Using chart to turn data
The chart command is useful for "turning" data across two dimensions. It is useful for both tables and charts. Let's start with one of our examples from stats:
sourcetype="impl_splunk_gen" error | chart count over logger by user
The resulting table looks like this:
If you look back at the results from stats, the data is presented as one row per combination. Instead of a row per combination, chart generates the intersection of the two fields. You can specify multiple functions, but you may only specify one field each for over and by.
Switching the fields turns the data the other way.
By simply clicking on the chart icon above the table, we can see these results in a chart:
This is a bar chart, with Stack mode set to Stacked, and usenull set to false, like so:
sourcetype="impl_splunk_gen" error | chart usenull=false count over logger by user
chart can also be used to simply turn data, even if the data is non-numerical. For example, say we enter this query:
sourcetype="impl_splunk_gen...
