Overview

The Sankey diagram is a very flexible type of chart that allows you to:

  • Compare two fields from the same table according to an aggregate value.

  • Compare information correlating two or more tables that are linked by a common field.

What data do I need for this widget?

To generate the cross-search Sankey diagram using an aggregate value, you need to run a single query with at least three columns, one of them numerical. Furthermore, that query needs to have its data grouped for the diagram to show meaningful data.

To generate the cross-search Sankey diagram using correlation, you need to run at least two queries with at least three columns each, one of them numerical and one of them in common. Furthermore, those queries need to have their data grouped for the diagram to show meaningful data.

Create a cross-search Sankey diagram using a single table

  1. Go to Data search, open a query and perform the necessary operations.

  2. Click the gear icon options menu on the toolbar and select Graphical correlation → Cross-search sankey diagram.

  3. Here is the set of variables the diagram needs to be constructed: the Source node, the Link weight and the Target node. The source will be placed on the left side of the diagram, the target on the right, and the links will establish the connection between them based on the values.

  4. Click and drag the columns from the table and drop them onto the corresponding variables.

     • If you added a column by mistake or simply want to substitute it with a different one, you can either drag another column onto it or remove it first by clicking the cross inside the box next to the name.

     • If you try to add an incompatible column, an error message will appear below the table variables before you release the mouse. This error message explains the reason for the incompatibility.

  5. The Sankey diagram appears. The source and the target nodes are connected by the link values.

  6. If you click the stats switch, the legend explaining the links contained in the diagram will be hidden.

  7. Clicking the inner join switch will not show any actual change, because it is designed for diagrams constructed with two different queries to correlate data. We will see this information later in this article.

  8. In case you want to know the values that the segments represent, hover over each of them to activate a tooltip with the information.

  9. To modify the columns used to create the chart, click the settings button at the top right corner of the table window.

  10. You can download your cross-search table join as a CSV file by clicking the Export data as CSV button at the top right corner of the table window.

Create a cross-search Sankey diagram using several tables

  1. Go to Data search, open at least two queries and perform the necessary operations.

  2. Click the gear icon options menu on the toolbar and select Graphical correlation → Cross-search sankey diagram.

  3. Click the window symbol next to the unknown table name to add the variables for a second table. Be aware that after the first column is added, the unknown name will become the name of the table that contains the column.

  4. Here is the set of variables the diagram needs to be constructed. The Target node of the first table is linked to the Source node of the following one. This is designed to hold the columns that are shared by both tables, so Devo can use them as the central variable to merge the two tables. They need to have the same name, or the same data type and structure; otherwise they will not be accepted.
     Click and drag the columns from the table and drop them onto the corresponding variables. Then, select the other query in the navigation pane and repeat the process.

     • If you accidentally added more tables to your diagram workspace than you needed, or you do not want them for whatever reason, you can remove them. To do that, click the cross next to the table name.

     • If you added a column by mistake or simply want to substitute it with a different one, you can either drag another column onto it or remove it first by clicking the cross inside the box next to the name.

     • If you try to add an incompatible column, an error message will appear below the table variables before you release the mouse. This error message explains the reason for the incompatibility.

  5. The Sankey diagram appears. The rows from different tables whose data can be correlated through a common column are merged together.

  6. If you click the stats switch, the legend explaining the links contained in the diagram will be hidden.

  7. Clicking the inner join switch will split the merged variables and show their data separately instead of correlated.

  8. In case you want to know the values that the segments represent, hover over each of them to activate a tooltip with the information.

  9. To modify the columns used to create the chart, click the settings button at the top right corner of the table window.

  10. You can download your cross-search table join as a CSV file by clicking the Export data as CSV button at the top right corner of the table window.

Query example

You can use the following queries to recreate the examples shown in the images above:

  1. Sankey diagram using an aggregate value:

     from siem.logtrust.web.navigation
       group every 5m by userEmail, srcPort, action, city
       every 5m
       select count() as count

  2. Sankey diagram using the correlation between two tables:

     from siem.logtrust.web.navigation
       group every 5m by userEmail, action, srcPort, city
       every 5m
       select count() as count

     from siem.logtrust.web.activity
       group every 5m by srcPort, username, responseTime, city
       every 5m