Hello! Welcome to the Visualizations learning module. I'm Chris with Splunk Education. In this module, you'll learn how to visualize and format your data into tables and charts using Splunk Search Processing Language commands as well as the Splunk Web interface. Let's begin by learning how to use some basic formatting commands.

The fields command allows you to include or exclude specific fields from search results. This can be handy when you need to limit the fields displayed, and it can make a search run faster. To include a field, we pipe our search terms into the fields command with the fields we want to include as the arguments. As you can see, this search returns only the fields product_name and price. To exclude a field, we use a minus sign between the fields command and the field names. When this is done, the product_name and price fields are removed from the fields list. In our search, there is a space between the minus operator and the field names. This causes all field names to be affected by the operator. If we remove the space, the operator only affects the field directly behind it. When we run this search, we see that only the price field remains: the fields command defaults to inclusion, so product_name is removed, while price, which has no operator in front of it, is the only field Splunk includes. Internal Splunk fields like _raw and _time will always be extracted, but you can remove them from the displayed results by using the fields command with the minus operator. Field extraction is one of the most costly parts of search. Since field inclusion occurs before field extraction, limiting the fields extracted can make your searches more efficient.

The table command is similar to the fields command in that the specified fields are kept in your results. The table command is different in that it is a transforming command that retains the data in a tabulated format.
By entering the table command followed by the session ID, product_name, and price fields, we get an easy-to-read table. This table shows which products a user session successfully purchased and for what price. Column headers are field names, rows are values, and each row represents an event. Columns are in the order given in the arguments. To rearrange columns, all we do is change the order of the arguments. The fields command can be used with the table command to improve the efficiency of this search. Since our goal is to return a table that only uses the session ID, price, and product_name fields, we can add the fields command to limit our search to just these fields. If we exclude any of the required fields before piping to the table command, Splunk is unable to display that field's values in the table.

You can use the dedup command to remove duplicate events from the results that share common values. First, let's add our session ID field back to the fields command, so that our table displays correctly. That's better! In our table, we see what appear to be duplicate events. These events represent multiple actions a user has taken in our web store over the session, such as viewing a product, adding it to their cart, and purchasing it. For the purposes of this table, we do not need these duplicate entries, so we will pipe to a dedup command with the unique session ID values, so that each session is only represented once. You can remove duplicates based on a single field, or on a combination of values across several fields. When using the dedup command, it's important to supply the correct field names for the events you wish to display. If we remove the JSESSIONID field and only dedup on the price field, we limit our table to just one event per price value, which is not the result we were looking for. The addtotals command, by default, will compute the sum of all numeric fields for each row and create a Total column.
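The fields, table and dedup steps above, combined into complete searches as an added example that is not part of the module. The base search (index=web, sourcetype=access_combined, action=purchase, status=200) is an assumed stand-in for the web store data; JSESSIONID, product_name and price are the module's own fields. The first search gives one row per event, the second keeps one row per session by deduplicating on JSESSIONID, and the third goes beyond the module by deduplicating on the session and product combination, with sortby so that the most recent event for each pair is the one kept.

```spl
index=web sourcetype=access_combined action=purchase status=200
| fields JSESSIONID product_name price
| table JSESSIONID product_name price

index=web sourcetype=access_combined action=purchase status=200
| fields JSESSIONID product_name price
| dedup JSESSIONID
| table JSESSIONID product_name price

index=web sourcetype=access_combined action=purchase status=200
| fields JSESSIONID product_name price
| dedup JSESSIONID product_name sortby -_time
| table JSESSIONID product_name price
```

Because fields inclusion leaves _time in place, the sortby clause in the third search still works even though _time is not listed; dropping JSESSIONID from the fields line would leave the table's first column empty, as the module describes.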
We have been asked to create a table displaying retail sales for each product sold in the United States and Canada over the last seven days. We pipe to a chart command to calculate the total sum of all purchases for each unique product, per country. Let's take our search and pipe to the addtotals command. We see that Splunk has added a Total column containing the sum of each row. We can create a column summary by setting the col argument to true. Notice that the row that was created is not labeled. We add a label by setting the label argument to the name to use, and the labelfield argument to the field to show the label in. We can change the name of the column holding our row totals using the fieldname argument. To remove the totals by product and only see totals by country, we can set the row argument to false.

The fieldformat command can be used if you want to format the appearance of values without making a change to the underlying raw data. Here we have a table of retail sales by product for all countries over the last seven days. While this table contains helpful information, it's a little difficult to read. We can clean it up by using the fieldformat command. We will overwrite the displayed values in the Total field by adding a dollar sign, then using the tostring function to convert the numeric value to a string, supplying the optional "commas" argument to format it with thousands separators. It's important to remember that while the fieldformat command creates new displayed field values, the underlying data in your index does not change. All this magic happens in Splunk's user interface.
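The chart, addtotals and fieldformat steps above, written out as one complete search as an added example that is not part of the module. The base search terms (index=web, sourcetype=access_combined, action=purchase, status=200) are assumed stand-ins for the web store data, and country is assumed to be the field holding the country name; product_name, price, Total and the addtotals arguments are the module's own. The second search is the module's row=false variant, which leaves only the labeled per-country summary row.

```spl
index=web sourcetype=access_combined action=purchase status=200
    earliest=-7d@d latest=now country IN ("United States", "Canada")
| chart sum(price) OVER product_name BY country
| addtotals row=true col=true fieldname=Total labelfield=product_name label="All products"
| fieldformat Total="$" . tostring(Total, "commas")

index=web sourcetype=access_combined action=purchase status=200
    earliest=-7d@d latest=now country IN ("United States", "Canada")
| chart sum(price) OVER product_name BY country
| addtotals row=false col=true labelfield=product_name label="All products"
```

Because fieldformat changes only what is displayed, the Total column keeps its numeric value underneath, so later commands such as sort still treat it as a number rather than as the "$1,234" string the table shows.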