About transforming commands and searches
To create charts visualizations, your search must transform event data into statistical data tables. These statistical tables are required for charts and other kinds of data visualizations. This section discusses how to use transforming commands to transform event data.
This section describes the major categories of transforming commands and provides examples of how they can be used in a search.
Transforming commands
The primary transforming commands are:
chart
: creates charts that can display any series of data that you want to plot. You can decide what field is tracked on the x-axis of the chart.timechart
: used to create "trend over time" reports, which means that_time
is always the x-axis.top
: generates charts that display the most common values of a field.rare
: creates charts that display the least common values of a field.stats
: generates a report that display summary statistics.
See Transforming commands in the Search Reference to learn more.
Note: As you will see in the following examples, you always place your transforming commands after your search commands, linking them with a pipe operator ( | ).
The chart
, timechart
, and stats
commands are all designed to work with statistical functions. The list of available statistical functions includes:
- count, distinct count
- mean, median, mode
- min, max, range, percentiles
- standard deviation, variance
- sum
- first occurrence, last occurrence
For more information about statistical functions, see Statistical and charting functions in the Search Reference. Some statistical functions only work with the timechart
command.
Note: All searches with transforming commands generate specific data structures. The different chart types require these data structures to be set up in particular ways. For example, not all searches that enable you to generate bar, column, line, and area charts can be used to generate pie charts. See Data structure requirements for visualizations in the Dashboard and Visualizations manual to learn more.
Table, chart, and report examples
The following examples use transforming commands to create tables, charts, and reports:
- Create time based charts
- Create charts that are not (necessarily) time-based
- Create reports that display summary statistics
- Build a chart of multiple data series
Real-time reporting
You can use real-time search to calculate metrics in real time on large incoming data flows without the use of summary indexing. However, because you are reporting on a live and continuous stream of data, the timeline will update as the events stream in and you can only view the table or chart in preview mode. Also, some search commands will be more applicable (for example, streamstats and rtorder) for use in real-time. See About real-time searches and reports.
See also
Change the format of subsearch results | Create time-based charts |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12
Feedback submitted, thanks!