Commands for Visualizations Mod 3

Question 1

When a search returns statistical values, results can be viewed with a wide variety of visualization types

Answer 1

• statistics table
• charts: line, column, pie, etc
• single value, gauges
• maps
• many more

Question 2

A ____ is a series sequence of related data points that are plotted in a visualization.

Answer 2

Data series

Question 3

True or False: Data series can generate any statistical or visualization results.

Answer 3

True

Question 4

True or False: Most visualizations require search results structured as tables, with at least two columns, a single series.

Answer 4

True

Question 5

To get multi-series tables, you need to set up the underlying search with reporting search commands like ___ or ____

Answer 5

chart or timechart

Question 6

Time series

Answer 6

Displays statistical trends over time

*can be single-series or multi-series

Question 7

What are the 7 chart types?

Answer 7

Line
Area
Column
Bar
Bubble
Scatter
Pie

Question 8

What does a scatter chart show?

Answer 8

It shows trends in the relationships between discrete data values
*generally, it shows discrete values that do not occur at regular intervals or belong to a series

Question 9

What does a bubble chart provide?

Answer 9

It provides a way to view a 3-dimensional series.

*The size of the bubble represents the value for the 3rd dimension

Question 10

For line, area, and column charts, where does the x-axis lie?

Answer 10

Horizontal

Question 11

Where does the x-axis lie in a bar chart?

Answer 11

Vertical

Question 12

What does the chart command do?

Answer 12

It displays any series of data that you want to plot

Question 13

“chart command requirements”

The function defines the value of the y-axis, therefore it should be ___?

Answer 13

Numeric

Question 14

Where do the values from the by clause display?

Answer 14

In legend

Question 15

“chart command requirements”

The first field after the over clause is the ___?

Answer 15

x-axis

Question 16

“chart command requirements”

Using the over and by clauses divides the data into ___?

Answer 16

sub-groupings

Question 17

chart avg(bytes) over host

Answer 17

The host values display over the x-axis

Question 18

chart avg(bytes) over host by product_name

Answer 18

The host field is the x-axis and the series is further split by product_name

Question 19

What kind of results will you get if you used the chart command count over field?

Answer 19

Count functions tallies the number of events for each value in the result set

Question 20

How many dimensions can you split your chart results over?

Answer 20

Just 2 dimensions (unlike stats results)

Question 21

What can you use with the “over” clause to split results?

Answer 21

The “by” clause.

Question 22

chart and timechart commands automatically filter results to include the ___ highest values?

Answer 22

10 highest values

*surplus values are grouped into OTHER

Question 23

What do you use if you want to remove empty (NULL) and OTHER field values from displaying?

Answer 23

• useother=f

- usenull=f

Question 24

What is another way you can get rid of null values?

Answer 24

Add itemId=* to the base search

Question 25

What argument would you use to adjust the number of plotted series?

Answer 25

limit argument

Question 26

When you have a split by two dimensions which option does the limit argument apply to?

Answer 26

It applies to the second split.

Question 27

What doe the timechart command do?

Answer 27

It performs statistical aggregations against time and plots and trends data over time

Question 28

What axis is _time always on?

Answer 28

The x-axis

Question 29

What form are timecharts best for?

Answer 29

Line and Area charts

Question 30

True or False: Functions and arguments used with stats and chart can also be used with timechart?

Answer 30

True

Question 31

Unlike stats how many fields can be specified after the by clause when using the timechart command?

Answer 31

One

Question 32

Why can you only use 1 field after the by clause when using the timechart command?

Answer 32

Because _time is the implied first b field.

Question 33

Which axis represents the count for each filed value?

Answer 33

The y-axis

Question 34

What happens when the multi-series mode is set to NO?

Answer 34

All fields share the y-axis

Question 35

What happens when the multi-series mode is set to YES?

Answer 35

The y-axis is split for each field value

Question 36

When you use the timechart command it buckets the values of the _time field, which does what for the user?

Answer 36

This provides dynamic sampling intervals, based upon the time range of the search

Question 37

True or False: Like with the stats and chart commands, you can apply statistical functions to the timechart command?

Answer 37

True, you can add statistical functions

Question 38

List the functions of the Trellis layout?

Answer 38

- It displays multiple charts based on one result set - Allows visual comparison between different categories - Data only fetched once

Question 39

What should you use if you want to calculate statistics with an arbitrary field as the x-axis that is not _time?

Answer 39

You should use a chart

Question 40

When you use a by clause with the chart command what is the output?

Answer 40

It is a table and each column represents a distinct value of the split-by field

Question 41

When would you want to use the timechart command to calculate statistics?

Answer 41

When you want the x-axis to have _time

Question 42

What happens when you introduce a by clause to the timechart command?

Answer 42

It becomes a table and each column represents a distinct value of the split-by field

Question 43

When is a good time to use the stats command to calculate statistics?

Answer 43

When you want to use 2 or more fields that are not time-based

Question 44

What command should you use when you want to count the frequency of a field(s)?

Answer 44

You should use the top and rare command