Can someone provide the most simple example possible of using the chart command?

rogue_carrot
Communicator

Hello!

I am reading the documentation here: http://docs.splunk[dot]com/Documentation/Splunk/7.1.2/SearchReference/CommonStatsFunctions

I was hoping that after reading through this I would be able to use some of these functions/commands. I tried to Google to find simpler examples but did not come up with anything. Can someone please provide the most simple example possible of using the chart command?

For instance I am trying to find the number of errors for each month. I have the following search:

host="localhost" sourcetype=alert_DBMS | chart values(date_month) 

This does not show anything useful though. Any tips, Splunk land?

I also have this search which does show a chart but the chart is useless. The chart is shown below in Figure 1.

host="localhost" sourcetype=alert_DBMS | chart count by date_hour, date_wday

Figure 1: Useless chart created with very limited SPL skills

Finally, does anyone have a link to more readable documentation? I think the documentation is info overload with links to more links to more links... a confusing frustrating experience. A Head First type of documentation website would be ideal.

Regards,

rogue_carrot

1 Solution

DalJeanis
Legend

I'm going to give you what you asked for, but I think you really just need to understand all the different visualizations that are available. Your particular search would be much better off using the basic "timechart" command.

 host="localhost" sourcetype=alert_DBMS | timechart count

If you had more than one value for host (or some other field), you could get multiple lines on a single timechart...

 host=* sourcetype=alert_DBMS | timechart count by host

Now, the commands that can produce good output for making visualizations (various kinds of charts) are:

timechart, which we've shown you above and is useful for a time-based visualization;

stats, which is the first tool in your tool belt, and which can chew up data in pretty much any way you can imagine, and which throws away the underlying events, so anything that you don't explicitly use in the command is GONE;

eventstats, which does the same thing as stats but then adds the relevant results to each event rather than throwing the events away;

streamstats, which uses the same aggregate commands as stats but processes the records in the order they arrive, and only sees what has gone before, and which adds the relevant results to each event rather than throwing the events away;

chart, which produces a matrix by two fields, with the first field named giving the values for each row, and the second field named giving the values for the column.

Notice that the stats family can have any number of by fields, but chart must have only one or two. For timechart you get _time and any number of calculated fields. It also has some other bells and whistles, but I don't want to confuse you with that right now.

On to the chart example you asked for.


Here's a simple, run-anywhere search that will produce a decent chart...

| makeresults 
| eval mydata="sam:[oranges,5][bananas,7][grapes,37][apples,19]!!!!david:[oranges,12][grapes,15][pears,19]!!!!olivia:[guanabanas,3][bananas,4][papayas,2][apples,2]" 
| makemv delim="!!!!" mydata 
| mvexpand mydata
| rex field=mydata "^(?<name>\w*):"
| rex field=mydata max_match=0 "\[(?<fruit>\w*,\w*)\]"
| mvexpand fruit
| rex field=fruit "^(?<fruitname>\w*),(?<fruitcount>\w*)$"
| table name fruitname fruitcount
| rename COMMENT as "everything above this just creates test data"

Results

sam     oranges     5
sam     bananas     7
sam     grapes     37
sam     apples     19
david   oranges    12
david   grapes     15
david   pears      19
olivia  guanabanas  3
olivia  bananas     4
olivia  papayas     2
olivia  apples      2

Now the chart command...

| chart sum(fruitcount) over fruitname by name

Results:

fruitname   david   olivia   sam
apples                  2     19
bananas                 4      7
grapes         15             37
guanabanas              3    
oranges        12              5
papayas                 2    
pears          19               

As you can see, the chart command actually produces a particular kind of table, with one field's values along the top to label each column, and one along the left side to label each row.


Now, if you want a pie chart, you could do

... how many total fruits each person has...

| stats sum(fruitcount) as totalfruits by name

... how many of each fruit there are...

| stats sum(fruitcount) as totalfruits by fruitname

... how many different fruits each person has

| stats dc(fruitname) as fruittypes by name

... how many different people have each fruit

| stats dc(name) as peoplecount by fruitname

... the highest number of each fruit that any person has

| stats max(fruitcount) as maxcount by fruitname 

And any of the above could be switched from a pie chart to a bar chart and will work just fine.

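Tying this back to the original question (errors per month), here is an added run-anywhere search that is not from the thread: the first block builds constructed test data (the hosts, severities and timestamps are all made up), and the rest uses eventstats, stats and chart together to show what share of each month's alerts were errors, per host. To run it on real alerts, replace the test-data lines with a search such as `host=* sourcetype=alert_DBMS`, assuming your events carry a severity field with that name.

```spl
| makeresults count=300
| eval _time=relative_time(now(), "-" . tostring(random() % 120) . "d")
| eval severity=mvindex(split("ERROR,WARN,INFO", ","), random() % 3)
| eval host=mvindex(split("db01,db02", ","), random() % 2)
| eval month=strftime(_time, "%Y-%m")
| rename COMMENT as "everything above this just creates test data: 300 alerts spread over about four months"
| eventstats count as month_total by month
| rename COMMENT as "eventstats keeps every event and attaches the month total to each, so the filter below can still run"
| where severity="ERROR"
| stats count as errors, max(month_total) as month_total by month, host
| rename COMMENT as "stats collapses to one row per month/host; month_total is constant within a month, so max() just carries it through"
| eval error_pct=round(100 * errors / month_total, 1)
| chart max(error_pct) over month by host
| rename COMMENT as "chart pivots that into a matrix: months down the side, hosts across the top, ready for a bar or line chart"
```

For a plain count of errors per month and host on a real time axis, `| where severity="ERROR" | timechart span=1mon count by host` is the timechart equivalent.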

Shan
Builder

@rogue_carrot

| gentimes start=06/23/2014 end=07/23/2014 increment=1d  | chart eval(sum(starttime)/max(endtime)) as calculation max(starttime) min(starttime)   BY starthuman

I believe you have already taken a look at the URL below. If not, please take a look at it, and let me know what functionality in this chart you need to use in your query, so I can help you 🙂.

http://docs.splunk.com/Documentation/Splunk/7.1.2/SearchReference/Chart

rogue_carrot
Communicator

Thank you for providing an example. I copied and pasted your SPL into my Splunk instance and was surprised that some results were returned. Your SPL is way over my head... Something simpler would be very appreciated.

rogue_carrot
Communicator

Thank you for providing the in-depth answer. I went through it and learned some stuff. I was hoping for even simpler ways to use the chart command, but I think you have some useful examples.
