Treemap

Treemap

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Create a treemap query

To generate a treemap, write a query that returns events in the correct data format.

Query syntax

To generate a treemap visualization, use this query syntax.

... | stats <stats_function>(<metric_field>) [<stats_function>(<color_field>)] by <parent_category_field> <child_category_field>


Query components

A treemap query includes the following components.

metric_field

  • Required
  • Determines rectangle size.
  • Indicates which field to use for the metric in each event. For example, the data might include a cost field for each expense event.


color_field

  • Optional
  • Determines the rectangle color.
  • If not specified, the parent category determines rectangle color. Each parent category gets a different color in this case.
  • If specified, two cases are possible.
    • If a category field is used, then a categorical color scale is applied to the treemap.
    • If a non-categorical field is used, then a linear numerical color scale is applied to the treemap.


parent_category_field

  • Required
  • Use the field that indicates parent category in each event. For example, the data might include an expense_group field to indicate an expense category.


child_category_field

  • Required
  • Use the field that indicates the child category in each event. For example, the data might include an expense_subgroup field to indicate a particular expense type.


Search result data formatting

The treemap query syntax returns results in a table with multiple columns. Columns represent data for rectangle parent and child categories, size, and color.

Check the Statistics tab after running a query to make sure that the results table includes the correct columns in the required order.

Results table columns

First Second Third Fourth
Parent category Child category Rectangle size Rectangle color


Query example

Here is part of a query tracking files and directories.

... | stats sum(size) as size by parent_directory, child_directory

The query generates a results table with columns for the parent_directory, child_directory, and size fields. An optional color field is left out.

Custom viz treemap results table.png

Last modified on 12 August, 2016
PREVIOUS
Treemap installation
  NEXT
Treemap components

This documentation applies to the following versions of Treemap: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.5.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters