Splunk® Enterprise

Search Tutorial

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Create a basic chart

In this example, you compare counts of user actions on the online store website by calculating the following for each product:

  • The number of times each product is viewed
  • The number of times each product is added to the cart
  • The number of times each product is purchased

Prerequisite
This example requires the productName field from the Enabling field lookups section. You must complete all of those steps before continuing with this section.

Steps

  1. Start a new search.
  2. Set the time range to All time.
  3. Run the following search.

    sourcetype=access_* status=200 | chart count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds to Cart", purchases AS "Purchases"

    This search uses the chart command to count, for each productName, all of the matching events (views) and the events where action=addtocart and action=purchase. The search then uses the rename command to rename the fields that appear in the results.
    The chart command is a transforming command. The results of the search appear on the Statistics tab.
  4. Click the Visualization tab. The search results appear in a Pie chart.
  5. Change the display to a Column chart.

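To see exactly which events each column counts, the following added example (not part of the Splunk documentation) emulates the search from step 3 in Python over a few constructed events. The event values, the product names, and the `chart_actions` function are assumptions made for illustration; the example also assumes that events with no productName value produce no row and that rows are sorted by product name.

```python
from fnmatch import fnmatch

# Constructed sample events (not taken from the tutorial data set).
EVENTS = [
    {"sourcetype": "access_combined", "status": "200", "action": "view", "productName": "Game A"},
    {"sourcetype": "access_combined", "status": "200", "action": "addtocart", "productName": "Game A"},
    {"sourcetype": "access_combined", "status": "200", "action": "purchase", "productName": "Game A"},
    {"sourcetype": "access_combined", "status": "200", "productName": "Game A"},  # no action field
    {"sourcetype": "access_combined", "status": "200", "action": "addtocart", "productName": "Game B"},
    {"sourcetype": "access_combined", "status": "200", "action": "addtocart", "productName": "Game B"},
    {"sourcetype": "access_combined", "status": "503", "action": "purchase", "productName": "Game B"},
    {"sourcetype": "access_combined", "status": "200", "action": "purchase"},  # no productName
    {"sourcetype": "secure", "status": "200", "action": "purchase", "productName": "Game B"},
]


def chart_actions(events):
    """Emulate: sourcetype=access_* status=200 | chart count AS views
    count(eval(action="addtocart")) AS addtocart
    count(eval(action="purchase")) AS purchases by productName | rename ..."""
    rows = {}
    for ev in events:
        # Base search: sourcetype=access_* status=200
        if not fnmatch(ev.get("sourcetype", ""), "access_*"):
            continue
        if ev.get("status") != "200":
            continue
        name = ev.get("productName")
        if name is None:
            continue  # assumption: no value for the "by" field, so no row
        row = rows.setdefault(name, {"Views": 0, "Adds to Cart": 0, "Purchases": 0})
        row["Views"] += 1  # plain count: every event in the group, whatever its action
        if ev.get("action") == "addtocart":  # count(eval(action="addtocart"))
            row["Adds to Cart"] += 1
        if ev.get("action") == "purchase":  # count(eval(action="purchase"))
            row["Purchases"] += 1
    # rename productName AS "Product Name"; rows ordered by product name
    return [{"Product Name": n, **rows[n]} for n in sorted(rows)]


if __name__ == "__main__":
    for r in chart_actions(EVENTS):
        print(r)
```

Note that the Views column counts every status=200 event for a product, including the add-to-cart and purchase events, because `count` without an eval expression has no condition on action.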

Next step

Create an overlay chart and explore visualization options

See also

chart command in the Search Reference
rename command in the Search Reference
Transforming commands in the Search Manual

Last modified on 26 March, 2018

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13

