Create charts that are not (necessarily) time-based
This topic discusses using the transforming command, chart, to create visualizations that are not time-based.
The chart command
The chart command returns your results in a data structure that supports visualization of your data series as a chart such as a column, line, area, and pie chart.
Unlike the timechart
command, which uses the _time
default field as the x-axis, charts created with the chart
command use an arbitrary field as the x-axis. With the chart command, you use the over
keyword to determine what field takes the x-axis.
Examples
Example 1: Use web access data to show you the average count of unique visitors over each weekday.
sourcetype=access_* | chart avg(clientip) over date_wday
One of the options you have is to split the data by another field, meaning that each distinct value of the "split by" field is a separate series in the chart. If your search includes a "split by" clause, place the over
clause before the "split by" clause.
The following report generates a chart showing the sum of kilobytes processed by each clientip
within a given timeframe, split by host
. The finished chart shows the bytes
value taking the y-axis while clientip
takes the x-axis. The delay value is broken out by host. After you run this search, format the report as a stacked bar chart.
sourcetype=access_* | chart sum(bytes) over clientip by host
Example 2: Create a stacked bar chart that splits out the http and https requests hitting your servers.
To do this, first create ssl_type
, a search-time field extraction that contains the inbound port number or the incoming URL request, assuming that it is logged. The finished search would look like this:
sourcetype=access_* | chart count over ssl_type
After you run the search, format the results as a stacked bar chart.
Create time-based charts | Visualize field value highs and lows |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!