Splunk Cloud Platform

Search Manual

Create charts that are not (necessarily) time-based

This topic discusses using the transforming command, chart, to create visualizations that are not time-based.

The chart command

The chart command returns your results in a data structure that supports visualization of your data series as a chart such as a column, line, area, and pie chart.

Unlike the timechart command, which uses the _time default field as the x-axis, charts created with the chart command use an arbitrary field as the x-axis. With the chart command, you use the over keyword to determine what field takes the x-axis.

Examples

Example 1: Use web access data to show you the average count of unique visitors over each weekday.

sourcetype=access_* | chart avg(clientip) over date_wday

One of the options you have is to split the data by another field, meaning that each distinct value of the "split by" field is a separate series in the chart. If your search includes a "split by" clause, place the over clause before the "split by" clause.

The following report generates a chart showing the sum of kilobytes processed by each clientip within a given timeframe, split by host. The finished chart shows the bytes value taking the y-axis while clientip takes the x-axis. The delay value is broken out by host. After you run this search, format the report as a stacked bar chart.

sourcetype=access_* | chart sum(bytes) over clientip by host

Example 2: Create a stacked bar chart that splits out the http and https requests hitting your servers.

To do this, first create ssl_type, a search-time field extraction that contains the inbound port number or the incoming URL request, assuming that it is logged. The finished search would look like this:

sourcetype=access_* | chart count over ssl_type

After you run the search, format the results as a stacked bar chart.

Last modified on 13 December, 2017
Create time-based charts   Visualize field value highs and lows

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters