
Using chart to turn data

The chart command is useful for turning data across two dimensions. It is useful for both tables and charts. Let's start with one of our examples from stats:

sourcetype="tm1*" error | chart count over date_month by date_wday

The resulting table looks like this:

If you look back at the results from stats, the data is presented as one row per combination. Instead of a row per combination, chart generates the intersection of the two fields. You can specify multiple functions, but you may only specify one field each for over and by.

Switching the fields (by rearranging our search statement a bit) turns the data the other way.
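The difference between the stats layout and the chart layout, and the effect of switching the over and by fields, can be seen in a small model of the transformation. This Python sketch is an added example, not Splunk's implementation or code from the book; the sample events and the function names stats_count and chart_count are constructed for illustration, and filling empty intersections with 0 is an assumption of the model.

```python
from collections import Counter

# Constructed sample: (date_month, date_wday) of events matching "error".
EVENTS = [
    ("march", "monday"), ("march", "monday"), ("march", "tuesday"),
    ("april", "monday"), ("april", "friday"), ("april", "friday"),
    ("april", "friday"),
]
FIELD_INDEX = {"date_month": 0, "date_wday": 1}


def stats_count(events):
    """Model of `stats count by date_month date_wday`: one row per combination."""
    counts = Counter(events)
    return [{"date_month": m, "date_wday": d, "count": c}
            for (m, d), c in sorted(counts.items())]


def chart_count(events, over, by):
    """Model of `chart count over <over> by <by>`: one row per `over` value,
    one column per `by` value, each cell holding the count at the intersection."""
    o, b = FIELD_INDEX[over], FIELD_INDEX[by]
    counts = Counter((e[o], e[b]) for e in events)
    rows = sorted({key[0] for key in counts})
    cols = sorted({key[1] for key in counts})
    # Assumption of this model: intersections with no events are shown as 0.
    return [{over: r, **{c: counts.get((r, c), 0) for c in cols}} for r in rows]


def show(title, table):
    """Print a list of row dicts as a simple pipe-separated table."""
    headers = list(table[0])
    print(title)
    print(" | ".join(headers))
    for row in table:
        print(" | ".join(str(row[h]) for h in headers))
    print()


if __name__ == "__main__":
    show("stats count by date_month date_wday", stats_count(EVENTS))
    show("chart count over date_month by date_wday",
         chart_count(EVENTS, "date_month", "date_wday"))
    # Switching the two fields turns the table the other way.
    show("chart count over date_wday by date_month",
         chart_count(EVENTS, "date_wday", "date_month"))
```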

By simply clicking on the Visualization tab (to the right of the Statistics tab), we can see these results in a chart:

This is an Area chart, with particular format options set. Within the chart area, you can click on Area to change the chart type (Line, Area, Column, Bar, and so on) or Format to change the format options (Stack, Null Values, Multi-series Mode, and Drilldown).

Chart types are pretty self-explanatory, so let's go ahead and take a look at the (chart) Format options. These options are grouped as:

  • General: Under General, you can set the Stack Model (which indicates how Splunk will display your chart columns for different series: alongside each other or as a single column), determine how to handle Null Values (you can leave gaps for null data points, connect to zero data points, or just connect to the next positive data point), set the Multi-series mode (Yes or No), and turn Drilldown on or off (active or inactive).
  • X-Axis: This is mostly visual. You can set a custom title, allow truncation of label captions, and set the rotation of the text for your chart labels.
  • Y-Axis: Here you can set not just a custom title, but also the scale (linear or log), the interval, and the min and max values.
  • Chart Overlay: Here you can set the following options:
    • Overlay: Select a field to show as an overlay.
    • View as Axis: Select On to map the overlay to a second Y-axis.
    • Title: Specify a title for the overlay.
    • Scale: Select Inherit, Linear, or Log. Inherit uses the scale for the base chart. Log provides a logarithmic scale, useful for minimizing the display of large peak values.
    • Interval: Enter the units between tick marks in the axis.
    • Min Value: The minimum value to display. Values less than the Min Value do not appear on the chart.
    • Max Value: The maximum value to display. Values greater than the Max Value do not appear on the chart.
  • Legend: Finally, under Legend, you can set Position (where to place the legend in the visualization, or whether to leave it out) and Truncation (how to represent names that are too long to display).

Keep in mind that, depending on your search results and the visualization options that you select, you may or may not get a usable result. Some experimentation with the various options is recommended.