Search commands – chart and timechart

The chart command aggregates data, providing output in tabular format which can then be used for a visualization. Visualizing data is critical to end user analysis, which makes chart a very important command. Notice that if you run the following search query, its output is identical to that of the equivalent stats command:

SPL> index=main | chart count by http_method 

For basic purposes, you can use stats and chart interchangeably. However, there are differences in how stats and chart group data together, and it will be up to you to determine which one produces your intended result. To show the differences, here are some examples:

SPL> index=main | stats count by http_method http_uri

You can see the result in the following screenshot:

Following is another example:

SPL> index=main | chart count by http_method http_uri 

You can see the result in the following screenshot:

Using the stats command, the data was presented as a list where all values were in a single column. The chart command, however, places values in cells defined by a row/column location. This is the way to set up the output for graphing on X/Y coordinates, where there are multiple axes on visualizations such as bar and line charts.
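To make the row/column difference concrete, the following added Python example (not code from the book or from Splunk) emulates what stats count by and chart count by do to the same events. The event list is constructed sample data standing in for index=main, and the function names are assumptions chosen for illustration; the zero-filling of empty cells mirrors what chart does for count.

```python
from collections import Counter, defaultdict

# Constructed sample events standing in for index=main (not real Splunk data).
EVENTS = [
    {"http_method": "GET", "http_uri": "/home"},
    {"http_method": "GET", "http_uri": "/home"},
    {"http_method": "GET", "http_uri": "/login"},
    {"http_method": "POST", "http_uri": "/login"},
    {"http_method": "POST", "http_uri": "/cart"},
    {"http_method": "DELETE", "http_uri": "/cart"},
]


def stats_count_by(events, *fields):
    """Emulate `stats count by f1 f2 ...`: one row per distinct
    combination of field values, with the count in a single column."""
    counts = Counter(tuple(e.get(f) for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in sorted(counts.items())]


def chart_count_by(events, row_field, col_field):
    """Emulate `chart count by row_field col_field`: the first field
    becomes the rows, the second becomes the columns, and every
    row/column cell holds a count (zero when no event matched)."""
    grid = defaultdict(Counter)
    for e in events:
        grid[e.get(row_field)][e.get(col_field)] += 1
    columns = sorted({col for row in grid.values() for col in row})
    table = [
        {row_field: row_value, **{col: grid[row_value][col] for col in columns}}
        for row_value in sorted(grid)
    ]
    return columns, table


if __name__ == "__main__":
    # stats: a flat list, one row per (http_method, http_uri) pair
    for row in stats_count_by(EVENTS, "http_method", "http_uri"):
        print(row)
    # chart: a matrix, one row per http_method, one column per http_uri
    columns, table = chart_count_by(EVENTS, "http_method", "http_uri")
    print("columns:", columns)
    for row in table:
        print(row)
```

The stats output has five rows and a single count column; the chart output has three rows (one per http_method) and one column per http_uri, which is exactly the shape a bar or line chart needs for its X and Y axes.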

The timechart command, on the other hand, creates a time series output with statistical aggregation of the indicated fields. This command is widely used when creating different types of charts where one axis of the visualization is time. The most common use of timechart is for examining the trends of metrics over time for visualizations including line charts, column charts, bar charts, and area charts, among others:

SPL> index=main earliest=-4h latest=now | timechart span=15m count by http_uri

An important option that is part of the timechart command is span. The span determines how the data is grouped based on time. span=15m means it will aggregate the data into 15-minute increments.

The statistical result of the command looks like this:

Although admittedly the preceding data looks dull, this very information, when viewed in the Visualizations tab, looks much more interesting, as seen in the following screenshot. There will be more on creating dashboard panels and dashboards in Chapter 6, Data Models and Pivot Reporting:

Tip From the Fez: When presenting visualizations using the timechart command, Splunk will limit the number of distinct output values to the default of 10, and group remaining results into an 11th data element of OTHER. Adding limit=0 after the timechart command will force Splunk to present all distinct output values.
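The following added Python example (not code from the book or from Splunk) emulates the two timechart behaviours described above: bucketing events into span-sized time intervals, and keeping only the top N series while folding the rest into OTHER, with limit=0 keeping every series. The timestamped events are constructed sample data, the function names are assumptions, and the ranking of series by total count (ties broken by name) is an assumption chosen so the output is deterministic.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def _t(minute):
    # Constructed timestamps on a single morning (not real Splunk data)
    return datetime(2024, 1, 1, 10, minute, tzinfo=timezone.utc)


EVENTS = [
    {"_time": _t(0), "http_uri": "/home"},
    {"_time": _t(3), "http_uri": "/home"},
    {"_time": _t(14), "http_uri": "/login"},
    {"_time": _t(15), "http_uri": "/login"},
    {"_time": _t(29), "http_uri": "/cart"},
    {"_time": _t(47), "http_uri": "/admin"},
    {"_time": _t(50), "http_uri": "/home"},
]


def bucket_start(ts, span):
    """Floor a timestamp to the start of its span bucket (e.g. span=15m)."""
    epoch = int(ts.timestamp())
    width = int(span.total_seconds())
    return datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)


def timechart_count_by(events, split_field, span, limit=10):
    """Emulate `timechart span=<span> count by <split_field>`.

    limit=10 mirrors the default: the ten largest series are kept and
    everything else is summed into an OTHER column. limit=0 keeps all."""
    grid = defaultdict(Counter)
    totals = Counter()
    for e in events:
        value = e[split_field]
        grid[bucket_start(e["_time"], span)][value] += 1
        totals[value] += 1

    # Assumed ranking: series by total count, ties broken by name
    ranked = sorted(totals, key=lambda v: (-totals[v], v))
    kept = ranked if limit == 0 else ranked[:limit]
    folded = [v for v in ranked if v not in kept]
    columns = sorted(kept) + (["OTHER"] if folded else [])

    # timechart emits a row for every bucket in the range, even empty ones
    rows = []
    bucket, last = min(grid), max(grid)
    while bucket <= last:
        counts = grid.get(bucket, Counter())
        row = {"_time": bucket}
        for col in sorted(kept):
            row[col] = counts[col]
        if folded:
            row["OTHER"] = sum(counts[v] for v in folded)
        rows.append(row)
        bucket += span
    return columns, rows


if __name__ == "__main__":
    span = timedelta(minutes=15)
    for limit in (0, 2):
        columns, rows = timechart_count_by(EVENTS, "http_uri", span, limit=limit)
        print(f"limit={limit} columns={columns}")
        for row in rows:
            print(row)
```

With limit=0 every http_uri gets its own column and the empty 10:30 bucket still appears as a row of zeros; with limit=2 only /home and /login survive as named series, and /cart and /admin are summed into OTHER, which is the effect the tip above warns about when more than ten distinct values exist.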