About transforming commands and searches

To create charts and visualizations, your search must transform event data into statistical data tables. These statistical tables are required for charts and other kinds of data visualizations.

This section describes the major categories of transforming commands and provides examples of how use transforming commands to transform event data.

Transforming commands

The primary transforming commands are:

  • chart: Creates charts that can display any series of data that you want to plot. You can decide what field is tracked on the x-axis of the chart.
  • timechart: Creates "trends over time" reports, which means that _time is always the x-axis.
  • top: Generates charts that display the most common values of a field.
  • rare: Creates charts that display the least common values of a field.
  • stats: Generates a report that display summary statistics.

See Transforming commands in the Search Reference to learn more.

Note: As you will see in the following examples, you always place your transforming commands after your search commands, linking them with a pipe operator ( | ).

The chart, timechart, and stats commands are all designed to work with statistical functions. The list of available statistical functions includes:

  • count, distinct count
  • mean, median, mode
  • min, max, range, percentiles
  • standard deviation, variance
  • sum
  • first occurrence, last occurrence

For more information about statistical functions, see Statistical and charting functions in the Search Reference. Some statistical functions only work with the timechart command.

Note: All searches with transforming commands generate specific data structures. The different chart types require these data structures to be set up in particular ways. For example, not all searches that enable you to generate bar, column, line, and area charts can be used to generate pie charts. See Data structure requirements for visualizations in the Dashboard and Visualizations manual to learn more.

Real-time reporting

You can use a real-time search to calculate metrics in real time on large incoming data flows without the use of summary indexing. However, because you are reporting on a live and continuous stream of data, the timeline will update as the events stream in and you can only view the table or chart in preview mode. Also, some search commands will be more applicable (for example, streamstats and rtorder) for use in real-time. See About real-time searches and reports.