. Scatter charts can visualize multiple y-axis values for each x-axis value.
Scatter charts require the table command to generate data in the following format.
- Multiple series. This chart uses a table with three columns. The first column (column 0) contains series names. The next two columns contain the values to be plotted on the x- and y-axes, respectively.
Here is an example.
source="earthquakes.csv" | table Region, Magnitude, Depth
This search uses recent earthquake data. It generates a table with three columns. The first column represents region names. The second column represents earthquake magnitude, plotted on the x-axis. The third column represents earthquake depth, plotted on the y-axis.
Use Simple XML to build more complex scatter charts. For more information see the Area, Bar, Column, line, and Scatter Charts and Scatter chart specific properties entries in the Chart Configuration Reference.
Bubble charts show data in three dimensions using bubble positioning and size. To create a bubble chart, use a search that generates three data series.
Here is an example.
source="earthquake.csv" | stats count by place, mag, depth
This search aggregates earthquake events by location. It generates three data series representing the magnitude, depth, and count for each earthquake location.
The search generates a bubble chart where the x-axis and y-axis plot magnitude and depth. The bubble size indicates the relative count value for a particular location.
To get series colors with the stats command, use two group-by fields. This generates a bubble for each unique combination of those two fields. The value of the second field determines the series color.
You can use gauges with searches that return a single numerical field value. A gauge shows where this value exists within a defined range. For example, you can search for a count of events matching a set of search criteria within a specific time period or a real-time window. If you use a real-time search, the range marker fluctuates as the metric changes.
Single value visualizations
Single value visualizations represent an aggregated metric. You can visualize a metric for a specific time period or for a real-time window. If you use a real-time search, the visualization adapts to incoming data. To access sparklines and trend indicators for single value visualizations, it is important to use the
Caution: As support for the rangemap command is limited, it is not recommended for building new single value visualizations. Queries using rangemap currently generate a single value, but UI configurations override the query-based settings.
For existing single value visualizations, it is recommended to migrate rangemap command settings out of the query. Replace query-based settings with equivalent range and color settings in the Color panel of the Format menu.
Choropleth maps and marker maps visualize data as it relates to a geographic region. It is important to use data with geographic coordinates when building a map visualization.
- To build a Choropleth map, use a KMZ file, lookup, and the
- To build a marker map, use the
For more information, see the following resources.
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11