Converts results into a tabular format that is suitable for graphing. This command is the inverse of the untable command.


xyseries [grouped=<bool>] <x-field> <y-name-field> <y-data-field>... [sep=<string>] [format=<string>]

Required arguments

Syntax: <field>
Description: The name of the field to use for the x-axis label. The values of this field appear as labels for the data series plotted on the x-axis.
Syntax: <field>
Description: The field that contains the values to use as labels for the data series.
Syntax: <field> [,<field>] ...
Description: One or more fields that contain the data to chart. When specifying multiple fields, separate the field names with commas.

Optional arguments

Syntax: format=<string>
Description: Used to construct output field names when multiple data series are used in conjunction with a split-by-field. format takes precedence over sep and lets you specify a parameterized expression with the stats aggregator and function ($AGG$) and the value of the split-by-field ($VALUE$).
Syntax: grouped= true | false
Description: If true, indicates that the input is sorted by the value of the <x-field> and multifile input is allowed.
Default: false
Syntax: sep=<string>
Description: Used to construct output field names when multiple data series are used in conjunctions with a split-by field. This is equivalent to setting format to $AGG$<sep>$VALUE$.


The xyseries command is a distributable streaming command, unless grouped=true is specified and then the xyseries command is a transforming command. See Command types.


The alias for the xyseries command is maketable.


Example 1: Reformat the search results.

... | xyseries delay host_type host

Example 2: Refer to this walkthrough to see how you can combine stats and eval with the xyseries command to create a report on multiple data series.

3rd party custom commands

