Difference between stats and chart (2024)

Let's compare with two examples:

  1. * | stats sum(x) by user, host, status will output rows that look like:

     user   host   status   sum(x)
     ---------------------------------------
     bob    host1  200      25
     bob    host1  404      12
     bob    host2  404      3
     alice  host1  200      17
     alice  host2  500      1

  2. But * | chart sum(x) over user by status will output quite different rows that look like:

     user   200   404   500
     ---------------------------------------
     bob    25    15
     alice  17          1

Note that the first example incorporates data about the "host" field, whereas the second one does not. We'll come back to this.

In more formal terms, stats sum(x) by user, host, status will create one row for each combination of user, host and status that are present in the data. Then for each of those rows it will also compute whatever statistic(s) or function(s) you tell it (here it's just sum(x)).

On the other hand, the chart command will create rows that are each of the values of the single "group by" field, and COLUMNS that are each of the values of the "split by" field. (btw, you can sort of think of the timechart command as chart locked into using _time as the "group-by" field, although the reality is a little more complex)

Some Interesting Upshots

  1. Note that you can specify any number of "group by" fields to the stats command, whereas the chart/timechart command can only have one "group by" (with timechart it is always _time) and one "split by". This is why our first example was able to incorporate the "host" field easily whereas the second example did not.

  2. This creates a concept of a "stats style" result set, versus a "chart style" result set. I say "style" because I mean it looks like the output of the given command, even if it didn't necessarily come from that command. i.e. | inputlookup foo might well emerge blinking into the light of your browser and be a "chart style" set. This has some implications that you get used to, like "filling in last known values" in a stats-style set is generally done with the streamstats command, whereas doing the same thing with chart-style results is more often done with the filldown command.

  3. The stats command will throw away any events where one or more of the "group" by fields does not exist. If you want it to keep them, you have to use an explicit fillnull command. The chart/timechart commands will likewise throw away events where the single "group by" field doesn't exist, but it will actually roll up all the null values of the "split by" field into a big column called "NULL" which you can fiddle with and/or suppress with various arguments.

  4. You can always transform your results from a "stats style" result set to the "chart style" with the xyseries command. e.g. xyseries foo bar baz, or if you will xyseries groupByField splitByField computedStatistic.

  5. Going the other way, you can transform your results from a "chart style" result set to the "stats style" with the untable command. e.g. | untable foo bar baz, or labeling the fields, | untable groupByField splitByField computedStatistic.

  6. Following from this, | xyseries foo bar baz | untable foo bar baz negates itself and so is a fun way to do nothing at all. 😃

  7. As you might guess from the runaway bullet points here, this is a deep topic. Not uncommonly a single search might start out doing things in one style, because it needs to use eval in a certain way, and then switch it all over to the other style because it needs to do some other thing that needs "chart-style" rows.

Other things that are a little confusing.

-- You can also use the chart command with no split-by field specified at all, and in such cases it behaves identically to the stats command. e.g. stats count by foo is exactly the same as chart count over foo. So some people think of "chart" as being an alias to "stats" when actually it's quite important and does things nothing else can.

-- The chart command also allows you to express it as chart count by foo, bar which looks a lot like the stats syntax. HOWEVER, chart recognizes the first field foo as the "group by" field, thus becoming the output rows, and the second field is recognized as the "split by" field, becoming the column names across the top. To avoid this confusion I recommend avoiding the chart count by foo, bar syntax entirely, and instead try and do chart count over foo by bar. It's a bit more verbose but it will help new users avoid this confusion. (random trivia: it was actually me that lobbied for the "over" syntax, as a result of which it got snuck into a 4.X release)

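As an added illustration of the numbered points in the answer above (this is Python written for this page, not Splunk code and not from the original poster), the block below emulates the result-set shapes that stats, chart, xyseries and untable produce over a constructed list of web-access-style events. The field names user, host, status and x follow the answer; the function names, the sample events and the "NULL" column label are assumptions made here (the label matches chart's default nullstr). The two deliberately irregular events at the end, one with no host and one with no status, are where the stats and chart routes part company.

```python
"""Emulate the result-set shapes of Splunk's stats, chart, xyseries and untable commands.

Added illustration code, not Splunk code: each function models the behaviour the answer
describes (stats-style rows vs chart-style rows, null handling, the xyseries/untable
round trip) over a constructed list of events. Field names user/host/status/x follow
the answer; everything else (function names, the "NULL" column label) is an assumption
made here.
"""

# Constructed sample events. The first five reproduce the answer's two tables; the last
# two are deliberately irregular: one has no host, one has no status.
POST_EVENTS = [
    {"user": "bob",   "host": "host1", "status": "200", "x": 25},
    {"user": "bob",   "host": "host1", "status": "404", "x": 12},
    {"user": "bob",   "host": "host2", "status": "404", "x": 3},
    {"user": "alice", "host": "host1", "status": "200", "x": 17},
    {"user": "alice", "host": "host2", "status": "500", "x": 1},
]
EXTRA_EVENTS = [
    {"user": "eve",   "status": "403", "x": 9},      # no host field
    {"user": "alice", "host": "host1", "x": 4},      # no status field
]
EVENTS = POST_EVENTS + EXTRA_EVENTS


def stats_sum(events, field, by):
    """stats sum(<field>) by <by...>: one row per distinct combination of the by-fields.
    Events missing any by-field are discarded, as point 3 of the answer describes."""
    sums = {}                                   # dict order = first-seen order
    for ev in events:
        if any(f not in ev for f in by):
            continue
        key = tuple(ev[f] for f in by)
        sums[key] = sums.get(key, 0) + ev[field]
    return [dict(zip(by, key), **{f"sum({field})": total}) for key, total in sums.items()]


def chart_sum(events, field, over, by):
    """chart sum(<field>) over <over> by <by>: one row per value of the group-by field,
    one column per value of the split-by field. Events missing the group-by field are
    dropped; a missing split-by value is rolled into a column named "NULL"."""
    rows = {}
    for ev in events:
        if over not in ev:
            continue
        row = rows.setdefault(ev[over], {over: ev[over]})
        col = ev.get(by, "NULL")
        row[col] = row.get(col, 0) + ev[field]
    return list(rows.values())


def xyseries(rows, group_field, split_field, value_field):
    """stats-style -> chart-style. One row per group value, one column per split value.
    This toy does not aggregate: feed it one row per (group, split) pair, as stats does."""
    table = {}
    for r in rows:
        row = table.setdefault(r[group_field], {group_field: r[group_field]})
        row[str(r[split_field])] = r[value_field]
    return list(table.values())


def untable(table, group_field, split_field, value_field):
    """chart-style -> stats-style. Every filled cell becomes one row; empty cells produce
    nothing, which is why xyseries followed by untable returns the original rows."""
    return [
        {group_field: r[group_field], split_field: col, value_field: val}
        for r in table
        for col, val in r.items()
        if col != group_field
    ]


def fillnull(events, field, value="NULL"):
    """Explicit fillnull: give events a value for a missing field so stats keeps them."""
    return [dict(ev, **{field: ev.get(field, value)}) for ev in events]


def columns(table, group_field):
    """Column names of a chart-style table, in first-seen order."""
    seen = []
    for r in table:
        for c in r:
            if c != group_field and c not in seen:
                seen.append(c)
    return seen


def render(table, group_field):
    """Print a chart-style table the way the statistics tab would lay it out."""
    cols = [group_field] + columns(table, group_field)
    print("  ".join(f"{c:>6}" for c in cols))
    for r in table:
        print("  ".join(f"{str(r.get(c, '')):>6}" for c in cols))


if __name__ == "__main__":
    # Point 1: stats can carry host; chart over user by status has no room for it.
    for r in stats_sum(EVENTS, "x", ["user", "host", "status"]):
        print(r)
    render(chart_sum(EVENTS, "x", "user", "status"), "user")
    # Points 4-6: xyseries | untable is a no-op on a stats-style set.
    rows = stats_sum(EVENTS, "x", ["user", "status"])
    assert untable(xyseries(rows, "user", "status", "sum(x)"), "user", "status", "sum(x)") == rows
    # Point 3: stats silently drops the event with no status; chart keeps it under "NULL".
    # Only after an explicit fillnull does the stats | xyseries route match chart.
    filled = stats_sum(fillnull(EVENTS, "status"), "x", ["user", "status"])
    assert xyseries(filled, "user", "status", "sum(x)") == chart_sum(EVENTS, "x", "user", "status")
```

The last comparison is the one worth remembering when a detection search counts by a field that is not always present (a status or a host that some sources omit): the stats route drops those events with no warning, the chart route surfaces them as a NULL column, and only an explicit fillnull makes the two agree.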
What is the difference between stats and chart?

Use the stats command when you want to specify 3 or more fields in the BY clause. Use the chart command when you want to create results tables that show consolidated and summarized calculations.

What is a chart in Splunk?

Line charts: Display data in a plot with data points connected by a series of straight lines. Area charts: Display in a plot similar to a line chart, except that the area below the line is filled. Column charts: Also known as bar charts.

What are eventstats in Splunk?

The SPL2 eventstats command generates summary statistics from fields in your events and saves those statistics into a new field. The eventstats command places the generated statistics in a new field that is added to the original raw events.

What are streamstats in Splunk?

The streamstats command is another statistical command in Splunk that is used to perform real-time statistical analysis on event streams.

What is a chart in statistics?

A statistical graph or chart is a visual display of a data set, making it easier to understand and interpret the data. Statistical graphs or charts summarize data, identify trends and patterns, compare data sets, aid in decision-making, and increase data availability.

What is a mean chart in statistics?

The mean or x-bar chart measures the central tendency of the process, whereas the range chart measures the dispersion or variance of the process.

What is the purpose of a chart?

The main functions of a chart are to display data and invite further exploration of a topic. Charts are used in situations where a simple table won't adequately demonstrate important relationships or patterns between data points.

How to use the stats command in Splunk?

Getting Started with the Splunk tstats Command
  1. Aggregation Functions: Choose an appropriate aggregation function, such as count, sum, avg, min, or max, based on your analysis needs.
  2. Fields and Time Field: Specify the fields you want to analyze and the time field over which you want to aggregate data.
(Sep 30, 2023)

Is Splunk a graph database?

With Splunk, you can analyze and investigate security incidents, detect anomalies in real-time and get notified so you can be proactive in your responses. As mentioned in an earlier article about graph analytics, many data sources in Splunk allow us to build a graph that describes the relationship between entities.

What is the difference between stats and transaction commands in Splunk?

Stats provides the aggregation. Transaction provides the unique number / count, as when you perform 10 steps as part of one transaction.

What is the limit of eventstats?

By default, eventstats can aggregate up to 50,000 events at a time. You can change this limit with the MaxNoOfAggregatedEvents parameter.

What are the three default roles in Splunk?

The predefined roles are:
  - admin: This role has the most capabilities.
  - power: This role can edit all shared objects and alerts, tag events, and other similar tasks.
  - user: This role can create and edit its own saved searches, run searches, edit preferences, create and edit event types, and other similar tasks.

What is the difference between stats and streamstats?

In short, streamstats calculates over a sliding window and eventstats over all values. Stats calculates aggregate statistics over the dataset, similar to SQL aggregation. If called without a by clause, one row is produced, which represents the aggregation over the entire incoming result set.

What are 2 features of Splunk?

It can be deployed on-premises or in the cloud via the Splunk Cloud Platform. Key features include data visualization, performance metrics, data collection, real-time search, indexing, KPI tracking, reporting and monitoring.

How to use eval in stats Splunk?

You can embed eval expressions and functions within any of the stats functions. This is a shorthand method for creating a search without using the eval command separately from the stats command. For example, the following search uses the eval command to filter for a specific error code.

What is the difference between stats and statistics?

A statistic is the descriptor of a set of sample data. Statistics is the broader concept of the process of designing, comparing, interpreting, and analyzing data.

What is the difference between graph and chart in statistics?

A graph is a chart that shows the mathematical relationship between varied data sets by plotting horizontal (X-axis) and vertical (Y-axis) values. A chart represents information as a diagram, table, or graph. It comprises various methods for presenting large amounts of information. All graphs are charts.

Which is better, stats or Calc?

If you plan to study engineering, physics, or mathematics in college, taking AP Calculus will be more beneficial as it's a prerequisite for many college-level courses in these fields. If you're leaning towards social sciences, psychology, business, or data-focused fields, AP Statistics might be more applicable.

How is a run chart different from a statistical control chart?

A control chart is similar to a run chart in so far as it plots a measurement over time. However, control charts are based upon a more in-depth statistical analysis of the data and thus have some different features from a run chart.

Article information

Author: The Hon. Margery Christiansen