chart

where <field>, <field1>, <field2> are the names of the field that you want to chart. The fields can be either event fields available in the Logger schema or a user-defined fields created using the rex or eval operator prior in the query.

<time> is the bucket size for grouping events. Use d for day, h for hour, m for minute, s for seconds. For example, 2h, 5d, 1m. (See Usage Notes for details.)

<function> is one of these: count, sum, avg (or mean), min, max, stdev, percN

<new_column_name> is the name you want to assign to the column in which the function’s results are displayed. For example, Total.

ID Note:

Deprecated: The following deprecated usage contains “_count”. The recommended usage, as shown above, is “count”.

                ...| chart _count by <field1> <field2> <field3> ...

By default, a column chart is displayed. Other chart types you can select from are: bar chart, line chart, donut chart, area chart, stacked column, or stacked bar.

To change the chart settings (including its type), click

in the upper right corner of the Result Chart frame of the screen. You can change these settings:

All chart commands except “count by” accept only one field in the input. The specified field must contain numeric values.

If multiple fields are specified, separate the field names with a white space or a comma.

You can click on a charted value to quickly filter down to events with specific field values. For more information, see Chart Drill Down.

The perc<N> function returns the <N> percentile. <N> can be a number between 0 and 100, inclusive.

...| chart perc by field list" (with no specified <N>) returns all results generated by ...| chart count by field list.

...| chart perc50 by field list returns the median value of all the results generated by ...| chart count by field list.

...| chart perc90 by field list returns the 90 percentile value of all the results generated by ...| chart count by field list.

The percentile value is derived based on the increasing order of the field values. The derived value of string fields rely on alphabetical order (ASCII value).

Note: Aggregation functions only work on numeric fields. The specified fields must contain numeric values. If a field you specify is of the wrong data type, you will receive an error message like the following: "java.lang.NumberFormatException".

If an aggregation function such as count, sum, or avg is specified, a chart of the aggregated results is displayed along with the tabular results of the aggregation operation in a Results Table. For example, for the aggregation function sum(deviceCustomNumber1), the sum_deviceCustomNumber1 column in the Results Table displays the sum of unique values of the deviceCustomNumber1 field.

If this field had two unique values 1 and 20, occurring 2 times each, the sum_deviceCustomNumber1 column displays the sum of those two values.

Note: When a chart displays too many events, it can be difficult to read. Therefore, the number of events returned is limited to 500 by default. If you need to change that default number, please contact Customer Support.

You can include multiple functions in the same chart command. When doing so, separate each function with a comma, as shown in this example:

When you include multiple functions, one column per function is displayed in the search Results Table. The Results Chart, however, plots the chart for the field specified in the “by” clause.

You can use the “as new_column_name” clause to name any column resulting from the aggregation functions, as shown in this example:

Once defined, the newly defined column can be used in the pipeline as any other field. For example,

When you export the search results of a chart operator, the newly defined column name (using the chart function as new_column_name command) is preserved.

A multi-series chart can plot the values of multiple aggregation functions in a single chart. If you include multiple aggregation functions in a chart command, Logger generates a multi-series chart that plots the values of the specified aggregation functions along the Y-axis, as illustrated in Example Two. Multi-series charts can be any of the chart types except donuts. For example, you can choose to plot a multi-series chart as a stacked chart—Stacked column or Stacked Bar—in which multiple values are plotted in a stack form.

In addition to grouping events by the Logger schema fields (or the ones defined by the rex or eval operators), the span function provides an additional way to group events by a time field (such as EventTime or deviceReceiptTime) and a time bucket. In the following example, deviceReceiptTime is the time field and 5m (5 minutes) is the time bucket:

If a time field is not specified for the span function, EventTime is used as the default. For example, the following query uses EventTime by default:

By default, the chart command displays the first 10 unique values. If the span function creates more than 10 unique groups, not all of them will be displayed. If you want to view all of the unique groups, increase the Display Limit value under Chart Settings. (Click the upper right corner of the Result Chart frame of the screen.)

Grouping with span is useful in situations when you want to find out the number of occurrences in a specific time span.

If you want to find out the total number of incoming bytes every 5 minutes on a device, you can specify a span of 5m, as shown in this example:

The above example assumes that deviceCustomNumber1 field provides the incoming bytes information for these events.

The span field can be used for grouping in conjunction with or without the event fields that exist in Logger schema or user-defined fields using the rex or eval operators. When a span field is specified in conjunction with an event field, the unique sets of all those fields is used for grouping. The following example uses deviceCustomNumber3 and deviceAddress in conjunction with span to find out the number of events (using deviceCustomNumber3) from a specific source (using deviceAddress) in one hour:

When span is included in a query, search results are grouped by the specified time bucket. For example, if span=5m, the search results will contain one row for each 5-minute span. If there are no events within a specific 5-minute span, that row will be empty.

Additionally, the span function assumes a 24-hour day, all year long. If span=1d or 24h, on the day of daylight savings time change, the event time indicated by the span_eventTime field in the search results will be different from the previous day by one hour. On the day when there are 23 hours in a day (in March), the span bucket will still include events from the last 24 hours. Similarly, on the day when there are 25 hours in the day (in November), the span bucket will include events from the last 24 hours.

Use the default chart setting (Column Chart) to specify multiple fields. In this example, a count of unique groups of deviceEventCategory and name fields is displayed and plotted.

Include average and sum in a chart command, to generate a multi-series chart that plots the values of these functions along the Y-axis in a single chart. You can display a multi-series chart as a stacked chart—Stacked column or Stacked Bar—in which multiple values are plotted in a stack, by changing the Chart Settings.