Splunk SPL Commands

What Is the chart Command?

The chart command creates tabular output with one field as the row axis and optionally another as the column split — producing multi-dimensional summaries. Unlike timechart, you control which field serves as the X-axis, making it ideal for non-time-based comparisons.

Core Syntax

| chart <function>(<field>) OVER <row-field> [BY <column-field>]

The OVER clause defines the row grouping (X-axis). The optional BY clause splits results into columns (series).

Security Operations Examples

1. HTTP Status Codes by URI Path

index=web sourcetype=access_combined
| chart count OVER uri_path BY status
| sort - 200

2. Alert Severity Distribution by Source (NIST SI-4)

Map alert volumes by source and severity to prioritize SIEM tuning efforts for NIST 800-53 SI-4 (System Monitoring).

index=notable
| chart count OVER source BY urgency

3. Authentication Methods by Department

index=security sourcetype=WinEventLog:Security EventCode=4624
| lookup department_lookup user AS Account_Name OUTPUT department
| chart count OVER department BY Logon_Type

4. Bandwidth Consumption by Application

index=network sourcetype=paloalto:traffic
| chart sum(bytes) AS total_bytes OVER app BY action
| eval total_MB = round(total_bytes / 1048576, 2)

chart vs. timechart

Use chart when your X-axis is not time — for example, comparing across hosts, users, departments, or categories. Use timechart when time is the primary axis.

Advanced Patterns

Nested Aggregation with eval

index=security sourcetype=WinEventLog:Security
| eval event_category = case(
    EventCode==4624, "Logon Success",
    EventCode==4625, "Logon Failure",
    EventCode==4648, "Explicit Credentials",
    1==1, "Other")
| chart count OVER event_category BY ComputerName limit=10

Using span with chart

| chart count OVER response_time span=100 BY status

When the OVER field is numeric, span creates histogram-style buckets.
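To make the OVER/BY shape, the span bucketing and the limit/OTHER folding concrete, here is a small Python model of `| chart count OVER <row> BY <col> [span=N] [limit=K]` run over constructed sample events. It is an added example, not Splunk code or part of the original page; the field names, the lexical column order and the tie-break for limit are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample web-access events (not real data); field names are assumptions.
EVENTS = [
    {"uri_path": "/login", "response_time": 12, "status": "200"},
    {"uri_path": "/login", "response_time": 87, "status": "200"},
    {"uri_path": "/api", "response_time": 150, "status": "200"},
    {"uri_path": "/api", "response_time": 240, "status": "500"},
    {"uri_path": "/login", "response_time": 199, "status": "404"},
    {"uri_path": "/api", "response_time": 305, "status": "500"},
    {"uri_path": "/admin", "response_time": 99, "status": "404"},
    {"uri_path": "/admin", "response_time": 310, "status": "200"},
]


def chart_count(events, over, by, span=None, limit=None):
    """Model of `| chart count OVER <over> BY <by> [span=N] [limit=K]`.

    Returns (column_names, rows). Each row is a dict keyed by the OVER field
    plus one key per BY value; empty cells are filled with 0 as chart does.
    span:  if given, the numeric OVER field is bucketed into [k*span, (k+1)*span).
    limit: keep the K BY values with the largest totals; the rest fold into OTHER.
    """
    cells = defaultdict(Counter)   # row key -> Counter(column -> count)
    totals = Counter()             # column -> overall count, used by limit
    for ev in events:
        row = ev[over]
        if span is not None:
            row = (row // span) * span   # lower edge of the histogram bucket
        cells[row][ev[by]] += 1
        totals[ev[by]] += 1
    cols = sorted(totals)                # assumption: split-by columns ordered lexically
    if limit is not None and len(cols) > limit:
        # top-K by total; ties broken lexically (assumption, for determinism)
        keep = set(sorted(totals, key=lambda c: (-totals[c], c))[:limit])
        folded = [c for c in cols if c not in keep]
        for counter in cells.values():
            other = sum(counter.pop(c, 0) for c in folded)
            if other:
                counter["OTHER"] += other
        cols = sorted(keep) + ["OTHER"]   # OTHER lands in the last column
    rows = []
    for key in sorted(cells):
        label = f"{key}-{key + span}" if span is not None else key
        rows.append({over: label, **{c: cells[key].get(c, 0) for c in cols}})
    return cols, rows


if __name__ == "__main__":
    for cols, rows in (chart_count(EVENTS, "uri_path", "status"),
                       chart_count(EVENTS, "response_time", "status", span=100, limit=2)):
        print(cols)
        for r in rows:
            print(r)
```

The second call reproduces the span example above with a limit added: response times fall into 100 ms buckets and the least frequent status column is folded into OTHER.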

Best Practices

  • Use OVER for the primary grouping — The OVER field becomes your X-axis in visualizations.
  • Limit cardinality with limit — for example, | chart count OVER src_ip BY dest_port limit=5 keeps charts readable.
  • Combine with where post-chart — Filter aggregated results to focus on significant data points.
  • Pre-filter aggressively — Chart can be resource-intensive with high-cardinality fields.

Next in the series: The eventstats command — adding aggregate context to individual events.
