Visualization

1. Go to Visualization displays a table view with a list of visualizations. You can sort them by name or last modification, edit or delete. Click visualization name to see a preview.

visualizations-8.png

2. You can filter by:

  • visualization
  • chart type: line, bar, chart, etc
  • data nature: event, logx, and vulnerability.
  • time: Set the creation and modification time

You can select between 12 different types of graphs to build a visualization: 

• Line, area, and bar charts: Compares different series in X/Y charts.
• Pie chart: Displays each source contribution to a total.
• Data table: Displays results in table format.
• Metric: Displays a single number.
• Maps: The map visualizes IP addresses that belong to network hosts. Mouse over any element to display the OS system, name, and the severity of the alert.
• Gauge

3. Go to New visualization to create a new visualization.

new-visualization.png

The user must first specify the source: event, logx, or vulnerability. Then, select between 12 different types of graphs to build a visualization: line, bar, pie, gauge, map, etc.

Edit visualization

The visualization builder lets you manipulate the data to edit or customize the visualizations. You can see the multifaceted collected data in a simple and intuitive way.

You can filter by field, operator, and time:

  • Field: Limit the search to a particular data type.
  • Operator: Filter by condition using advanced criteria, such as if a value is equal to or in between certain values.
  • Time: Use customized time ranges, or apply the predefined filters.

Agregation

Aggregation refers to the collection of documents or a set of documents obtained from a particular search query or filter.

You can use the supported aggregations to build your visualizations. Metric aggregations extract field from documents to generate data values. You can add different metrics and apply a custom label.

UTMSTack supports the following aggregations:

Average

The mean value.

Count

The total number of documents that match the query, which allows you to visualize the number of documents in a bucket. Count is the default value.

Max

The highest value.

Median

The value that is in the 50% percentile.

Min

The lowest value.

Sum

The total value.

Unique Count

The Cardinality of the field within the bucket.

Buckets aggregations

Bucket aggregations creates buckets or sets of documents based on certain criteria. Depending on the aggregation type, you can create filtering buckets, that is, buckets representing different value ranges and intervals for numeric values, dates, IP ranges, and more Bucket aggregations sort documents into buckets, depending on the contents of the document.

UTMSTack supports the following aggregation buckets:

Date histogram

Terms

Splits a date field into buckets by interval. If the date field is the primary time field for the index pattern, it chooses an automatic interval for you. Intervals are labeled at the start of the interval. For example, the tooltip for a monthly interval displays the first day of the month.

Specify the top or bottom n elements of a given field to display, ordered by count or a custom metric. Supports exclude and include patterns.

In order to use it with text you will need to enable fielddata and custom label.

 

The visualization can be downloaded as an image, restored, or displayed as data.

Saving

After finishing building the visualization, you can enter a title and optionally a description. You can enable the option: Save as new visualization.