chart
Description
Returns results in table format.
Syntax
| chart <functions-expression> ["," <functions-expression>] [BY <row-split><column-split>] | [OVER <row-split>] [BY <column-split>]
Required Arguments
At least one of the functions must be used:
Parameter | Syntax | Description |
---|---|---|
count | count or count(<field>) | Calculates the number of events containing the field. If the field is not specified, calculates the total number of events. |
values | values(<field>) | Calculates an array of unique values for a given field. |
avg | avg(<field>) | Calculates the average value for a given field. |
dc | dc(<field>) | Calculates the number of unique values in a given field. |
earliest | earliest(<field>) | Calculates the value of the field for the earliest event. An optional second parameter can be used for the field name with a timestamp. Default is @timestamp. |
first | first(<field>) | Calculates the first value for a given field. |
last | last(<field>) | Calculates the last value for a given field. |
latest | latest(<field>) | Calculates the field value for the latest event. An optional second parameter can be used for the field name with a timestamp. Default is @timestamp. |
list | list(<field>) | Calculates an array of all values for a given field. |
max | max(<field>) | Calculates the maximum value for a given field. |
min | min(<field>) | Calculates the minimum value for a given field. |
range | range(<field>) | Calculates the difference between the maximum and minimum values for a given field. |
stdev | stdev(<field>) | Calculates the standard deviation for a given field. |
sum | sum(<field>) | Calculates the sum of values for a given field. |
Optional Arguments
Parameter | Syntax | Default | Description |
---|---|---|---|
row-split | <field> | | The name of the field that becomes the first column in the result table. The values of this field become the row values in the result table. |
column-split | <field> | | The name of the field whose values are used for the column headers in the result table. |
Query Examples
Example 1
The query returns the results for values(user), values(message) for each value of the age and host fields. The age field values are distributed across the rows, and the host field values are used as column headers:
...
| chart values(user), values(message) by age, host
Example 2
The query returns the results for values(user), values(message) for each value of the age and host fields. The age field values are distributed across the rows, and the host field values are used as column headers:
...
| chart values(user), values(message) over age by host
Example 3
The query returns the result for max(age) for each value of the message field:
...
| chart max(age) by message
Example 4
The query returns the result for max(age):
...
| chart max(age)
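The shape of the result table produced by the row-split and column-split in Examples 2 and 3, shown as an added Python emulation that is not the product's own code. The events are constructed, and the single-column name `max(age)`, the `None` for empty cells, the sorted `values` output and the skipping of events that lack a used field are assumptions.

```python
from collections import defaultdict

# Constructed sample events using the field names from the examples above.
EVENTS = [
    {"user": "alice", "age": 30, "host": "web01", "message": "login"},
    {"user": "bob", "age": 30, "host": "web02", "message": "login"},
    {"user": "carol", "age": 41, "host": "web01", "message": "logout"},
    {"user": "alice", "age": 30, "host": "web01", "message": "logout"},
    {"user": "dave", "age": 41, "host": "web01"},  # no "message" field
]

# Subset of the functions table, each applied to the list of field values
# collected for one cell. Sorting the values() output is an assumption.
FUNCTIONS = {
    "count": len,
    "dc": lambda vals: len(set(vals)),
    "values": lambda vals: sorted(set(vals)),
    "list": list,
    "max": max,
    "min": min,
    "sum": sum,
}


def chart(events, func, field, row_split, column_split=None):
    """Emulate `chart func(field) over row_split [by column_split]`."""
    cells = defaultdict(list)
    for ev in events:
        needed = [field, row_split] + ([column_split] if column_split else [])
        if any(name not in ev for name in needed):
            continue  # assumption: events missing a used field are skipped
        # Without a column-split there is one column, named after the function.
        col = ev[column_split] if column_split else f"{func}({field})"
        cells[(ev[row_split], col)].append(ev[field])
    rows = sorted({r for r, _ in cells})
    cols = sorted({c for _, c in cells})
    table = []
    for r in rows:
        row = {row_split: r}  # first column holds the row-split value
        for c in cols:
            # assumption: a row/column pair with no events is shown as None
            row[c] = FUNCTIONS[func](cells[(r, c)]) if (r, c) in cells else None
        table.append(row)
    return table


if __name__ == "__main__":
    for line in chart(EVENTS, "values", "user", "age", "host"):
        print(line)
```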