Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Current »

 Watch video tutorial

Overview

The Sankey diagram is a very flexible type of chart that allows you to:

  • Compare two fields from the same table according to an aggregate value.

  • Compare information correlating two or more tables that are linked by a common field.

What data do I need for this widget?

In order to generate the cross-search sankey diagram using an aggregate value, you need to run a single query with at least three columns, one of them numerical. Furthermore, that query needs to have the data grouped for the diagram to show meaningful data.

In order to generate the cross-search sankey diagram using correlation, you need to run at least two queries with at least three columns, one of them numerical and one of them in common. Furthermore, those queries need to have the data grouped for the diagram to show meaningful data.

Create a cross-search Sankey diagram using a single table

Create a cross-search Sankey diagram using several tables

  1. If you click the stats switch, the legend explaining the links contained in the diagram will be hidden.

  2. Clicking the inner join switch will split the merged variables and show their data separately instead of correlated.

  3. In case you want to know the values that segments represent, hover over each of them to activate a tooltip with the information.

  4. To modify the columns used to create the chart, click the settings button at the top right corner of the table window .

  5. You can download your cross-search table join as a CSV file by clicking the Export data as CSV button at the top right corner of the table window .

Query example

You can use the following queries to recreate the examples shown in the images above:

  1. Sankey diagram using an aggregate value:

    from siem.logtrust.web.navigation
  group every 5m by userEmail, srcPort, action, city
  every 5m
  select count() as count

  2. Sankey diagram using the correlation between two tables:

    from siem.logtrust.web.navigation
  group every 5m by userEmail, action, srcPort, city
  every 5m
  select count() as count

    from siem.logtrust.web.activity
  group every 5m by srcPort, username, responseTime, city
  every 5m
  • No labels