XYSERIES & UNTABLE Command In Splunk

XYSERIES & UNTABLE Command In Splunk

 Hi Guys!!!
Today we have come up with two new interesting commands, i.e. “xyseries” and “untable”.
Now, you might get amazed that why we are talking about two commands together.
Don’t worry. Soon, you will understand the purpose.

Let’s start with the first command, i.e. “xyseries

XYSERIES: –

Usage of xyseries command: 
This command is ideal for graphical visualization with multiple fields, 
basically with the help of this command you can make your result set in
a tabular format, which is suitable for graphical representation.

Syntax of xyseries command:

 |xyseries [grouped=<bool>] <x-field> <y-name-field> <y-data-field>... 
  [sep=<string>] [format=<string>]
x-field: The first field listed is the column, the x-axis field. 
y-name-field: The second field , it’s values will become the new columns.
y-data-field: The third field listed, it  will be the data values 
              in the table for the new fields you created. 

Example: 1

Let’s, start with a query without “xyseries” command, then with “xyseries” command, so that you will understand how the command is changing the visualization of the result set.

index=_internal sourcetype=splunkd_ui_access
| stats count by method,status

1

Explanation: 

In the above query “_internal” is the index and “splunkd_ui_access” is the sourcetype. With “stats” command we have used two fields “method” and “status” which is giving us the count of unique combination of values from method and status field.

Now, in the same query we will show you, how “xyseries” command will change the result set of the same query, which will be suitable for graphical representation. So, let’ see,

index=_internal sourcetype=splunkd_ui_access
| stats count by method,status
| xyseries method,status,count

2

Explanation: –

Here, we have used “method” as x-field, so you can see that the “method” field is present in the first column.
We have used “status” as y-name-field, so you can see that each value “status” field is now new columns.
We have used “count” as the y-data-field, so you can see that, the values of “count” field is giving the count of each unique combination of values from “method” and “status” field.
In other words, we can say, “xyseries” command changed the visualization of the previous query in a charting format.

You can also know about :  Usage of Splunk Commands : MVEXPAND

Example: 2

In, this example, we will show you how we can use two y-data fields.
First, we will show without “xyseries” command, then with “xyseries” command, so that you will understand how the command is changing the visualization of the result set.

index=_internal sourcetype=splunkd_ui_access
| stats count count(eval(user="admin")) as "user_count" by method,status

3

Explanation:

In the above query “_internal” is the index and “splunkd_ui_access” is the sourcetype.
With stats command we are taking the eventcount grouped by “method” and “status” field and the count of user “admin” grouped by “method” and “status” field. As a result we are getting four fields, i.e. method, status, count, user_count.
Now, the last two field i.e. “count” and “user_count” as the y-data field with “xyseries” command. So, let’s see,

index=_internal sourcetype=splunkd_ui_access
| stats count count(eval(user="admin")) as "user_count" by method,status
| xyseries method status count user_count

4

Explanation: –

Here, we have used “method” as x-axis field, so you can see that the “method” field is present in the first column.
We have used “status” as y-axis field, so you can see that each value “status” field is now new columns. But, you can see some other fields like “count” and “user_count” with “status” field values.
eg: “count:200” or “user_count:200” etc.
This is because, we have used two fields “count” and “user_count” as y-data field and each values of status field has created different columns with “count” field and “user_count” field.

You can also know about :  Types of Command in Splunk - Splunk Visualization Commands

UNTABLE: –

Usage of “untable” command:
1. Untable command can convert the result set from tabular format
   to a format similar to “stats” command.
2. This command can also be the reverse of the “xyseries”
   [Now, you guys can understand right, why we are mentioning 
    “xyseries” and “untable” commands together]

Syntax of “untable” command:

| untable <x-field> <y-name-field> <y-data-field>
x-field: The first field listed is the column, the x-axis field. 
y-name-field: The second field , the values of this field will  be used as 
              labels for the data series.
y-data-field: The third field listed, field that contains the data to be 
              charted

So, let’s see,

Example: 1

Let’s, start with a query without “untable” command, then with “untable” command, so that you will understand the changes clearly.

index=_internal sourcetype=splunkd_ui_access
| top method

5

Explanation:

In the above query “_internal” is the index and “splunkd_ui_access” is the sourcetype.
Top command will give the “count” and “percentage” of “method” field values in descending order in “count” and “percent” field respectively.
Now, we use “untable” command in the query to see the changes.

6

Explanation:

Here, we have used method as x-axis field.
We have used “calculation” as y-axis-name-field which contains two values i.e. “count” and “percent” because top command has given “count” and “percent”.
We have used “value” as the y-data-field which contains corresponding values for the combination of “method” and “calculation” field.

You can also know about :  Usage of Splunk commands : CONVERT

Example: 2

Here, we will use the same example shown for “xyseries” command in [Example: 1], so that you can easily understand how “untable” command can be the reverse for “xyseries” command.

index=_internal sourcetype=splunkd_ui_access
| stats count by method,status
| xyseries method,status,count
| untable method,status,count

7

As, you can see we have used “method” as x- field, “status” as y-name-field and “count” as y-data-field. It has changed converted the charting format of result set again to the format of stats output. [Similar to image: 1]

[Note: Please check the image: 1 and image: 2 to see the result set of “xyseries” command to compare].

Hope you have understood how to use xyseries and untable command in Splunk.

Happy Splunking !!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.