
Cross-Search Line Chart

Overview

The Cross-search line chart lets you combine data from two separate tables to create a graph that compares similar data side by side in the form of a vertical bar/line graph.

What data do I need for this widget?

To generate the cross-search line chart, you need to run at least two queries that have at least one numerical column in common. The data in those queries must also be grouped and aggregated for the diagram to show meaningful data.

Creating the Cross-Search Line Chart

  1. Go to Data Search, open at least two queries and perform the necessary operations. 

  2. Click the gear icon on the toolbar and select Graphical Correlation → Cross-search line chart.
  3. Add the signals used to construct the diagram.
    Click and drag a column from the table and drop it onto the signals field. Then, select the other query in the navigation pane and repeat the process.



  4. The line chart is filled as you add columns. You can keep on adding columns from as many tables as you need.

  5. If you want to modify the signals used to construct the chart, click the settings button at the top right corner of the chart window.
  6. To save a screenshot of the chart, click the Save screenshot button at the top right corner of the chart window.

Work with your Cross-Search Line Chart

Once the diagram is constructed, you can work with it using the options that appear when you click the Configure Chart button at the top right corner of the chart window. These options are the same as those of the chart aggregation; to learn more about them, see the Customizing your chart aggregation section of the chart aggregation article.

Save your Cross-Search Line Chart

You can save your cross-search line charts to access them again for further analysis without having to construct them again. Select the save icon at the top right corner of the graph window and give the chart a name. To learn how to access and manage saved charts, see the save cross-search charts section of the graphical correlation article.

Query example

You can use the following queries to recreate the example shown in the images above:

from siem.logtrust.web.activity
  group every 5m by country
  every 5m
  select count() as count

from siem.logtrust.web.activity
  group every 5m by country
  every 5m
  select count() as count