View the Events Histogram

The Events Histogram displays data in a segmented graph where the y-axis presents the number of events per bars of time segments in the x-axis. The time range on the x-axis might not match the time range specified in the search query because the start and end times on the x-axis are determined by the event times of the first and last matching events of the search query.

Click the Settings icon () and select either Linear Scale or Log Scale to display the data in your preferred format. You may also select Hide Histogram if you do not wish to display the histogram. As you hover your pointer over the histogram, the bar color directly below the pointer changes and displays a tooltip of the day/date/time of that event range. Click a bar to view event information for a specific time range. Click again to deselect the bar.

Note that some search activities do not require the histogram, and thus it will not be displayed. For example, if you perform an aggregation operation, such as "top" or "bottom," Search will not display the histogram because the Search Results table contains the aggregation of results, not events in a timeline.

How Search builds the histogram

Search progressively builds the histogram as it receives events that match the search settings. If the search needs to scan a large amount of data or a large time period, the histogram displayed initially might refresh multiple times while the search is running. To view the complete histogram of a search, wait until the search has finished running.

Search plots the first one million matching events on the histogram. If a search results exceed one million events, Search displays an informational message. If you need to use the histogram view for event analysis of a search that matches more than one million events, we suggest that you adjust the time range to retrieve fewer than one million events. This will allow you to obtain a complete and meaningful histogram. You can also use a pipeline operator to further refine search results so that the total number of hits is under one million events.

Narrow the scope of the search

If you have a large number of data points or a wide time range, you can see the big, overall picture, but you might not be able to clearly identify specific data points. To narrow the scope of the displayed data, adjust the boundaries of the displayed bars. As you adjust the time range within the Histogram, the Events table displays corresponding events.

Drill down to events

You can drill down to events in a specific time period by clicking the bar on the histogram that represents that time period. The bar you drilled down to is highlighted and the events matching that time period are listed below the histogram. To deselect the time period, click the bar again. When you hover over a histogram bar, the matching events listed below the histogram do not change, and the histogram continues to display all matching events.

If you are performing a real-time search, zooming or clicking in the histogram automatically pauses a real-time search. For additional information about how a real-time search affects histogram behavior, see Create a Real-time Search.