The line chart widget draws a standard line chart where the x-axis is always time. Use this to plot one or several series of data points over the same time period to create a line or lines. These are useful when you want to analyze how a single entity has changed over time, or to compare the evolution of similar groups over time.
What data do I need for this widget?
If the source query groups events, it must also contain an aggregated value for each group (a count, average, maximum, mean, etc.).
If the source query does not group events, you will have to choose the metric to use for the y-axis. This is done in the widget's visual settings.
Events grouped by time and a second or third grouping element will be capable of plotting multiple lines over the selected time range.
Widget settings
To edit the widget settings, you must first activate the Edit mode.
Click the widget title bar to open its settings. Alternatively, the settings are accessible via the Ellipsis icon → Properties. The widget settings are contained in three tabs, Data, Visual, and Raw.
The settings in the Data and Raw tabs are described in the Create a widget article. These are the Visual settings for the line chart:
Category | Setting | Description |
|---|---|---|
Fields | X-Axis | This will default to the eventdate field making the x-axis a timeline. You can change this by selecting a different field. If the query used contains more than one suitable field for this axis, they will be available to select in the dropdown and plotted correlated on the chart upon selection. |
Y-Axis (Number) | The values of this field are used to plot the y-axis and must be metrics. If the query used contains more than one suitable field for this axis, they will be available to select in the dropdown and plotted correlated on the chart upon selection. | |
Series | Choose a field here that will be used to plot multiple lines in the chart. When plotting multiple series on a line chart, use the Max Series setting to specify a maximum number of series. | |
Fill Gaps | Fill Gaps | If your query has a grouping clause, there will be periods of time where no data is received. You can decide how to draw this point:
 |
General | Inverted | Toggle ON to invert the Y-axis. |
Max Series | This is the maximum number of lines to plot on the chart. This is done to avoid overcrowding and to maintain readability.
| |
Default Type | This is the style of line chart to apply. The list of options includes Line, Spline, Column, Area, and Area + Spline. All of these chart types are plotted using an X and Y axis and this setting lets you switch between different styles to apply the one the best suits your data. Spline is selected by default when you create this type of widget. | |
Axis Properties | X-Axis | For each field that contributes to the x-axis, enter a Title and data Type. The Title is simply a label to display for the axis. The Type that you select here will be applied to the values used for the x-axis.
|
Y-Axis | For each field that contributes to the y-axis, enter a Title and data Type. The Title is simply a label to display for the axis. The Type that you select here will be applied to the values used for the y-axis.
You can decide the maximum and minimum values to be displayed in the y-axis in the Max displayed and Min displayed fields. If you don't enter any value, the limits will be automatically calculated. | |
Series | For each data series, this group of settings enable you to customize their individual characteristics. | |
ID | Unique, internal identifier for this data series. | |
Name | The label for the series. This will appear in the tooltip and in the chart legend. | |
Color | Select the color for the data series. | |
Line Width | This is the width of the line in pixels. | |
Dash Style | Choose a dashed line style for the selected data series. | |
Type | Select display style for the selected series. Choose from Line, Spline, Column, Area, and Area + Spline. | |
Stack Group | This is an adapted version of the stacking capability offered by the stacked area chart widgets. You can transform the widget as explained here to get a stacked widget and enjoy the full capability. Use this option to group series that belong together for the context of your analysis and show them stacked on the chart. Series will be shown as part of the group assigned, while series that are not assigned to a group will be shown inside the Default stack group. You can either select an existing group or create a new one. A group is available to select as long as it is used for at least one series. To create a new one, simply click inside the field, write the desired name, and press the Enter key or click the Create ”Name” field that appears right below. | |
Legend | Horizontal alignment | Select the horizontal alignment of the legend that indicates the different series. Choose center, right or left. |
Vertical alignment | Select the vertical alignment of the legend. Choose bottom, top or middle. | |
Legend layout | Select the layout alignment of the legend. Choose horizontal or vertical. | |
Size | The range of values (from 16px to 320px). | |
Tips for using a line chart
Here are a few tips to get the most out of your line chart:
Move your mouse over the chart to display a tooltip that contains detailed information about the series plotted in the chart.
Click and drag across a section of the chart to zoom to the time period in the chart. Click Reset zoom to go back to the default view.
Hover over a data series in the chart legend to dim the rest of them down in the chart or click it to hide it or show it. You can also click the Hide all Series / Show all series button at the top right corner to hide / show all the series in the chart.
Query example
This is the source query used and the fields mapped to generate the widget shown above:
query( from siem.logtrust.web.activity group every 1h by username, method, responseTime, responseLength select count() as count )
X-axis | eventdate |
|---|---|
Y-axis | count |
Series | method |