This week, let’s chat about chart command.
The chart command is a transforming search command that allows you to put your data into a graphical visualization and like the stats command, the chart command can perform statistical functions such count, avg, min, max, etc. Chart command is going to be most utilized when you have fields that you want to build your chart with that do not involve time. Timechart and chart are similar. However, when you use the timechart command, your charts x-axis value is always going to represent time. With chart command, you can represent the x-axis using the over clause with any field you specify.
Chart in Action
Let’s check out this dataset reviewing the ratings from IMBd on Netflix TV shows and movies.
Over and By Clause
Here’s an example of chart command and the over clause in action.
Figure 1 – Chart command and the over clause
Notice that the x-axis is represented by the Age field. This is a product of using the over clause and letting Splunk know that you want Age to be on the x-axis. The chart command also allows you to manipulate the y-axis by using the by clause.
Here is an example of using the over clause and the by clause together. You can see the chart broken down over Age by IMDb which is the ratings of those movies in that specific age group.
Figure 2 – Chart command and the over clause and by clause
Remove NULL and OTHER
The legend on the right-hand side has all the ratings in different colors. You’ll also see two values you may not necessarily be interested in… NULL and OTHER. Chart and timechart commands automatically filter results to include the ten highest values while the surplus values are grouped into the OTHER category. In this particular search, our results are skewed by the NULL and OTHER values.
To remove the NULL and OTHER values, you will use these two arguments “useother=f & usenull=f”. After applying the useother=f and usenull=f, you get the results you see below. You can see how the data looks better and cleaner without the OTHER and NULL values.
Figure 3 – Remove NULL and OTHER from your chart legend
The Limit Argument
If you want to adjust the number of series that Splunk returns back, use the limit argument. With limit, specify how many values you’d like Splunk to return with. If you want Splunk to return an unlimited amount of values, use limit=0. Let’s take a look at this in action. After applying the limit argument of 20, this is what Splunk brings back.
Figure 4 – Chart command series limit of 20
Next, let’s take a see what an unlimited amount of values looks like.
Figure 5 – Chart command series unlimited
There you have it. Splunk has brought back all of the IMDb ratings associated with the movies in each age group. Now, you’ve seen chart command in action and its visualization options.
Ask the Experts
Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!
