
Overview

This chart displays one or more numeric signals as a series of data points over an x-axis of time. The data points can be displayed as points, lines, or columns, as this chart type offers several visualization options.

What data do I need for this widget?

The option to create this chart is disabled unless your query groups events and the result contains at least one numerical column.

Creating a chart aggregation

1. Go to Data Search and open the required table.

2. Perform the required operations to get the data you want to use in the chart.

3. Click the gear icon on the toolbar and select Charts → Plots → Chart Aggregation.

4. Click and drag the column headers to the corresponding fields. This chart requires you to select one field:

   Required field | Data type
   Signals (you can drag more than one column) | float, integer, duration

5. The chart aggregation is displayed. Click the chart series names to show/hide them.

Note: Large data sets

If the columns added to the chart generate a large number of points in the graph, the application warns you that it may cause the browser to malfunction.


Customizing your chart aggregation

When the chart is displayed, chart tool icons are available in the upper-right of the window frame.

Click the paintbrush icon to display the options for customizing your chart. There are three different categories: Graph visualization, Series, and Series configuration.

Info: Non-temporal grouping

Chart aggregation is a line chart over an x-axis of time. If your query groups by a non-temporal key instead, the chart is displayed as a column chart, and the paintbrush options are not designed for that column chart.

Graph visualization

Use these options to choose how you want to visualize the chart.

In this area, you can change the font size by clicking the A+ and A- buttons and select the required type of chart:

Line chart

This is the default style, which displays the data points connected by straight lines.

Area chart

This style fills in the area below the lines with colors.

Column chart

This style displays the data points as vertical bars.

Spline chart

This style displays the data points connected by smooth curved lines; useful for showing gradual changes. 

Area spline chart

This style creates a spline chart and fills in the area below the lines with colors.

Points and averages

This style displays the individual data points along with lines representing the data average. 

Specify the options for the graph on which the chart is plotted in the Graph Options section:

Stacked

This option stacks the series on top of one another at each point in time, so the top of the stack shows the total and each band shows its series' share of it.

Stacked 100%

This option applies the relative percentage of the different data points on a y-axis of 0-100%.

Show grid

This option shows/hides the grid in the background.

Null to zeros

This option transforms null values into 0.

Show chart points

This option shows/hides data points. This option is not available if you have selected the Points and averages or Column chart style.

Show all series

This option shows the complete series. This process may take several minutes.

Accumulate series

This option displays data values in a cumulative frequency.

Show legend

This option shows/hides the legend under the chart, indicating the name of the series and its color.

Logarithmic axis

This option displays data using a logarithmic scale, useful when there is a large range of quantities.

Choose Dark or Light to assign a color scheme. Select Apply settings to all to apply this scheme to all your current open charts.

Series

Here you can select the values you want to show/hide in the chart. This does not change the query itself.


Series configuration

You can configure the different series in the chart and create bands using two series in order to measure fluctuations.


Click to show/hide vertical stripes indicating where the series have values higher than 0.


Select two series in the left area and click Create band to add a new band. You can create several bands, assign them different colors and rename them.


Working with chart aggregations

Hover over a point of the chart to see a tooltip with all the values.

You can press the following keys to perform different visualization actions:

Shortcut key | Description
Space | Toggles the series limit. When active, the chart shows only the most significant series; when inactive, it shows all of them.
Alt + Left Click | Marks the point of a specific event on the chart. The mark remains visible when you change the chart type.
D | Deletes the created marks in all chart types.
S | When several charts are open, toggles tooltip synchronization for the selected chart: hovering over another chart also shows the tooltip in this one.
A | When several charts are open, toggles tooltip synchronization for all charts: hovering over one chart shows the tooltip in all of them.
? | Shows/hides the list of shortcut keys.

Query example

You can recreate the example shown in the first picture with the data from the following query, mapping the fields as shown in the table below it:

from siem.logtrust.web.activity
  group every 15s by srcPort
  every 15s
  select count() as count

Required field | Column added
Signals (1) | count
Signals (2) | srcPort
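
As an added example that is not part of this page and not Devo's own code, the following Python script reproduces what the query above computes (15-second buckets with a count per srcPort) and then applies the transformations behind the Null to zeros, Accumulate series, Stacked and Stacked 100% options to that result, so you can see what each toggle does to the numbers before you rely on a chart reading. The event list, timestamps and port numbers are constructed sample data, and treating each srcPort's count as its own series is this example's own choice for illustrating the series options, not a statement of how the widget maps the two signals.

```python
from collections import defaultdict
from datetime import datetime, timezone

BUCKET_SECONDS = 15  # the "every 15s" in the query

# Constructed sample events (timestamp, srcPort); not real siem.logtrust.web.activity data.
SAMPLE_EVENTS = [
    ("2024-01-01T00:00:01Z", 443),
    ("2024-01-01T00:00:05Z", 443),
    ("2024-01-01T00:00:09Z", 80),
    ("2024-01-01T00:00:17Z", 443),
    ("2024-01-01T00:00:31Z", 80),
    ("2024-01-01T00:00:44Z", 80),
    ("2024-01-01T00:00:46Z", 8080),
]


def to_epoch(ts):
    """Parse an ISO-8601 UTC timestamp ('...Z') into epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def group_every(events, seconds=BUCKET_SECONDS):
    """'group every 15s by srcPort ... select count() as count'.

    Returns the sorted bucket start times (the chart's x-axis) and a mapping
    srcPort -> {bucket_start: count}. A bucket in which a port saw no events is
    simply absent for that port; those gaps are the chart's null values.
    """
    counts = defaultdict(lambda: defaultdict(int))
    buckets = set()
    for ts, port in events:
        start = to_epoch(ts) // seconds * seconds  # floor to the bucket boundary
        buckets.add(start)
        counts[port][start] += 1
    return sorted(buckets), {port: dict(per_bucket) for port, per_bucket in counts.items()}


def series_values(port_counts, buckets):
    """One y-value per x-axis bucket, None where the series has no data."""
    return [port_counts.get(b) for b in buckets]


def chart_series(events, seconds=BUCKET_SECONDS):
    """Aggregate the events and lay every srcPort out on the shared x-axis."""
    buckets, counts = group_every(events, seconds)
    return buckets, {port: series_values(c, buckets) for port, c in counts.items()}


def null_to_zeros(values):
    """The 'Null to zeros' option: missing buckets become 0 instead of gaps."""
    return [0 if v is None else v for v in values]


def accumulate(values):
    """The 'Accumulate series' option: running total over time (nulls count as 0)."""
    out, total = [], 0
    for v in null_to_zeros(values):
        total += v
        out.append(total)
    return out


def stack_totals(series):
    """The 'Stacked' option: the top of the stack at each bucket is the sum of all series."""
    if not series:
        return []
    length = len(next(iter(series.values())))
    return [sum(null_to_zeros(values)[i] for values in series.values()) for i in range(length)]


def stacked_100(series):
    """The 'Stacked 100%' option: each series as a percentage of its bucket's total."""
    totals = stack_totals(series)
    return {
        name: [round(100.0 * v / t, 2) if t else 0.0
               for v, t in zip(null_to_zeros(values), totals)]
        for name, values in series.items()
    }


if __name__ == "__main__":
    buckets, series = chart_series(SAMPLE_EVENTS)
    print("x-axis (epoch s):", buckets)
    for port, values in sorted(series.items()):
        print(f"srcPort {port}: raw={values} zeros={null_to_zeros(values)} "
              f"cumulative={accumulate(values)}")
    print("stacked totals:", stack_totals(series))
    print("stacked 100%:", stacked_100(series))
```

Note that a series with no events in a bucket comes back as None, which the line chart draws as a gap; Null to zeros is what turns that gap into a point at 0, and the cumulative and stacked transforms only make sense after that substitution, which is why the helpers apply it first.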


For an example with three signals, use this query instead to build another chart aggregation:

from siem.logtrust.web.activity
  group every 15s by contentLength, responseLength, responseTime
  every 15s

Required field | Column added
Signals (1) | contentLength
Signals (2) | responseLength
Signals (3) | responseTime