Data visualization library
This topic is a quick reference for the data visualizations available in Splunk Light.
Event visualizations are a list of raw events. You get event visualizations from any search that does not include a transform operation. For example, a search for a set of terms and field values returns a list of events.
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
With event visualizations, you can:
- Determine the number of events listed.
- Determine whether numbers appear to the left of each panel.
- Have event text wrap to fit within the dashboard panel.
If you add a transforming command, such as top, you get statistical results that you can present either as a table or a chart.
You can generate table visualizations from just about any search. However, searches that include transform operations, such as timechart, generate more interesting tables.
For table visualizations you can do the following:
- Set the number of table rows to display.
- Display row numbers.
- Add data overlays that provide additional visual information, such as heat maps or high/low value indicators.
Sparklines in tables
You can configure table visualizations to display sparklines. Sparklines show hidden patterns in data that might otherwise be hard to identify in table results. They can increase the usefulness and overall information density of tables in reports and dashboards.
To use sparklines, the underlying search has to use the chart transforming commands. You add the sparklines function to those commands to add a sparkline column to the table.
You can choose from a variety of chart visualizations, such as column, line, area, scatter, and pie charts. These visualizations require transforming searches whose results involve one or more series.
A series is a sequence of related data points that can be plotted on a chart. For example, each line plotted on a line chart represents an individual series. You can design transforming searches that produce a single series, or you can set them up so the results provide data for multiple series.
Consider a table that a transforming search generates. Each column in the table after the first column represents a different series. A "single series" search produces a table with only two columns, while a "multiple series" search produces a table with three or more columns.
All chart visualizations can display single-series searches. However, the bar, column, line, and pie chart visualizations usually display the data best. Pie charts can only display data from single-series searches.
If a search produces multiple series, bar, column, line, area, and scatter chart visualizations display the data best.
Column and bar charts
Use a column chart or bar chart to compare the frequency of values of fields in your data. In a column chart, the x-axis values are typically field values. If the search uses the timechart transforming command, the x-axis represents time. The y-axis can be any other field value, count of values, or statistical calculation of a field value. Column charts and bar charts represent data similarly, except that the x-axis and y-axis values are reversed.
Line and area charts
Use line and area charts to show data trends over time. You can use the x-axis to represent any field value other than time. If your chart includes more than one series, a different color represents each line or area. Shaded areas in area charts help emphasize quantities.
When a base search involves more than one data series, you can use stacked column and stacked bar charts to compare the frequency of field values in your data. Stacked line and area charts are useful when charting several series, making it easier to see how each data series relates to the entire set of data as a whole.
In an unstacked column chart, the columns for different series appear alongside each other. An unstacked column chart is useful for relatively simple search results.
A stacked column chart displays all the series columns for a single data point as segments of a single column. The total value of the column is the sum of the segments. You can use a stacked column or bar chart to highlight the relative weight, or importance, of the different types of data that make up a specific data set.
100 per cent stacked charts
You can use 100% stacked charts to compare data distributions within a column or bar chart by percentage of the column or bar size. Each segment of data in the column or bar represents the percentage of all the data available.
Stacked 100% is useful to better see data distributions between segments in a column or bar chart that contains a mix of very small and very large segments.
Use a pie chart to show the relationship of parts of your data to the entire set of data as a whole. The size of a slice in a pie graph shows the value of the data represented by the slice as a percentage of the sum of all values.
Use a scatter chart, also known as scatter plot, to show trends in the relationships between discrete values of data. A scatter plot shows discrete values that do not occur at regular intervals or belong to a series. This differs from a line graph, which plots a regular series of points.
A bubble chart provides a visual way to view a three-dimensional series. Each point, or bubble, plots against two dimensions on the X and Y axes of the chart. The size of the bubble represents the value for the third dimension.
Single value visualizations
Single value displays and gauges display the results of a transforming search that returns a single value, for example, a search that returns the total count of events for a specific set of search criteria. There are various ways to make searches return a single value. One example is to combine the top command with head=1.
Single value display
The single value visualization displays the result of a search that returns a single numerical value. If you base the visualization on a real-time search that returns a single value, the number displayed changes as the search interprets incoming data.
index=_internal source="*splunkd.log" log_level="error" | stats count as errors | rangemap field=errors low=0-3 elevated=4-20 default=severe
You can configure a single value display visualization to change color depending on where the returned value falls within a defined range. Use the rangemap search command to define the range in the underlying search. You can also configure the range map for a single value visualization with the Panel Editor. By default, a single value visualization uses the following range map configuration:
- low: green
- elevated: yellow
- severe: red
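The following Python sketch is an added example, not Splunk code and not part of the original documentation. It models the range map from the search above so you can check which label an error count receives and whether the ranges leave gaps that fall through to the default. It assumes inclusive, non-negative integer ranges with first match winning; `parse_rangemap`, `classify` and `find_gaps` are hypothetical helper names.

```python
import re

# rangemap arguments copied from the search on this page
PAGE_SPEC = "field=errors low=0-3 elevated=4-20 default=severe"


def parse_rangemap(spec):
    """Split rangemap arguments into (field, ranges, default).

    Assumption: ranges are non-negative integers written start-end,
    inclusive at both ends (as low=0-3 / elevated=4-20 suggests).
    """
    field, default, ranges = None, None, []
    for token in spec.split():
        name, _, value = token.partition("=")
        if name == "field":
            field = value
        elif name == "default":
            default = value
        else:
            match = re.fullmatch(r"(\d+)-(\d+)", value)
            if not match:
                raise ValueError(f"bad range {token!r}")
            lo, hi = int(match.group(1)), int(match.group(2))
            if lo > hi:
                raise ValueError(f"reversed range {token!r}")
            ranges.append((name, lo, hi))
    if field is None or not ranges:
        raise ValueError("need field=<name> and at least one range")
    return field, ranges, default


def classify(value, ranges, default):
    """Name of the first range containing value, else the default label."""
    for name, lo, hi in ranges:
        if lo <= value <= hi:
            return name
    return default


def find_gaps(ranges):
    """Integer spans between the lowest and highest bound that no range
    covers; values there silently receive the default label."""
    gaps, covered_to = [], None
    for _, lo, hi in sorted(ranges, key=lambda r: r[1]):
        if covered_to is not None and lo > covered_to + 1:
            gaps.append((covered_to + 1, lo - 1))
        covered_to = hi if covered_to is None else max(covered_to, hi)
    return gaps
```

With the page's ranges there are no gaps; a typo such as `elevated=5-20` would send a count of 4 straight to the default label.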
Gauge visualizations map a single numerical value against a range of colors that may have particular business meaning or logic. Gauges use range maps, as described for the single value visualization, to define color ranges. As a value changes over time, the gauge marker changes position within this range.
Gauges provide a dynamic visualization for real-time searches, where the value returned fluctuates as events are returned, causing the gauge marker to visibly bounce back and forth within the range.
You can choose from three types of gauge visualizations: radial, filler, and marker. The gauge examples below use the same base search:
index=_internal source="*splunkd.log" log_level="error" | stats count as errors
The radial gauge type looks like a speedometer or pressure valve gauge. It has an arced range scale and a rotating needle. Use a range map, as described for a single value visualization, to define color ranges for the radial gauge.
The current value of the needle displays at the bottom of the gauge. In the example below, the value is 17. If the value falls below or above the specified minimum or maximum range, the needle "flutters" at the upper or lower boundary, as if it is straining to move past the limits of the range.
The following examples show the "shiny" and "minimal" versions of the radial gauge:
The filler gauge is similar to a thermometer, with a filler indicator that changes color as it rises and passes gauge range boundaries. Use a range map, as described for a single value visualization, to define color ranges for the filler gauge.
The following examples show the "shiny" and "minimal" versions of the filler gauge:
The marker gauge is a linear version of the filler gauge. A gauge marker rests at the value returned by the search. Use a range map, as described for a single value visualization, to define color ranges for the marker gauge.
If the gauge displays the results of a real-time search, the marker can appear to slide back and forth across the range as the returned value fluctuates over time. If the returned value falls outside of the upper or lower ranges of the marker gauge, the marker appears to vibrate at the upper or lower boundary, as if it is straining to move past the limits of the range.
Marker gauges have display issues with numbers exceeding 3 digits in length. To manage this, you can set up a search that divides a large number by a factor that reduces it to a smaller number. For example, if the value returned is typically in the tens of thousands, set your search so the result is divided by 1000. Then a result of 19,100 becomes 19.1.
You can also deal with large numbers by setting the chart configuration options to return the range as a percentage.
Use the gauge command to set the ranges
You can use the gauge command to set custom ranges for a gauge visualization. The gauge command lets you set the gauge ranges using default colors. The default three colors, in order of the ranges, are green, yellow, and red. With gauge, you indicate the field to track with the gauge. Then add "range values" to the search string to indicate the beginning and end of the range as well as the relative sizes of the color bands within it.
For example, to set up a gauge that tracks a hitcount field value with the ranges 100-119, 120-139, 140-159, 160-179, and 180-200, add this to your search string:
...| gauge hitcount 100 120 140 160 180 200
If you do not include the gauge command in your search, or include it but fail to specify range values, the range values default to these values: 0 30 70 100.
Splunk Enterprise provides a map visualization that lets you plot geographic coordinates as interactive markers on a world map. Searches for map visualizations typically use the geostats search command to plot markers on a map. The geostats command is similar to the stats command, but provides options for zoom levels and cells for mapping. The geostats command generates events that include latitude and longitude coordinates for markers.
This documentation applies to the following versions of Splunk® Light (Legacy): 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6