Searching data / Working in the search window / Generate charts / Graph diagram / Creating a graph diagram
Creating a graph diagram
After querying the necessary data in the search window, select Additional tools → Charts → Diagrams → Graph diagram to start building your graph.
Overview
During the creation process of the graph, each column you add to the workspace (that is, every group of nodes in the final graph) is represented as an object defined by 3 factors: type, name and attributes.
Type
By default, each column you add to the workspace is assigned a different type, which is a set of settings that affect all the corresponding nodes in the graph. You can group columns containing the same kind of information under the same type and apply the same settings to their values. To do it, select the type icon of a column and drag it to the new type you want it to be under.
See below how we group the srcpIp and dstIp columns under the same type (type-1). To unassign a type from a node, select the corresponding link and hit the DELETE key.
To access the type settings, click the required type icon. You will see the options described in the following table:
| Icon | Select an icon to represent the values belonging to the type column(s) in the graph. |
|---|---|
| Color by | Choose the metric you want to use to assign a color to each of the column values.
|
| Default color | Select the color for your nodes if you select Type/Attribute in the Color by setting. Besides, this color will serve as a base for the Size and Degree options. |
| Palette | Choose the color scale to be used for the Size and Degree options. The available options are Standard (8 colors), Pastel (24 colors) and Monochrome (10 colors). |
Name
This is the name of the group of nodes, which corresponds to the name of the column. In the graph, this name will appear when you hover over a node, next to the assigned type.
Each node – that is, each distinct value of the columns added – will show their corresponding names in the graph. However, you can add them labels with names of other corresponding column values using the label attribute. See how to do it below.
Attributes
These are optional attributes that you can assign to each column. Drag a column to the corresponding attribute icons to use its values as labels, positions or colors.
Label | The value names of the column you add here will be shown as labels of the nodes. Each node will display the name of the corresponding value in the label column. In case a node has more than one associated values in the label column, only the first one will be displayed in the label, and the rest will be shown when you hover over the node.
|
|---|---|
Position | Column values can be represented on a map if you drag a column containing geocoordinates to this field. You must activate the Map mode option in the graph to display the world map and geolocate your nodes. Learn more in the Working in the graph diagram article. |
Color | Drag the column header whose values will dictate the color of the nodes. The column must contain discrete values. If the values are string type, each distinct value will be displayed in a different color. If the values are integer or float type, a dark to light monochrome color palette is used for the minimum to maximum values. You must select Type/Attribute in the Color by field of the corresponding type to apply this attribute. |
How to create a graph diagram
Follow these steps to create your graph diagram:
Go to Data Search and open the required table.
Query the data as needed and select Additional tools → Charts → Diagrams → Graph diagram from the toolbar.
Select and drag to the workspace the first column whose values you want to represent in the graph. Remember that each of the distinct values of the column will become a node in your graph.
Now click and drag the header of the column whose values you want to link to the ones of the previously added column, and set the type and attributes of both columns as necessary.
Note that at least two columns are required in order to build a graph diagram. Columns are automatically linked when you add them, thus creating the corresponding relationships between their nodes in the graph. To remove a link, select the arrow linking the columns and hit the DELETE key. To create it again, hover over the column icon, click the + that appears and drag the mouse to the column you want to link to. You can add as many columns as required and create relationships as needed.
- When the first relationship is created, an icon appears to add link metrics. You can drag a column here to use its values as metric for definying the width of the links. For example, you can aggregate your data and add a count column to define the width of the links. You can add several metrics and choose the required one in the Link widths setting of the graph. Learn more about this in the Working in the graph diagram article.
Before generating the graph diagram, you can configure the node selection mode in the graph. Select the ... button that appears at the bottom left corner, where you can choose a Selection mode. This will set the behavior when you double-click a node in your graph. Learn more about this setting in the Working in the graph diagram article. Moreover, you can add filters to show only specific values in the graph. Click the + icon, then enter the word you want to filter by and select the type(s) you want to apply the filter to.
In the example below, we want to get only GET values from the column(s) belonging to our type-0.
Select Apply when everything is set up. The graph diagram is generated and you can see the relationships between the columns you selected, as well as setting different visualization and behavior options. See the Working in the graph diagram article to learn more about this.
Example
In the following example, we will create a graph diagram using the data from the following query:
from netstat.netflow.lt
select mmcoordinates(srcIp) as srcPos,
mmcoordinates(dstIp) as dstPos,
mmcountry(srcIp) as srcCountry,
mmcountry(dstIp) as dstCountry
group every 5m by srcIp, dstIp, srcPos, dstPos, srcCountry, dstCountry
every 5m
select count() as countGo to Data Search → Free Text Query, paste the query script in the text field and select Run.
Select Additional tools → Charts → Diagrams → Graph diagram from the query toolbar.
Select the srcIp and dstIp columns and drag them to the workspace. Both columns will be automatically linked.
Click and drag the column header whose column values will define the relationship between the nodes. In this example, this is the count column.
Now we will add the srcPos and dstPos columns in our query to geolocate our IP addresses on a map. Drag them to the position attribute of the corresponding column (srcPos → srcIp / dstPos → dstIp).
Drag the srcCountry and dstCountry columns to the color attribute of the corresponding column, which contain the discrete values that will color-code the nodes of the columns added (srcCountry → srcIp / dstCountry → dstIp).
Geolocation operations are available to generate geolocated information based upon existing table data, such as IP address. In this data table, the srcPos and dstPos columns were generated using the Latitude and longitude coordinates operation, and the srcCountry and dstCountry columns were generated using the Geolocated Country operation.
Click Apply to generate the graph diagram. Finally, toggle on the Map mode option to geolocate the IP addresses on the world map. Note that nodes with null geolocations will be located on the Atlantic Ocean.
For an use case on how to build a graph diagram to detect and analyze accesses to malicious sites, see the Monitor intranet traffic to dangerous websites use case.