Let's compare with two examples:
* | stats sum(x) by user, host, statuswill output rows that look like:See AlsoStatistical and charting functions - Splunk Documentationchart - Splunk DocumentationUse the stats command and functionsSearch commands > stats, chart, and timechart | Splunkuser host status sum(x) --------------------------------------- bob host1 200 25 bob host1 404 12 bob host2 404 3 alice host1 200 17 alice host2 500 1
2) But * | chart sum(x) over user by status will output quite different rows that look like.
user 200 404 500 --------------------------------------- bob 25 15 alice 17 1Note that the first example incorporates data about the "host" field, whereas the second one does not. We'll come back to this.
In more formal terms, stats sum(x) by user, host, status will create one row for each combination of user, host and status that are present in the data. Then for each of those rows it will also compute whatever statistic(s) or function(s) you tell it (here it's just sum(x)).
On the other hand, the chart command, will create rows that are each of the values of the single "group by" field, and COLUMNS that are each of the values of the "split by" field. (btw the timechart command you can sort of think of chart that is locked into using _time as the "group-by" field, although the reality is a little more complex)
Some Interesting Upshots
Note that you can specify any number of "group by" fields to the stats command, whereas the chart/timechart command can only have one "group by" (with timechart it is always _time) and one "split by". This is why our first example was able to incorporate the "host" field easily whereas the second example did not.
This creates a concept of a "stats style" result set, versus a "chart style" result set. I say "style" because I mean it looks like the output of the given command, even if it didn't necessarily come from that command. ie
|inputlookup foomight well emerge blinking into the light of your browser and be a "chart style" set. This has some implications that you get used to, like "filling in last known values" in a stats-style set is generally done with thestreamstatscommand, whereas doing the thing with chart-style results is more often done with thefilldowncommand.The stats command will throw away any events where one or more of the "group" by fields does not exist. If you want it to keep them, you have to use an explicit fillnull command. The chart/timechart commands will likewise throw away events where the single "group by" field doesn't exist, but it will actually roll up all the null values of the "split by" field into a big column called "NULL" which you can fiddle with and/or suppress with various arguments.
You can always transform your results from a "stats style" result set to the "chart style" with the xyseries command. eg
xyseries foo bar baz, or if you willxyseries groupByField splitByField computedStatistic.Going the other way, you can transform your results from a "chart style" result set to the "stats style" with the untable command. eg
| untable foo bar baz, or labeling the fields,| untable groupByField splitByField computedStatistic.Following from this,
| xyseries foo bar baz | untable foo bar baznegates itself and so is a fun way to do nothing at all. 😃As you might guess from the runaway bullet points here, this is a deep topic. Not uncommonly a single search might start out doing things in one style, because it needs to use eval in a certain way, and then switch it all over to the other style because it needs to do some other thing that needs "chart-style" rows.
Other things that are a little confusing.
-- You can also use chart command with no split-by field specified at all, and in such cases it behaves identically to the stats command. eg stats count by foo is exactly the same as chart count over foo. So some people think of "chart" as being an alias to "stats" when actually it's quite important and does things nothing else can.
-- The chart command also allows you to express it as chart count by foo, bar which looks a lot like the stats syntax. HOWEVER, chart recognizes the first field foo as the "group by" field, thus becoming the output rows, and the second field is recognized as the "split by" field, becoming the column names across the top. To avoid this confusion I recommend avoiding the chart count by foo bar syntax entirely, and instead try and do chart count over foo by bar. It's a bit more verbose but it will help new users avoid this confusion. (random trivia: it was actually me that lobbied for the "over" syntax as a result of which it got snuck into a 4.X release)
View solution in original post
