Creating a graph diagram
Here we describe how to create a graph diagram:
Run a query (see an example below).
select mmcoordinates(srcIp) as srcPos,
mmcoordinates(dstIp) as dstPos,
mmcountry(srcIp) as srcCountry,
mmcountry(dstIp) as dstCountry
group every 5m by srcIp, dstIp, srcPos, dstPos, srcCountry, dstCountry
select count() as count
Select Additional tools → Charts → Diagrams → Graph diagram from the query toolbar.
Click and drag the column header that contains the values to be represented as the first node in the graph diagram to the workspace. In this example, is the srcIp column.
The dragged column now appears in the workspace as a node with four related elements:
In order to delete any element in the workspace, simply select the element and press the DELETE key.
- Node type - Select the type to choose and icon and color in order to identify nodes of the same type within the final diagram.
- Node label - Corresponds to the name of the column you added as a node. You can change it by dragging another column to the magnifying glass icon in the node.
- Node position - Click and drag the column header whose values are geocoordinates that describe the node's position. This is optional and only used to plot nodes on a world map if geocoordinates are available.
- Node color - Click and drag the column header whose values will dictate the color of the nodes. The column must contain discrete values. If the values are string type, each distinct node will be displayed in a different color. If the values are number type, a dark to light monochrome color palette is used for the minimum to maximum values, respectively.
Click and drag the column header that will be the second node. In this example, this is the dstIp column. Note that at least two nodes are required in order to build a Graph diagram. The second node appears in the workspace with a connection between the two nodes automatically created.
Click and drag the column header whose column values will define the relationship between the nodes. In this example, this is the count column.
Click and drag the column headers of the columns containing the geo-coordinates of the two nodes. In this example, these are the srcPos and dstPos columns.
Geolocation operations are available to generate geolocated information based upon existing table data, such as IP address. In this data table, the srcPos and dstPos columns were generated using the Latitude and longitude coordinates operation.
Click and drag the column headers of the columns with the descrete values that will color-code the two nodes. In this example, these are the srcCountry and dstCountry columns.Geolocation operations are available to generate geolocated information based upon existing table data, such as IP address. In this data table, the srcCountry and dstCountrycolumns were generated using the Geolocated Country operation.
- By default, the label of the node corresponds to the column name. However, you can drag a column to the magnifying glass icon. This way, nodes will be labeled after those columns.
- To change a node icon or color, select the node type and use the options available at the bottom of the workspace.
Click Apply when you have defined the nodes, and their links, labels, positions, and colors. The graph diagram is displayed.
Hover over any node to open a tooltip summarizing its key information.
- Activate Map mode to display the nodes on a world map.
You can further customize the graph using the options available in the Graph diagram menu on the left panel of the graph window.
To maximize the graph to full screen, double-click on an empty space in the graph. To return to the default size, press ESC.