Chart aggregation

[ 1 Overview ] [ 2 What data do I need for this widget? ] [ 3 Creating a chart aggregation ] [ 4 Customizing your chart aggregation ] [ 5 Working with chart aggregations ] [ 6 Query example ]

Overview

This chart displays information as a series of data points over an x-axis of time. The data points can be displayed as points, lines, or columns as this chart type offers several options for visualization.

What data do I need for this widget?

The option to create this chart will be disabled unless your query groups events containing at least one numerical column.

Creating a chart aggregation

Customizing your chart aggregation

When the chart is displayed, chart tool icons are available in the upper-right of the window frame. Click the paintbrush icon to display the options for customizing your chart.

Non-temporal grouping

When a non-temporal grouping is selected, the line chart (chart aggregation is a line chart) becomes a column chart. The paintbrush is not prepared to set a column chart.

There are three different categories to customize your chart:

Use these options to choose how you want to visualize the chart.

In this area, you can change the font size clicking the A+ and A- buttons and select the required type of chart:

Line chart	This is the default style, which displays the data points connected by straight lines.
Area chart	This style fills in the area below the lines with colors.
Column chart	This style displays the data points as vertical bars.
Spline chart	This style displays the data points connected by smooth curved lines; useful for showing gradual changes.
Area spline chart	This style creates a spline chart and fills in the area below the lines with colors.
Points and averages	This style displays the individual data points along with lines representing the data average.

Specify the options for the graph on which the chart is plotted in the Graph Options section:

Stacked	This option groups data sets horizontally to facilitate comparison.
Stacked 100%	This option applies the relative percentage of the different data points on a y-axis of 0-100%.
Show grid	This option shows/hides the grid in the background.
Null to zeros	This option transforms null values into 0.
Show chart points	This option shows/hides data points. This option is not available if you have selected the Points and averages or Column chart style.
Show all series	This option shows the complete series. This process may take several minutes.
Accumulate series	This option displays data values in a cumulative frequency.
Show legend	This option shows/hides the legend under the chart, indicating the name of the series and its color.
Logarithmic axis	This option displays data using a logarithmic scale, useful when there is a large range of quantities.

Choose Dark or Light to assign a color scheme. Select Apply settings to all to apply this scheme to all your current open charts.

Here you can select the values you want to show/hide in the chart. This does not change the query itself.

You can configure the different series in the chart and create bands using two series in order to measure fluctuations.

Click to show/hide vertical stripes indicating where the series have values higher than 0.
Select two series in the left area and click Create band to add a new band. You can create several bands, assign them different colors and rename them.

Working with chart aggregations

Hover over a point of the chart to see a tooltip with all the values.

You can hit the following keys to perform different visualization actions:

Shortcut keys	Description

Shortcut keys	Description
Space	Activates or deactivates the limit series that makes the diagram show only the most significant values or all of them.
Alt + Left Click	Click on the chart to mark the point of a specific event, which will be visible when changing the chart type.
D	Deletes the created marks in all types of charts.
S	When you have several charts open, it activates/deactivates tooltip's synchronization in the one selected. This means that hovering over another chart will activate the tooltip in both.
A	When you have several charts open, it activates/deactivates tooltip's synchronization in all charts. This means that hovering over a chart will activate the tooltip in all of them.
?	Shows/hides the list of shortcut keys.

Query example

You can recreate the example shown in the first picture with the data from the following query and mapping the fields as follows:

Query	Required field	Column added

Query	Required field	Column added
`from siem.logtrust.web.activity group every 15s by srcPort every 15s select count() as count`	Signals (1)	count
	Signals (2)	srcPort

In case you want an example with three signals, here is another query to construct another chart aggregation:

Query	Required field	Column added

Query	Required field	Column added
`from siem.logtrust.web.activity group every 15s by contentLength, responseLength, responseTime every 15s`	Signals (1)	contentLength
	Signals (2)	responseLength
	Signals (3)	responseTime