thanks, it works, just want to ask when use chart and when use table
i tried table sum(price) by date, product not work.

Thanks

"Table" and "Chart" have very specific meanings in Splunk.

If you create a table with the table command, it does not do anything fancy - it doesn't sum, count or do "work". Instead, all it does is tell Splunk which fields (that already exist) you'd like to display.

The chart command is a whole different kind of command. It's related to the timechart, stats and other commands. They "transform" the output entirely, summarizing rows, calculating averages, or otherwise taking X number of events and making a smaller set of Y information out of them.

You often use the two sets of commands together.

As a sort of silly example, if you run

(your search)|chart sum(price) by date,product

You will get the fields (columns) in a certain order with the sum of price last. If you wanted, say, the sum of the price to be the first column, you could rearrange those results with 'table', like

(your search)|chart sum(price) by date,product | table sum(price), date, product

There's better ways to do that, but I thought an example that you can already run would be the most useful. Try changing the order of the items in the table command to see what effect they have.

So to put it all together and specifically answer your comment, when you tried to replace the chart with table, the field you wanted to display sum(price no longer existed, because table can't MAKE a field like that, it it only a way to change HOW a field like that may be displayed.

Does that help?

Happy Splunking!
-Rich

Also, I believe the Splunk education course "Fundamentals I" is free to take for everyone - You should do that! It's a great course, go at your own pace, takes about a work-day's worth of work, but should really help with some of this stuff!

Just go here to the Splunk Education pages, sign up for the course, and start Splunking! (And no, they don't really spam your email or anything). BTW that link seems pretty specifically for the "most recent" Edu page, so it may change if you are reading this post in 2018 or later. In that case, just go to Splunk.com and click the "Education" link in the top right menu.

i registered the free course before but didnt finish within 30day, how can i restart the course?

You can not use stats commands with table you could use |stats sum(price) as price by date product but the products would be in ine column and not in multiple columns, and the chart wouldn’t be right. The trick is if you are going to have a multi-series chart, use chart Or timechart Otherwise, stats will work