Overview
This chart displays information as a series of data points over an x-axis of time. The data points can be displayed as points, lines, or columns as this chart type offers several options for visualization.
What data do I need for this widget?
The option to create this chart will be disabled unless your query groups events containing at least one numerical column.
Creating a chart aggregation
Customizing your chart aggregation
When the chart is displayed, chart tool icons are available in the upper-right of the window frame.
Click the paintbrush icon to display the options for customizing your chart. There are three different categories:
Non-temporal grouping
When a non-temporal grouping is selected, the line chart (chart aggregation is a line chart) becomes a column chart. The paintbrush is not prepared to set a column chart.
Working with chart aggregations
Hover over a point of the chart to see a tooltip with all the values.
You can hit the following keys to perform different visualization actions:
Shortcut keys | Description |
|---|---|
SPACE | Activates or deactivates the limit series that makes the diagram show only the most significant values or all of them. |
ALT + Left Click | Click on the chart to mark the point of a specific event, which will be visible when changing the chart type. |
D | Deletes the created marks in all types of charts. |
S | When you have several charts open, it activates/deactivates tooltip's synchronization in the one selected. This means that hovering over another chart will activate the tooltip in both. |
A | When you have several charts open, it activates/deactivates tooltip's synchronization in all charts. This means that hovering over a chart will activate the tooltip in all of them. |
? | Shows/hides the list of shortcut keys. |
Query example
You can recreate the example shown in the first picture with the data from the following query and mapping the fields as follows:
from siem.logtrust.web.activity group every 15s by srcPort every 15s select count() as count
Required field | Column added |
|---|---|
Signals (1) | count |
Signals (2) | srcPort |
In case you want an example with three signals, here is another query to construct another chart aggregation:
from siem.logtrust.web.activity group every 15s by contentLength, responseLength, responseTime every 15s
Required field | Column added |
|---|---|
Signals (1) | contentLength |
Signals (2) | responseLength |
Signals (3) | responseTime |