Difference between stats and chart (2024)

Let's compare with two examples:

  1. * | stats sum(x) by user, host, status will output rows that look like:

     user    host    status   sum(x)
     ---------------------------------------
     bob     host1   200      25
     bob     host1   404      12
     bob     host2   404      3
     alice   host1   200      17
     alice   host2   500      1

  2. But * | chart sum(x) over user by status will output quite different rows that look like:

     user    200   404   500
     ---------------------------------------
     bob     25    15
     alice   17          1

Note that the first example incorporates data about the "host" field, whereas the second one does not. We'll come back to this.

In more formal terms, stats sum(x) by user, host, status will create one row for each combination of user, host and status that are present in the data. Then for each of those rows it will also compute whatever statistic(s) or function(s) you tell it (here it's just sum(x)).

On the other hand, the chart command will create rows that are each of the values of the single "group by" field, and COLUMNS that are each of the values of the "split by" field. (btw the timechart command you can sort of think of as chart that is locked into using _time as the "group-by" field, although the reality is a little more complex)

Some Interesting Upshots

  1. Note that you can specify any number of "group by" fields to the stats command, whereas the chart/timechart command can only have one "group by" (with timechart it is always _time) and one "split by". This is why our first example was able to incorporate the "host" field easily whereas the second example did not.

  2. This creates a concept of a "stats style" result set, versus a "chart style" result set. I say "style" because I mean it looks like the output of the given command, even if it didn't necessarily come from that command. ie |inputlookup foo might well emerge blinking into the light of your browser and be a "chart style" set. This has some implications that you get used to, like "filling in last known values" in a stats-style set is generally done with the streamstats command, whereas doing the thing with chart-style results is more often done with the filldown command.

  3. The stats command will throw away any events where one or more of the "group by" fields does not exist. If you want it to keep them, you have to use an explicit fillnull command. The chart/timechart commands will likewise throw away events where the single "group by" field doesn't exist, but it will actually roll up all the null values of the "split by" field into a big column called "NULL" which you can fiddle with and/or suppress with various arguments.

  4. You can always transform your results from a "stats style" result set to the "chart style" with the xyseries command. eg xyseries foo bar baz, or if you will xyseries groupByField splitByField computedStatistic.

  5. Going the other way, you can transform your results from a "chart style" result set to the "stats style" with the untable command. eg | untable foo bar baz, or labeling the fields, | untable groupByField splitByField computedStatistic.

  6. Following from this, | xyseries foo bar baz | untable foo bar baz negates itself and so is a fun way to do nothing at all. 😃

  7. As you might guess from the runaway bullet points here, this is a deep topic. Not uncommonly a single search might start out doing things in one style, because it needs to use eval in a certain way, and then switch it all over to the other style because it needs to do some other thing that needs "chart-style" rows.

Other things that are a little confusing.

-- You can also use chart command with no split-by field specified at all, and in such cases it behaves identically to the stats command. eg stats count by foo is exactly the same as chart count over foo. So some people think of "chart" as being an alias to "stats" when actually it's quite important and does things nothing else can.

-- The chart command also allows you to express it as chart count by foo, bar which looks a lot like the stats syntax. HOWEVER, chart recognizes the first field foo as the "group by" field, thus becoming the output rows, and the second field is recognized as the "split by" field, becoming the column names across the top. To avoid this confusion I recommend avoiding the chart count by foo bar syntax entirely, and instead try and do chart count over foo by bar. It's a bit more verbose but it will help new users avoid this confusion. (random trivia: it was actually me that lobbied for the "over" syntax as a result of which it got snuck into a 4.X release)
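
The two result-set shapes described above, as an added Python sketch (not part of the original post and not Splunk code). It models the stats and chart behaviour the answer describes, including the missing-field handling from point 3 and the xyseries/untable round trip from points 4 to 6. The function names, the "total" output field and the last two sample events are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events matching the tables above. The last two events are
# added assumptions (not in the original post) to exercise missing fields.
EVENTS = [
    {"user": "bob", "host": "host1", "status": "200", "x": 25},
    {"user": "bob", "host": "host1", "status": "404", "x": 12},
    {"user": "bob", "host": "host2", "status": "404", "x": 3},
    {"user": "alice", "host": "host1", "status": "200", "x": 17},
    {"user": "alice", "host": "host2", "status": "500", "x": 1},
    {"user": "bob", "host": "host1", "x": 4},    # no status field
    {"host": "host2", "status": "200", "x": 9},  # no user field
]

def stats_sum(events, value, by):
    """Model of 'stats sum(value) by ...': one row per field combination.
    Events missing any group-by field are dropped."""
    totals = defaultdict(int)
    for e in events:
        if all(f in e for f in by):
            totals[tuple(e[f] for f in by)] += e[value]
    return [dict(zip(by, key), total=v) for key, v in totals.items()]

def chart_sum(events, value, over, by):
    """Model of 'chart sum(value) over X by Y': rows per X, columns per Y.
    A missing split-by value is rolled up into a NULL column."""
    rows = defaultdict(lambda: defaultdict(int))
    for e in events:
        if over in e:  # a missing group-by field still drops the event
            rows[e[over]][e.get(by, "NULL")] += e[value]
    return [{over: k, **cols} for k, cols in rows.items()]

def xyseries(rows, x, y, val):
    """stats style -> chart style: pivot the values of y into columns."""
    out = {}
    for r in rows:
        out.setdefault(r[x], {x: r[x]})[r[y]] = r[val]
    return list(out.values())

def untable(rows, x, y, val):
    """chart style -> stats style: one row per populated cell."""
    return [{x: r[x], y: col, val: v}
            for r in rows for col, v in r.items() if col != x]

if __name__ == "__main__":
    for row in chart_sum(EVENTS, "x", "user", "status"):
        print(row)
```

In the chart-style output, bob's event without a status lands in the NULL column, while the event without a user disappears from both styles.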

FAQs

What is the difference between stats and chart?

Use the stats command when you want to specify 3 or more fields in the BY clause. Use the chart command when you want to create results tables that show consolidated and summarized calculations.

What do stats do in Splunk?

The stats command works on the search results as a whole. The streamstats command calculates statistics for each event at the time the event is seen, in a streaming manner. The eventstats command calculates statistics on all search results and adds the aggregation inline to each event for which it is relevant.

What is the difference between stats and eval in Splunk?

The stats count() function is used to count the results of the eval expression. The eval expression uses the match() function to compare the from_domain to a regular expression that looks for the different suffixes in the domain.

Author: Tuan Roob DDS
