Hi @anna,

The chart, timechart, xyseries, and tstats commands all produce output suitable for a run chart, depending on our source events.

The chart and timechart commands bin _time into spans automatically or using the span size we specify:

index=web sourcetype=access_common
| chart limit=0 usenull=false count over _time span=1h by status

index=web sourcetype=access_common
| timechart limit=0 span=1h usenull=false count by status

Note that the timechart command pads the results with empty bins spanning our search time range. To remove extraneous bins, set the fixedrange argument to false:

| timechart fixedrange=false limit=0 span=1h usenull=false count by status

The xyseries command first requires binning _time using the bin command and then aggregating status values using the stats command. Like the chart and timechart commands, the bin command bins the target field into spans automatically or using the span size we specify; however, the stats command does not generate empty bins. We use the makecontinuous command after the xyseries command to add missing _time bins:

index=web sourcetype=access_common
| bin _time span=1h
| stats count by _time status
| xyseries _time status count
| makecontinuous _time
| fillnull value=0

The tstats command is similar to the stats command but works with indexed fields or terms and data models. We can pipe the output through either the timechart command or the xyseries command to group events by status over _time.

| tstats prestats=true count from datamodel=Web.Web by _time Web.status
| rename Web.* as *
| timechart limit=0 span=1h usenull=false count by status

Like the chart and timechart commands, the tstats command normally bins _time into spans automatically or using the span size we specify; however, when using a datamodel without the prestats argument, specify a span:

| tstats count from datamodel=Web.Web by _time span=1h Web.status
| rename Web.* as *
| xyseries _time status count
| makecontinuous _time
| fillnull value=0

If the status field is indexed, the tstats command can reference it directly:

| tstats prestats=true count where index=web sourcetype=iis by _time sc_status
| rename sc_status as status
| timechart limit=0 span=1h usenull=false count by status

If the status field and value appear in _raw as a key-value pair not separated by a major breaker, we can use the PREFIX() directive to access the status value as if it were indexed.

Given events like the following:

Nov 23 12:00:00 my_server my_app[1234]: c_ip=192.0.2.1 request="GET /favicon.ico" status=500 bytes=1024

we can execute:

| tstats prestats=true count where index=web sourcetype=access_common by _time PREFIX(status=)
| rename status= as status
| timechart limit=0 span=1h usenull=false count by status

The prestats argument in these examples instructs the tstats command to produces results suitable for the chart, stats, and timechart commands. The prestats argument is not required, but it allows subsequent commands to work as they would following other generating commands. The most common generating command is the search command, which we use implicitly in every search that doesn't begin with a pipe.

We can find more information on breakers, the tstats command, and the PREFIX() directive in the Splunk documentation.

Irrespective of the method used to count events, we can add a total field by piping the results through the addtotals command:

index=web sourcetype=access_common
| timechart limit=0 span=1h usenull=false count by status
| addtotals fieldname="total requests"

We can filter status values while retaining a total request count in two (or more!) ways: 1) group status values before aggregating or 2) filter status values after aggregating.

We can use the eval and appendpipe commands to group status values and calculate total requests over _time:

index=web sourcetype=access_common
| eval status=if(status>=400, status, "other")
| bin _time span=1m
| stats count by _time status
| appendpipe
[| stats sum(count) as count by _time
| eval status="total requests" ]
| where status!="other"
| xyseries _time status count
| fillnull value=0

We can use the untable command to filter status values after aggregating:

index=web sourcetype=access_common
| timechart limit=0 span=1h usenull=false count by status
| addtotals fieldname="total requests"
| untable _time status count
| where status>=400 OR status=="total requests"
| xyseries _time status count
| makecontinuous _time
| fillnull value=0

The makecontinuous command isn't required following the timechart command, but it's included here as a failsafe.

As @gcusello  and @PickleRick noted, we use the Line Chart visualization to produce a run chart and then save the visualization to a new or existing dashboard. We can also create the Line Chart directly using the classic and Dashboard Studio editors.

All of the examples used above produce a chart similar to the following (shown in log scale):

In the Simple XML Line Chart visualization, the points on the lines and the legend entries are drill-down targets. We can access the status value using the click.name2 token and the context-sensitive time range using the earliest and latest tokens:

<form version="1.1" theme="light">
  <label>Drilldown Example</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Volumes</title>
      <chart>
        <search>
          <query>index=web sourcetype=access_common
| timechart limit=0 span=1h usenull=false count by status
| addtotals fieldname="total requests"
| untable _time status count
| where status>=400 OR status=="total requests"
| xyseries _time status count
| makecontinuous _time 
| fillnull value=0</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisTitleX.text">t</option>
        <option name="charting.axisTitleY.text">#</option>
        <option name="charting.axisY.scale">log</option>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">all</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <link target="_blank">search?q=index%3Dweb%20sourcetype%3Daccess_common%20status%3D%22$click.name2$%22&amp;earliest=$earliest$&amp;latest=$latest$</link>
        </drilldown>
      </chart>
    </panel>
  </row>
</form>

Clicking the "total requests" series will generate the following search, which will return no results:

index=web sourcetype=access_common status="total requests"

We can handle this case using condition elements within the drilldown element:

<drilldown>
  <condition match="$click.name2$ == &quot;total requests&quot;">
    <link target="_blank">search?q=index%3Dweb%20sourcetype%3Daccess_common%20status%3D*&amp;earliest=$earliest$&amp;latest=$latest$</link>
  </condition>
  <condition match="$click.name2$ != &quot;total requests&quot;">
    <link target="_blank">search?q=index%3Dweb%20sourcetype%3Daccess_common%20status%3D%22$click.name2$%22&amp;earliest=$earliest$&amp;latest=$latest$</link>
  </condition>
</drilldown>

Clicking the "total requests" series will now generate the following search:

index=web sourcetype=access_common status=*

Note that using a custom link target allows us to use any of the example searches shown above assuming the underlying events share the same index and source type. Data models, tags, default search indexes, and other configuration techniques can help standardize or simplify our approach to searching data.

Dashboard Studio (not shown) provides similar functionality; however, conditional drilldowns to custom URLs are not supported.

(Thank you for coming to my TED Talk. Disclaimer: Not a TED Talk. I hope this was helpful! I write these responses as an exercise for myself as well.)