
Creating a graph diagram

After querying the necessary data in the search window, click the gear icon on the toolbar and select Charts → Diagrams → Graph diagram to start building your graph. 

Overview

While you create the graph, each column you add to the workspace (that is, every group of nodes in the final graph) is represented as an object defined by 3 factors: type, name and attributes.

Type

By default, each column you add to the workspace is assigned a different type, which is a set of settings that affect all the corresponding nodes in the graph. You can group columns containing the same kind of information under the same type and apply the same settings to their values. To do so, select the type icon of a column and drag it to the type you want it to be under.

See below how we group the srcIp and dstIp columns under the same type (type-1). To unassign a type from a node, select the corresponding link and hit the Delete key.

To access the type settings, click the required type icon. You will see the options described in the following table:

Icon

Select an icon to represent the values belonging to the type column(s) in the graph.

Color by

Choose the metric you want to use to assign a color to each of the column values.

  • Type/Attribute - Apply the color selected in the Default Color setting to all the nodes, or use the values in the column added to the Color attribute as a metric. Learn more about this attribute below.

  • Size - Colors will be applied according to the size of the nodes. Choose the base color in the Default Color setting.

  • Degree - Colors will be applied according to the number of connections a node has with other nodes. Choose the base color in the Default Color setting.

Default color

Select the color for your nodes if you select Type/Attribute in the Color by setting. This color also serves as the base for the Size and Degree options.

Palette

Choose the color scale to be used for the Size and Degree options. The available options are Standard (8 colors), Pastel (24 colors) and Monochrome (10 colors).

Name

This is the name of the group of nodes, which corresponds to the name of the column. In the graph, this name will appear when you hover over a node, next to the assigned type.

Each node (that is, each distinct value of the columns added) shows its corresponding name in the graph. However, you can label nodes with the values of another column using the label attribute. See how to do it below.

Attributes

These are optional attributes that you can assign to each column. Drag a column to the corresponding attribute icon to use its values as labels, positions or colors.

Label

The value names of the column you add here will be shown as labels of the nodes.

Each node will display the name of the corresponding value in the label column. If a node has more than one associated value in the label column, only the first one will be displayed in the label, and the rest will be shown when you hover over the node.

Position

Column values can be represented on a map if you drag a column containing geocoordinates to this field. You must activate the Map mode option in the graph to display the world map and geolocate your nodes. Learn more in the Working in the graph diagram article.

Color

Drag the column header whose values will dictate the color of the nodes. The column must contain discrete values. If the values are string type, each distinct value will be displayed in a different color. If the values are integer or float type, a dark to light monochrome color palette is used for the minimum to maximum values.

You must select Type/Attribute in the Color by field of the corresponding type to apply this attribute.

How to create a graph diagram

Follow these steps to create your graph diagram:

  1. Go to Data Search and open the required table.

  2. Query the data as needed, then click the gear icon on the toolbar and select Charts → Diagrams → Graph diagram.

  3. Select and drag to the workspace the first column whose values you want to represent in the graph. Remember that each of the distinct values of the column will become a node in your graph. 

  4. Now click and drag the header of the column whose values you want to link to the ones of the previously added column, and set the type and attributes of both columns as necessary. 

    Note that at least two columns are required in order to build a graph diagram. Columns are automatically linked when you add them, thus creating the corresponding relationships between their nodes in the graph. To remove a link, select the arrow linking the columns and hit the Delete key. To create it again, hover over the column icon, click the + that appears and drag the mouse to the column you want to link to. You can add as many columns as required and create relationships as needed.

  5. When the first relationship is created, an icon appears to add link metrics. You can drag a column here to use its values as a metric for defining the width of the links. For example, you can aggregate your data and add a count column to define the width of the links. You can add several metrics and choose the required one in the Link widths setting of the graph. Learn more about this in the Working in the graph diagram article.


  6. Before generating the graph diagram, you can configure the node selection mode in the graph. Select the ... button that appears at the bottom left corner, where you can choose a Selection mode. This will set the behavior when you double-click a node in your graph. Learn more about this setting in the Working in the graph diagram article. Moreover, you can add filters to show only specific values in the graph. Click the + icon, then enter the word you want to filter by and select the type(s) you want to apply the filter to. 

    In the example below, we want to get only GET values from the column(s) belonging to our type-0.

  7. Select Apply when everything is set up. The graph diagram is generated and you can see the relationships between the columns you selected, as well as set different visualization and behavior options. See the Working in the graph diagram article to learn more about this.

Example

In the following example, we will create a graph diagram using the data from the following query:

from netstat.netflow.lt
  select mmcoordinates(srcIp) as srcPos,
    mmcoordinates(dstIp) as dstPos,
    mmcountry(srcIp) as srcCountry,
    mmcountry(dstIp) as dstCountry
  group every 5m by srcIp, dstIp, srcPos, dstPos, srcCountry, dstCountry
  every 5m
  select count() as count
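The following Python example is added here for illustration and is not the product's own code: it models how rows shaped like the output of the query above become nodes, links, link widths and node degree when srcIp and dstIp are linked, with and without grouping both columns under one type. The sample rows are constructed, and summing the count metric per link and counting distinct neighbours as degree are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample rows shaped like the query output (srcIp, dstIp, count).
ROWS = [
    {"srcIp": "192.0.2.10", "dstIp": "198.51.100.5", "count": 12},
    {"srcIp": "192.0.2.10", "dstIp": "203.0.113.7", "count": 3},
    {"srcIp": "192.0.2.11", "dstIp": "198.51.100.5", "count": 7},
    {"srcIp": "192.0.2.10", "dstIp": "198.51.100.5", "count": 4},  # later 5m bucket
    {"srcIp": "198.51.100.5", "dstIp": "192.0.2.10", "count": 2},  # return traffic
]


def build_graph(rows, src_col, dst_col, metric_col, same_type=True):
    """Return (nodes, links, degree) for two linked columns.

    same_type=True models placing both columns under one type (type-1),
    so an IP seen as both source and destination is a single node.
    """
    def node(col, value):
        return ("type-1", value) if same_type else (col, value)

    nodes = set()
    links = defaultdict(int)        # (from_node, to_node) -> link width
    neighbours = defaultdict(set)
    for row in rows:
        a, b = node(src_col, row[src_col]), node(dst_col, row[dst_col])
        nodes.update((a, b))
        links[(a, b)] += row[metric_col]  # assumption: metric summed per link
        neighbours[a].add(b)
        neighbours[b].add(a)
    # Assumption: degree = number of distinct connected nodes.
    degree = {n: len(neighbours[n]) for n in nodes}
    return nodes, dict(links), degree


def top_talkers(degree, n=3):
    """Nodes with the most connections, highest first (ties by node key)."""
    return sorted(degree.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    nodes, links, degree = build_graph(ROWS, "srcIp", "dstIp", "count")
    for (a, b), width in sorted(links.items()):
        print(f"{a[1]} -> {b[1]}  width={width}")
    print(top_talkers(degree))
```
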

For a use case on how to build a graph diagram to detect and analyze accesses to malicious sites, see the Monitor intranet traffic to dangerous websites use case.