Cross-Search Sankey Diagram


The Sankey diagram is a very flexible type of chart that allows you to:

  • compare two fields from the same table according to an aggregate value.
  • compare information from two or more tables that are linked by a common field.

To start learning more about how to use this diagram, see this video where the DNS traffic of a company is analyzed using the Cross-Search Sankey diagram.

Sankey diagram using an aggregate value

Here we describe how to create this diagram using an example. We want to compare the performance of a web server by measuring the average response time of each country of origin and each ISP. 

  1. Run the following query:
    from web.apache.accessLt
    group every 30m by country, isp
    every 1h
    select avg(responseTime) as responseTime,
    count() as count
  2. Select Additional tools → Graphical Correlation → Cross Search Sankey diagram from the query toolbar.

  3. Click and drag the column headers to the corresponding variables. 
    • isp → Source node
    • response time → Link weight
    • country → Target node

  4. The Sankey diagram appears.

    • To view the response time values, hover the mouse over each value. 
    • If, for example, you want to see only the ISPs from USA, then filter the column country by USA value and the diagram results will be automatically updated.
    • You can also easily change the diagram fields and replace, for example, the response time column by count column.

Sankey diagram using the correlation between two tables

Suppose you want to measure the queries received by an organization's firewall and compare them with queries received by the web server from each country. This process shows how the firewall acts as a barrier for certain queries. 

  1. Run the following queries:

    Apache query Firewall query
    from web.apache.accessLt
    group every 30m by srcIp, country
    every 0
    select count() as count
    where ispublic(srcIp) 
    from firewall.all.traffic
    where ispublic(srcIp)
    select mmcountry(srcIp) as countryFW
    group every 30m by srcIp, countryFW
    every 0
    select count() as count
  2. With the Apache query visible, select Additional tools → Graphical correlation → Cross-Search Sankey diagram from the query toolbar.

  3. Click on the <> icon to open placeholder variables for the other table. 

  4. Click and drag the column headers from the web server query as follows:
    • scrIp → Source node
    • count → Link weight
    • country → Target node

  5. Now, click the Firewall query in the navigation panel to select that query and assign the fields to the placeholders.
    • Country FW → Source node
    • count → Link weight
    • scrIp → Target node

  6. The Sankey diagram appears.

    By hovering the mouse over each country, you get the number of queries (count). The number of queries detected by the firewall is always higher than the number of queries received by the web server.

Have we answered your question?

If not, please contact our technical support team via email by clicking the button below.