Add metadata to a schema, necessary for rendering as a chart.
## Synopsis

```
chart line [-x|--x-axis <fields>] [-y|--y-axis <field>]
chart area [-x|--x-axis <fields>] [-y|--y-axis <field>]
chart bar  [-x|--x-axis <fields>] [-y|--y-axis <field>]
chart pie  [--name <field>] [--value <fields>]
```
## Description

The `chart` operator adds attributes to the schema of the input events that guide the rendering of the data as a chart. The operator does no rendering itself.
### `<fields>`

The `fields` option value is either the name of a single field or a comma-separated list of multiple field names, e.g., `foo,bar,baz`.
### `-x|--x-axis <fields>`

Sets the field used for the X-axis. Values in this field must be strictly increasing (sorted in ascending order, without duplicates) when creating a `line` or `area` chart, or unique when creating a `bar` chart. Defaults to the first field in the schema.
### `-y|--y-axis <field>`

Sets the fields used for the Y-axis. Defaults to every field but the first one.
Controls how the values are grouped when rendered as a chart. Possible values are `grouped` and `stacked`. Defaults to `grouped`.
### `--name <field>`

Sets the field used for the names of the segments. Values in this field must be unique. Defaults to the first field in the schema.
### `--value <fields>`

Sets the fields used for the value of a segment. Defaults to every field but the first one.
## Examples

Render the most common `src_ip` values in `suricata.flow` events as a bar chart:

```
export
| where #schema == "suricata.flow"
| top src_ip
/* -x and -y default to `src_ip` and `count` */
| chart bar
```
Render historical import throughput statistics as a line chart:

```
metrics
| where #schema == "tenzir.metrics.operator"
| where source == true
| summarize bytes=sum(output.approx_bytes) by timestamp resolution 1s
| sort timestamp desc
| chart line -x timestamp -y bytes
```
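The X-axis rules and axis defaults described above can be checked before events reach `chart`. The following Python pre-flight check is an added example, not code from Tenzir or its documentation; the function names and the sample events are constructed for illustration.

```python
"""Pre-flight check for the `chart` operator's X-axis rules, using its default
axis selection. Added example, not Tenzir code; names and samples are constructed."""
from datetime import datetime, timedelta


def resolve_axes(schema_fields, x=None, y=None):
    """Apply the documented defaults: X is the first schema field, Y every
    field but the first. `x`/`y` are comma-separated lists as on the CLI."""
    if not schema_fields:
        raise ValueError("schema has no fields")
    x_fields = x.split(",") if x else [schema_fields[0]]
    y_fields = y.split(",") if y else list(schema_fields[1:])
    unknown = [f for f in x_fields + y_fields if f not in schema_fields]
    if unknown:
        raise ValueError(f"field(s) not in schema: {unknown}")
    return x_fields, y_fields


def x_axis_problems(values, chart_type):
    """Violations of the X-axis rule for `chart_type`: strictly increasing
    for line/area, unique for bar (pie segment names must be unique as well)."""
    problems = []
    if chart_type in ("line", "area"):
        for i in range(1, len(values)):
            if not values[i] > values[i - 1]:
                problems.append(f"index {i}: {values[i - 1]!r} -> {values[i]!r} not increasing")
    elif chart_type in ("bar", "pie"):
        seen = set()
        for i, v in enumerate(values):
            if v in seen:
                problems.append(f"index {i}: duplicate value {v!r}")
            seen.add(v)
    else:
        raise ValueError(f"unknown chart type {chart_type!r}")
    return problems


def check_events(events, chart_type, x=None, y=None):
    """Resolve the axes from the first event's fields and validate each X column."""
    x_fields, _ = resolve_axes(list(events[0]), x, y)
    return [f"{f}: {p}" for f in x_fields
            for p in x_axis_problems([e[f] for e in events], chart_type)]


if __name__ == "__main__":
    # Constructed sample resembling the output of `top src_ip` above.
    top = [{"src_ip": "10.0.0.1", "count": 42}, {"src_ip": "10.0.0.2", "count": 17}]
    print(check_events(top, "bar"))  # []
    series = [{"timestamp": datetime(2024, 1, 1) + timedelta(seconds=s), "bytes": 100 * s}
              for s in (2, 1, 0)]  # descending timestamps violate the line-chart rule
    print(check_events(series, "line", x="timestamp", y="bytes"))  # two violations
```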