Module 2: Using Transforming Commands for Visualizations Flashcards
Module objectives:
- Explore data structure requirements
- Explore visualization types
- Create and format charts
- Create and format timecharts
- Explain when to use each type of reporting command
When a search returns statistical values, results can be viewed with a wide variety of visualization types
- statistics table
- charts: line, column, pie, etc
- single value, gauges
- maps
- many more
Page 36 Mod 2
A ____ is a sequence of related data points that are plotted in a visualization.
Data series
Page 37 Mod 2
True or False: Any search that generates statistical results can produce a data series.
True
Page 37 Mod 2
True or False: Most visualizations require search results structured as a table with at least two columns (a single-series table has two columns; a multi-series table has three or more).
True
- the left-most column provides the x-axis values
- each subsequent column provides the numeric y-axis values for one series in the chart
Page 38 Mod 2
To get multi-series tables, you need to set up the underlying search with reporting search commands like ___ or ____
chart or timechart
Page 39 Mod 2
What does a Time series do?
Displays statistical trends over time
*can be single-series or multi-series
Page 40 Mod 2
What are the 7 chart types?
Line, Area, Column, Bar, Bubble, Scatter, Pie
Page 41 Mod 2
What does a scatter chart show?
It shows trends in the relationships between discrete data values
*generally used for discrete values that do not occur at regular intervals and do not belong to a series
Page 48 Mod 2
What does a bubble chart require?
2 split by fields and 3 statistics:
- 1 for x-axis
- 1 for y-axis
- 1 that determines size of the bubble
Page 49 Mod 2
For line, area, and column charts, where does the x-axis lie?
Horizontal
Page 42-46 Mod 2
Where does the x-axis lie in a bar chart?
Vertical
Page 46 Mod 2
What does the chart command do?
It displays any data series plotted across one or two dimensions.
Page 50 Mod 2
“chart command requirements”
The function supplies the y-axis values, so its result should be ___?
Numeric
Page 50 Mod 2
Where do the values of the by-clause field appear when using the chart command?
In the legend (one series per value)
Page 50 Mod 2
“chart command requirements”
The first field after the over clause is the ___?
x-axis
Page 50 Mod 2
“chart command requirements”
Using the over and by clauses together divides the data into ___?
Sub-groupings (x-axis groups from the over field, one series per by-field value)
Page 50 Mod 2
chart avg(bytes) over host
The host values appear along the x-axis; avg(bytes) supplies the y-axis values
Page 50 mod 2
chart avg(bytes) over host by product_name
The host field is the x-axis and the data is further split into one series per product_name value
Page 50 Mod 2
What results do you get from chart count over <field>?
The count function tallies the number of events for each value of the field in the result set
Page 51 Mod 2
How many dimensions can you split your chart results over?
Just 2 dimensions (unlike stats results)
Page 52 Mod 2
What can you use with the “over” clause to split results?
The “by” clause.
Page 52 Mod 2
The chart and timechart commands automatically limit the plotted series to the ___ highest values of the split-by field?
10 highest values (10 series)
*surplus values are grouped into a single series named OTHER
Page 54 Mod 2
Which arguments remove the OTHER series and the empty (NULL) series from the display?
- useother=f removes the OTHER series
- usenull=f removes the NULL series
Page 55 Mod 2
What is another way to get rid of null values?
Filter them out in the base search so only events that have the split-by field are returned, e.g. adding itemId=* to the base search
Page 55 Mod 2
What argument would you use to adjust the number of plotted series?
limit argument
Page 56 Mod 2
When you split by two dimensions (over X by Y), which split does the limit argument apply to?
The second split (the by field); it never limits the over field.
Page 56 Mod 2
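A worked search that puts the chart options above together (an added example, not from the course slides; the index web, sourcetype access_combined and the fields action and itemId are assumed to exist):

```spl
index=web sourcetype=access_combined
| chart limit=5 count over action by itemId usenull=f useother=f

index=web sourcetype=access_combined itemId=*
| chart limit=5 count over action by itemId useother=f
```

In the first search, action supplies the x-axis, each itemId value becomes one column (one series in the legend), limit=5 keeps only the five itemId values with the highest counts, useother=f drops the OTHER series that would otherwise collect the rest, and usenull=f drops the series for events with no itemId. The second search removes the null events in the base search with itemId=* instead, so usenull=f is no longer needed. In both, limit applies only to the by field, never to action; limit=0 removes the series cap entirely.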
What does the timechart command do?
It performs statistical aggregations against time and plots the resulting trend over time
Page 57 Mod 2
What axis is _time always on?
The x-axis
Page 57 Mod 2
Which chart types are timecharts best suited to?
Line and area charts
Page 57 Mod 2
True or False: The functions and arguments used with stats and chart can also be used with timechart.
True
Page 58 Mod 2
Unlike stats, how many fields can be specified after the by clause when using the timechart command?
One
Page 59 Mod 2
Why can you only use 1 field after the by clause when using the timechart command?
Because _time is the implied first by field.
Page 59 Mod 2
Which axis represents the count for each field value?
The y-axis
Page 59 Mod 2
What happens when the multi-series mode is set to NO?
All series share a single y-axis
Page 60 Mod 2
What happens when the multi-series mode is set to YES?
Each series (each split-by field value) gets its own y-axis
Page 61 Mod 2
When you use the timechart command it buckets the values of the _time field, which does what for the user?
It provides dynamic sampling intervals chosen from the time range of the search (override them with the span argument, e.g. span=1h)
Page 62 Mod 2
True or False: Like with the stats and chart commands, you can apply statistical functions to the timechart command?
True, you can add statistical functions
Page 63 Mod 2
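Two timechart searches covering the points above (an added example, not from the course slides; the index web, sourcetype access_combined and the fields status and bytes are assumed to exist):

```spl
index=web sourcetype=access_combined
| timechart span=1h limit=5 count by status useother=f usenull=f

index=web sourcetype=access_combined
| timechart span=15m count AS requests, avg(bytes) AS avg_bytes
```

The first search puts _time on the x-axis in fixed 1-hour buckets (span overrides the dynamic interval), produces one series per status value, keeps the five most frequent statuses and discards the OTHER and NULL series, exactly as with chart. The second search shows the trade-off of the single by field: timechart accepts several aggregations (count and avg(bytes) become two series) only when there is no by clause; with a by clause it accepts one aggregation.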
What does the Trellis layout do?
- It displays multiple charts based on one result set
- Allows visual comparison between different categories
- Data only fetched once
Page 66 Mod 2
What should you use if you want to calculate statistics with an arbitrary field as the x-axis that is not _time?
You should use a chart
Page 75 Mod 2
When you use a by clause with the chart command what is the output?
It is a table and each column represents a distinct value of the split-by field
Page 75 Mod 2
When would you want to use the timechart command to calculate statistics?
When you want the x-axis to have _time
Page 76 Mod 2
What happens when you introduce a by clause to the timechart command?
It becomes a table and each column represents a distinct value of the split-by field
Page 57 Mod 2
When is a good time to use the stats command to calculate statistics?
When you want to use 2 or more fields that are not time-based
Page 74 Mod 2
Which commands should you use when you want to count the frequency of one or more field values?
The top or rare command
Page 73 Mod 2
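The two remaining choices from the decision cards above, stats over two non-time fields and top, as an added example (not from the course slides; the index web, sourcetype access_combined and the fields host, status and bytes are assumed to exist):

```spl
index=web sourcetype=access_combined
| stats count AS requests, sum(bytes) AS total_bytes by host, status

index=web sourcetype=access_combined
| top limit=5 status by host
```

The stats search returns one row per host and status combination, which is more than the two dimensions chart can plot, so it is the right tool when you need both fields and a table rather than a chart. The top search returns, for each host, the five most frequent status values with their count and percent columns; replace top with rare to get the least frequent values instead.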
What does the timewrap command display?
- The output of the timechart command, rearranged so that each time period is a separate series
- Lets you compare data over a repeating period, such as day-over-day or month-over-month
Page 68 Mod 2
What is the timewrap syntax?
- Syntax: timewrap <timewrap-span>
- timewrap-span is a number followed by a time unit: second, minute, hour, day, week, month, quarter or year
- For example: timewrap 1w
Page 69 Mod 2
In the course example, how far does the search time range (earliest to latest) span when timewrap 1w is used?
14 days (2 weeks, a fortnight)
Page 70 Mod 2
On a line chart, how many lines are shown with timewrap 1w over that 2-week search range?
2 lines, one per week
Page 70 Mod 2
When using timewrap, how can you add more lines to the chart?
By widening the search time range so that it covers more periods
Page 71 Mod 2
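A week-over-week comparison matching the cards above (an added example, not from the course slides; the index web and sourcetype access_combined are assumed to exist):

```spl
index=web sourcetype=access_combined earliest=-14d@d latest=@d
| timechart span=1h count
| timewrap 1w
```

The base search covers exactly 14 days, timechart buckets the count into hours, and timewrap 1w folds that result so each week becomes its own series on a shared 7-day axis, giving 2 lines on a line chart. Changing earliest to -28d@d covers four periods and yields 4 lines; the span given to timewrap must be no larger than the search time range, or there is nothing to wrap.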
With the chart command, how is the x-axis decided?
You decide it: the field named in the over clause (or the first by field) supplies the x-axis values.