Visualizing Search Results
You can visualize your Logging Search page results, for both Basic and Advanced Mode searches.
You can view log data graphically as a chart in Basic Mode search, along with accompanying tabular data.
Select from the following chart settings:
- Visualization Type: Select from Stacked Bar, Pie, Donut, or Line. The Stacked Bar and Line charts are organized by default in terms of time (UTC) on the X-axis (datetime), and the chosen Group By logging field. You can hover the mouse over the chart data, which both highlights the area of interest, and displays the data in a tool tip. The Legend in all four chart types also provides an orientation to the displayed chart data.
- X Axis (stacked bar and line charts only): Select a logging field of interest to replace the default Time in UTC X-axis.
- Interval (only for stacked bar and line charts, and when datetime is the X Axis): Select from 1 minute, 5 minutes, 15 minutes, 30 minutes, or 1 hour.
- Group By: Select a logging field to group the results by.
For any chart type being viewed, you can click to expand the <number of> records found list below the chart, which lists the total record sum, and the number of records at each time interval.
Searches can also be visualized during Advanced Mode search. When an advanced query is formulated according to a specific syntax format, the Visualize tab is also available in Advanced Mode, allowing you to view stacked bar, pie, donut, and line charts.
To view charts in Advanced Mode, create your queries using the following syntax:
- Stacked Bar:
summarize count() by <user_selected_field1>,<user_selected_field2(optional)>This query returns a table with three columns:
<user_selected_field1>,<user_selected_field2>, andcount. The chart uses<user_selected_field1>as the x-axis,countfor the y-axis, and<user_selected_field2>for the stacked bar group by dimension. - Pie:
select <log_source> | summarize count() by <user_selected_field>This query returns a table with two columns: <user_selected_field> and
count. The chart uses <user_selected_field> as the legend, andcountfor the distribution of the pie chart. - Donut:
summarize count() by <user_selected_field>This query returns a table with two columns:
<user_selected_field>andcount. The chart uses<user_selected_field>as the legend, andcountfor the distribution of the donut chart. - Line:
summarize count() by <user_selected_field1>,<user_selected_field2(optional)>The query returns a table with three columns:
<user_selected_field1>,<user_selected_field2>, andcount. The chart uses<user_selected_field1>as the x-axis,countfor the y-axis, and<user_selected_field2>for multiple lines group by dimension.