Splunk Search Command of the Week: chart

This week, let’s chat about chart command.

The chart command is a transforming search command that allows you to put your data into a graphical visualization and like the stats command, the chart command can perform statistical functions such count, avg, min, max, etc. Chart command is going to be most utilized when you have fields that you want to build your chart with that do not involve time. Timechart and chart are similar. However, when you use the timechart command, your charts x-axis value is always going to represent time. With chart command, you can represent the x-axis using the over clause with any field you specify.

Chart in Action

Let’s check out this dataset reviewing the ratings from IMBd on Netflix TV shows and movies.

Over and By Clause

Here’s an example of chart command and the over clause in action.

Figure 1 – Chart command and the over clause

Notice that the x-axis is represented by the Age field. This is a product of using the over clause and letting Splunk know that you want Age to be on the x-axis. The chart command also allows you to manipulate the y-axis by using the by clause.

Here is an example of using the over clause and the by clause together. You can see the chart broken down over Age by IMDb which is the ratings of those movies in that specific age group.

Figure 2 – Chart command and the over clause and by clause

Remove NULL and OTHER

The legend on the right-hand side has all the ratings in different colors. You’ll also see two values you may not necessarily be interested in… NULL and OTHER. Chart and timechart commands automatically filter results to include the ten highest values while the surplus values are grouped into the OTHER category. In this particular search, our results are skewed by the NULL and OTHER values.

To remove the NULL and OTHER values, you will use these two arguments “useother=f & usenull=f”. After applying the useother=f and usenull=f, you get the results you see below. You can see how the data looks better and cleaner without the OTHER and NULL values.

Figure 3 – Remove NULL and OTHER from your chart legend

The Limit Argument

If you want to adjust the number of series that Splunk returns back, use the limit argument. With limit, specify how many values you’d like Splunk to return with. If you want Splunk to return an unlimited amount of values, use limit=0. Let’s take a look at this in action. After applying the limit argument of 20, this is what Splunk brings back.

Figure 4 – Chart command series limit of 20

Next, let’s take a see what an unlimited amount of values looks like.

Figure 5 – Chart command series unlimited

There you have it. Splunk has brought back all of the IMDb ratings associated with the movies in each age group. Now, you’ve seen chart command in action and its visualization options.

Ask the Experts

Our Splunk Search Command of the Week series is created by our Expertise on Demand (EOD) experts. Every day, our team of Splunk certified professionals works with customers through Splunk troubleshooting support, including Splunk search command best practice. If you’re interested in learning more about our EOD service or chat with our team of experts, fill out the form below!

Michael Mims

About

Alex Pallotta

Alex Pallotta joined Kinney Group in 2018 after graduating from the University of Cincinnati. Before joining the Marketing department, Alex gained a holistic view of the business through her time working with the Finance and Sales teams at Kinney. As the Content Marketing Specialist, Alex loves to spread the mission and brand of Kinney Group across all forms of content with the goal of driving demand to our services. In her free time, you'll find Alex delivering sub-par pun jokes, listening to live music, and playing paw-parazzi for her cat, Luna (she wasn't kidding about the pun thing).