Splunk Cloud Platform

Dashboards and Visualizations with Simple XML

Data structure requirements for visualizations

Visualizations require search results in specific formats or data structures. Write queries to generate results in the correct format for the visualization that you are building.

This topic provides an overview of data structures for visualizations. To learn about requirements for a specific visualization and how to generate results in the correct format, see one of the following topics.

Events list
Using events lists
Table visualizations
Generate a table
Pie chart
Column and bar charts
Line and area charts
Scatter chart
Bubble chart
Single value
Generate a single value
Using gauges
Mapping Data

For an overview of visualization options, see the Visualization Reference in this manual.

Data and formatting requirements

Depending on the visualization that you are creating, you can use specific search commands to generate results in the correct format. For example, many visualizations require a search using transforming commands, such as stats, chart, timechart, or geostats to render.

Charts visualize one or more data series, or related data points. Depending on the chart type or complexity, the number and ordering of data series can vary.

Single value and gauge visualizations represent a single numerical value.

Maps combine a query and other data components, including data with coordinates or place information, lookup definitions, and geographical markup files.

Using the statistics table

When creating a visualization, you can check the Statistics table after running a search to make sure that result fields are generated correctly. The number and order of Statistics table columns show you the data structure that a search generated.

Additional information

Review specific visualization topics to check data format requirements and query recommendations.

To learn more about search commands that can generate visualizations, see the following topics.

Last modified on 10 June, 2019
Visualization reference   Using events lists

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 8.2.2203, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308 (latest FedRAMP release), 9.1.2312, 9.2.2403

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters