sichart
Summary indexing is a method you can use to speed up long-running searches that do not qualify for report acceleration, such as searches that use commands that are not streamable before the reporting command. For more information, see "About report acceleration and summary indexing" and "Use summary indexing for increased reporting efficiency" in the Knowledge Manager Manual.
Description
The summary indexing version of the chart command. The sichart command populates a summary index with the statistics necessary to generate a chart visualization. For example, it can create a column, line, area, or pie chart. After you populate the summary index, you can use the chart command with the exact same search that you used with the sichart command to search against the summary index.
Syntax
Required syntax is in bold.
- sichart
- [sep=<string>]
- [format=<string>]
- [cont=<bool>]
- [limit=<int>]
- [agg=<stats-agg-term>]
- ( <stats-agg-term> | <sparkline-agg-term> | "("<eval-expression>")" )...
- [ BY <field> [<bins-options>... ] [<split-by-clause>] ] | [ OVER <field> [<bins-options>...] [BY <split-by-clause>] ]
For syntax descriptions, refer to the chart command.
Usage
Supported functions
You can use a wide range of functions with the sichart command. For general information about using functions, see Statistical and charting functions.
- For a list of functions by category, see Function list by category
- For an alphabetical list of functions, see Alphabetical list of functions
Examples
Example 1:
Compute the necessary information to later do 'chart avg(foo) by bar' on summary indexed results.
... | sichart avg(foo) by bar
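The following added example is not part of the Splunk documentation; it is a small Python model of why sichart stores the statistics needed for avg(foo) (per-group sum and count) rather than the finished average. Two constructed scheduled-search runs feed a summary index; a later chart avg(foo) by bar over the stored partials reproduces the result computed over all raw events, whereas storing only each run's average and averaging those gives a different, wrong answer. The event data and the summary field names (sum_foo, count_foo) are illustrative assumptions, not Splunk's internal summary format.

```python
from collections import defaultdict

# Constructed sample events, (bar, foo), standing in for the raw events
# that two consecutive scheduled runs of the sichart search would see.
RUN_1 = [("web", 10.0), ("web", 30.0), ("db", 5.0)]
RUN_2 = [("web", 50.0), ("db", 7.0), ("db", 9.0)]


def sichart_avg(events):
    """Model of '... | sichart avg(foo) by bar' for one scheduled run:
    emit one summary row per bar value holding the partial statistics avg
    needs (sum and count), not the finished average. Field names are
    illustrative, not the fields Splunk actually writes."""
    partial = defaultdict(lambda: {"sum_foo": 0.0, "count_foo": 0})
    for bar, foo in events:
        partial[bar]["sum_foo"] += foo
        partial[bar]["count_foo"] += 1
    return [{"bar": bar, **stats} for bar, stats in partial.items()]


def chart_avg_from_summary(summary_rows):
    """Model of 'index=summary ... | chart avg(foo) by bar': merge the
    partials from every run, then divide once per bar value."""
    merged = defaultdict(lambda: {"sum_foo": 0.0, "count_foo": 0})
    for row in summary_rows:
        merged[row["bar"]]["sum_foo"] += row["sum_foo"]
        merged[row["bar"]]["count_foo"] += row["count_foo"]
    return {bar: s["sum_foo"] / s["count_foo"] for bar, s in merged.items()}


def chart_avg_raw(events):
    """'... | chart avg(foo) by bar' straight over raw events (ground truth)."""
    values = defaultdict(list)
    for bar, foo in events:
        values[bar].append(foo)
    return {bar: sum(v) / len(v) for bar, v in values.items()}


def avg_of_per_run_averages(runs):
    """The mistake sichart avoids: each run stores only its finished average
    and the report averages those. Groups with uneven event counts per run
    are weighted wrongly."""
    per_run = defaultdict(list)
    for events in runs:
        for bar, avg in chart_avg_raw(events).items():
            per_run[bar].append(avg)
    return {bar: sum(v) / len(v) for bar, v in per_run.items()}


if __name__ == "__main__":
    summary_index = sichart_avg(RUN_1) + sichart_avg(RUN_2)
    print("chart over sichart partials:", chart_avg_from_summary(summary_index))
    print("chart over raw events:      ", chart_avg_raw(RUN_1 + RUN_2))
    print("average of per-run averages:", avg_of_per_run_averages([RUN_1, RUN_2]))
```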
See also
chart, collect, overlap, sirare, sistats, sitimechart, sitop
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403 (latest FedRAMP release), 9.2.2406