Overview
This chart displays information as a series of data points over an x-axis of time. The data points can be displayed as points, lines, or columns as this chart type offers several options for visualization.
What data do I need for this widget?
The option to create this chart will be disabled unless your query groups events containing at least one numerical column.
Creating a chart aggregation
1. Go to Data Search and open the required table.
2. Perform the required operations to get the data you want to use in the chart.
3. Click the gear icon on the toolbar and select Charts → Plots → Chart Aggregation.
4. Click and drag the column headers to the corresponding fields. This chart requires you to select one field:
5. The chart aggregation is displayed. Click the chart series names to show/hide them.
Customizing your chart aggregation
When the chart is displayed, chart tool icons are available in the upper-right of the window frame.
Click the paintbrush icon to display the options for customizing your chart. There are three different categories:
Note: Non-temporal grouping. When a non-temporal grouping is selected, the line chart (a chart aggregation is a line chart) becomes a column chart. The paintbrush options do not support configuring a column chart.

In this area, you can change the font size by clicking the A+ and A- buttons and select the required type of chart:
Specify the options for the graph on which the chart is plotted in the Graph Options section:
Choose Dark or Light to assign a color scheme. Select Apply settings to all to apply this scheme to all your currently open charts.

Here you can select the values you want to show/hide in the chart. This does not change the query itself.

You can configure the different series in the chart and create bands from two series in order to measure fluctuations. Click to show/hide vertical stripes indicating where the series have values higher than 0. Select two series in the left area and click Create band to add a new band. You can create several bands, assign them different colors, and rename them.
Working with chart aggregations
Hover over a point of the chart to see a tooltip with all the values.
You can press the following keys to perform different visualization actions:
Shortcut key | Description
---|---
 | Activates or deactivates the series limit, which makes the diagram show only the most significant values or all of them.
 | Click on the chart to mark the point of a specific event; the mark remains visible when changing the chart type.
 | Deletes the created marks in all types of charts.
 | When you have several charts open, activates/deactivates tooltip synchronization in the selected one. This means that hovering over another chart will activate the tooltip in both.
 | When you have several charts open, activates/deactivates tooltip synchronization in all charts. This means that hovering over a chart will activate the tooltip in all of them.
 | Shows/hides the list of shortcut keys.
Query example
You can recreate the example shown in the first picture with the data from the following query, mapping the fields as shown in the table below:

```
from siem.logtrust.web.activity group every 15s by srcPort every 15s select count() as count
```

Required field | Column added
---|---
Signals (1) | count
Signals (2) | srcPort
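To see what the first query hands to the chart, the following added example (not part of this documentation or of the product) emulates the 15-second windowed `group ... by srcPort ... select count() as count` over a constructed handful of web activity events, and checks the result for the numerical column the chart requires. Event timestamps, ports and the helper names are assumptions made for the example.

```python
from collections import Counter

# Constructed sample rows standing in for siem.logtrust.web.activity events
# (not real data). BASE is a multiple of 15 so windows align on whole seconds.
BASE = 1700000010
SAMPLE_EVENTS = [
    {"eventdate": BASE + 0,  "srcPort": 443},
    {"eventdate": BASE + 3,  "srcPort": 443},
    {"eventdate": BASE + 7,  "srcPort": 8080},
    {"eventdate": BASE + 15, "srcPort": 443},
    {"eventdate": BASE + 16, "srcPort": 8080},
    {"eventdate": BASE + 29, "srcPort": 8080},
    {"eventdate": BASE + 31, "srcPort": 443},
]


def group_every(events, window_s, key):
    """Emulate `group every {window_s}s by {key} every {window_s}s select count() as count`.

    Each event falls into the window starting at the largest multiple of
    window_s not after its eventdate; the result has one row per (window, key)
    carrying the event count, which is the series the chart plots over time.
    """
    counts = Counter()
    for ev in events:
        window_start = ev["eventdate"] - ev["eventdate"] % window_s
        counts[(window_start, ev[key])] += 1
    return [
        {"eventdate": w, key: k, "count": c}
        for (w, k), c in sorted(counts.items())
    ]


def numeric_columns(rows):
    """Names of the columns (other than the time axis) whose values are all numbers.

    The chart aggregation is only offered when the grouped result has at least
    one such column, so this is the precondition to check before mapping the
    Signals fields.
    """
    if not rows:
        return []
    names = [n for n in rows[0] if n != "eventdate"]
    return [n for n in names
            if all(isinstance(r[n], (int, float)) and not isinstance(r[n], bool)
                   for r in rows)]


if __name__ == "__main__":
    result = group_every(SAMPLE_EVENTS, 15, "srcPort")
    for row in result:
        print(row)
    print("numeric columns:", numeric_columns(result))
```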
If you want an example with three signals, here is another query that builds a chart aggregation:

```
from siem.logtrust.web.activity group every 15s by contentLength, responseLength, responseTime every 15s
```

Required field | Column added
---|---
Signals (1) | contentLength
Signals (2) | responseLength
Signals (3) | responseTime