Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can someone provide the most simple example possible of using the chart command?

rogue_carrot
Communicator
‎08-01-2018 02:59 PM

Hello!

I am reading the documentation here: http://docs.splunk[dot]com/Documentation/Splunk/7.1.2/SearchReference/CommonStatsFunctions

I was hoping that after reading through this I would be able to use some of these functions/commands. I tried to Google to find simpler examples but did not come up with anything. Can someone please provide the most simple example possible of using the chart command?

For instance I am trying to find the number of errors for each month. I have the following search:

host="localhost" sourcetype=alert_DBMS | chart values(date_month)

This does not show anything useful though. Any tips splunk land?

I also have this search which does show a chart but the chart is useless. The chart is shown below in Figure 1. 

host="localhost" sourcetype=alert_DBMS | chart count by date_hour, date_wday

Useless chart returned by my dumb splunk query
Figure 1: Useless chart created with very limited SPL skills

Finally, does anyone have a link to more readable documentation? I think the documentation is info overload with links to more links to more links... a confusing frustrating experience. A Head First type of documentation website would be ideal.

Regards,

rogue_carrot

Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-01-2018 09:32 PM

I'm going to give you what you asked for, but I think you really just need to understand all the different visualizations that are available. Your particular search would be much better off using the basic "timechart" command.

 host="localhost" sourcetype=alert_DBMS | timechart count

if you had more than one value for host (or some other field) you could get multiple lines on a single timechart...

 host=* sourcetype=alert_DBMS | timechart count by host

Now, the commands that can produce good output for making visualizations (various kinds of charts) are :

timechart, which we've shown you above and is useful for a time-based visualization;

stats, which is the first tool in your tool belt, and which can chew up data in pretty much any way you can imagine, and which throws away the underlying events, so anything that you don't explicitly use in the command is GONE;

eventstats, which does the same thing as stats but then adds the relevant results to each event rather than throwing the events away;

streamstats, which uses the same aggregate commands as stats but processes the records in the order they arrive, and only sees what has gone before, and which adds the relevant results to each event rather than throwing the events away;

chart, which produces a matrix by two fields, with the first field named giving the values for each row, and the second field named giving the values for the column.

Notice, the stats family can have any number of by fields, but chart must have only one or two. For timechart you get _time and any number of calculated fields. It also has some other bells and whistles but I don't want to confuse you with that right now.

On to the chart example you asked for.

Here's a simple, run-anywhere search that will produce a decent chart...

| makeresults 
| eval mydata="sam:[oranges,5][bananas,7][grapes,37][apples,19]!!!!david:[oranges,12][grapes,15][pears,19]!!!!olivia:[guanabanas,3][bananas,4][papayas,2][apples,2]" 
| makemv delim="!!!!" mydata 
| mvexpand mydata
| rex field=mydata "^(?<name>\w*):"
| rex field=mydata max_match=0 "\[(?<fruit>\w*,\w*)\]"
| mvexpand fruit
| rex field=fruit "^(?<fruitname>\w*),(?<fruitcount>\w*)$"
| table name fruitname fruitcount
| rename COMMENT as "everything above this just creates test data"

Results 

sam     oranges     5
sam     bananas     7
sam     grapes     37
sam     apples     19
david   oranges    12
david   grapes     15
david   pears      19
olivia  guanabanas  3
olivia  bananas     4
olivia  papayas     2
olivia  apples      2

Now the chart command...

| chart sum(fruitcount) over fruitname by name

Results:

fruitname   david   olivia   sam
apples                  2     19
bananas                 4      7
grapes         15             37
guanabanas              3    
oranges        12              5
papayas                 2    
pears          19

As you can see, the chart command actually produces a particular kind of table, with one field values along the top to label each column, and one along the left side to label each row.

Now, if you want a pie chart, you could do

... how many total fruits each person has...

| stats sum(fruitcount) as totalfruits by name

... how many of each fruit there are...

| stats sum(fruitcount) as totalfruits by fruitname

... how many different fruit each person has

| stats dc(fruitname) as fruittypes by name

... how many different people have each fruit

| stats dc(name) as peoplecount by fruitname

... the highest number of each fruits that any person has

| stats max(fruitcount) as maxcount by fruitname

And any of the above could be switched from a pie chart to a bar chart and will work just fine.

View solution in original post

Reply
Solved! Jump to solution

Shan
Builder
‎08-01-2018 09:37 PM

@ rogue_carrot 

| gentimes start=06/23/2014 end=07/23/2014 increment=1d  | chart eval(sum(starttime)/max(endtime)) as calculation max(starttime) min(starttime)   BY starthuman

I believe you have already taken look into below url. If not please take a look into it .. And let me know what functionality in this chart you need to us in your query .. So i can help you 🙂 .

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Chart

0 Karma
Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎08-14-2018 03:22 PM

Thank-you for providing an example. I copy and pasted your SPL into my Splunk instance and was surprised that some results were returned. Your SPL is way over my head... Something simpler would be very appreciated.

0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-01-2018 09:32 PM

I'm going to give you what you asked for, but I think you really just need to understand all the different visualizations that are available. Your particular search would be much better off using the basic "timechart" command.

 host="localhost" sourcetype=alert_DBMS | timechart count

if you had more than one value for host (or some other field) you could get multiple lines on a single timechart...

 host=* sourcetype=alert_DBMS | timechart count by host

Now, the commands that can produce good output for making visualizations (various kinds of charts) are :

timechart, which we've shown you above and is useful for a time-based visualization;

stats, which is the first tool in your tool belt, and which can chew up data in pretty much any way you can imagine, and which throws away the underlying events, so anything that you don't explicitly use in the command is GONE;

eventstats, which does the same thing as stats but then adds the relevant results to each event rather than throwing the events away;

streamstats, which uses the same aggregate commands as stats but processes the records in the order they arrive, and only sees what has gone before, and which adds the relevant results to each event rather than throwing the events away;

chart, which produces a matrix by two fields, with the first field named giving the values for each row, and the second field named giving the values for the column.

Notice, the stats family can have any number of by fields, but chart must have only one or two. For timechart you get _time and any number of calculated fields. It also has some other bells and whistles but I don't want to confuse you with that right now.

On to the chart example you asked for.

Here's a simple, run-anywhere search that will produce a decent chart...

| makeresults 
| eval mydata="sam:[oranges,5][bananas,7][grapes,37][apples,19]!!!!david:[oranges,12][grapes,15][pears,19]!!!!olivia:[guanabanas,3][bananas,4][papayas,2][apples,2]" 
| makemv delim="!!!!" mydata 
| mvexpand mydata
| rex field=mydata "^(?<name>\w*):"
| rex field=mydata max_match=0 "\[(?<fruit>\w*,\w*)\]"
| mvexpand fruit
| rex field=fruit "^(?<fruitname>\w*),(?<fruitcount>\w*)$"
| table name fruitname fruitcount
| rename COMMENT as "everything above this just creates test data"

Results 

sam     oranges     5
sam     bananas     7
sam     grapes     37
sam     apples     19
david   oranges    12
david   grapes     15
david   pears      19
olivia  guanabanas  3
olivia  bananas     4
olivia  papayas     2
olivia  apples      2

Now the chart command...

| chart sum(fruitcount) over fruitname by name

Results:

fruitname   david   olivia   sam
apples                  2     19
bananas                 4      7
grapes         15             37
guanabanas              3    
oranges        12              5
papayas                 2    
pears          19

As you can see, the chart command actually produces a particular kind of table, with one field values along the top to label each column, and one along the left side to label each row.

Now, if you want a pie chart, you could do

... how many total fruits each person has...

| stats sum(fruitcount) as totalfruits by name

... how many of each fruit there are...

| stats sum(fruitcount) as totalfruits by fruitname

... how many different fruit each person has

| stats dc(fruitname) as fruittypes by name

... how many different people have each fruit

| stats dc(name) as peoplecount by fruitname

... the highest number of each fruits that any person has

| stats max(fruitcount) as maxcount by fruitname

And any of the above could be switched from a pie chart to a bar chart and will work just fine.

Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎08-14-2018 03:18 PM

Thank-you for providing the in-depth answer. I went through it and learned some stuff. I was hoping for even simpler ways to use the chart command but I think you have some useful examples.

Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...