Use a scatter chart to show relationships between discrete data points. Data point distribution can show trends or relationships across two dimensions.
Scatter charts work best with two data series. Use a transforming command to aggregate values. You can use the
table command with the following syntax to manage result field ordering.
... | table <marker_name_field> <x-axis_field> <y-axis_field>
Check the Statistics tab after running the search to make sure that there are three columns in the Statistics table. You can use the
table command to change the order of the columns if needed.
Use the Format menu to configure one or more of the following scatter chart components.
- Axis titles
- Legend placement and truncation
- Axis scale and interval values
- Axis minimum and maximum values
- Abbreviate y-axis and x-axis numerical values
Create a scatter chart
Review the following details about building column and bar charts.
- Write a search that generates two data series.
- Run the search.
- Select the Statistics tab below the search bar. The statistics table here should have three columns.
- Select the Visualization tab and use the Visualization Picker to select the scatter chart visualization.
- (Optional) Use the Format menu to configure the visualization.
An analyst creates a scatter chart to track recent earthquake locations, magnitude, and depth.
This search generates a Statistics table with three columns. The first column shows earthquake location values. The second column represents earthquake magnitude values, plotted on the x-axis. The third column represents earthquake depth values, plotted on the y-axis.
source="earthquake.csv" | table Region Magnitude Depth
Use Simple XML to build more complex scatter charts. For more information see the Area, Bar, Column, line, and Scatter Charts and Scatter chart specific properties entries in the Chart Configuration Reference.
Line and area charts
This documentation applies to the following versions of Splunk Cloud™: 8.1.2103, 7.2.10, 7.2.4, 7.2.6, 7.2.7, 7.2.9, 7.2.8, 8.0.2006, 8.0.2007, 8.1.2008, 8.1.2009, 8.1.2011, 8.1.2012 (latest FedRAMP release), 8.1.2101