How to create chart

Hello,
I try create chart but ...
I have 4 queries:

  1. Messages Sent (Internal)
    "query": "event_id: \"SEND\" AND connector_id: \"Intra-Organization SMTP Send Connector\" AND directionality: \"Originating\""

  1. Messages Sent
    "query": "event_id: \"SEND\" AND connector_id: \"Outbound Internet Mail\""

  1. Messages Received
    "query": "event_id: \"DELIVER\" AND directionality: \"Incoming\""

  1. Messages Received (Internal)
    "query": "event_id: \"DELIVER\" AND directionality: \"Originating\""

I would like to have such cumulative chart like this

How can I do this?

Hi @zen.xen,
from my understanding you could use Vertical Bar Chart. Your queries seem to be a bit complex so what you need is to create filters aggregation, you can also add custom labels. Here's the example with sample data:

Btw, I noticed you are using lens to creating your chart – the filters functionality for Lens will appear in the upcoming version 7.10.
Let me know if you need further guidance.

Marta

Hello @Marta_Bondyra,
your advice is perfect, I have created 4 filters, used Vertical Bar Chart and now my chart looks like I wanted. Thanks for help and have a nice day.

1 Like

Hello @Marta_Bondyra,
recently you have helped me very much. I need another advice, I tried many combinations but all failed.
I have logs from winlogbeat, they look like these

Time						message						winlog.user.name	winlog.user_data.Param8
Oct 13, 2020 @ 13:22:23.686	Document 30, Print Document userA				6
Oct 13, 2020 @ 13:10:16.047	Document 29, Print Document userB				1
Oct 13, 2020 @ 13:04:21.049	Document 28, Print Document userC				2
Oct 13, 2020 @ 12:56:23.686	Document 27, Print Document userB				2
Oct 13, 2020 @ 12:54:18.047	Document 26, Print Document userB				1
Oct 13, 2020 @ 12:50:24.049	Document 25, Print Document userC				1

I'd like to get such chart as below

kibana10

Is't possible do something like this in Kibana?

Hi @zen.xen,

you have 2 options here - you can either create a lens visualisation with the following setup:


If you know at the beginning how many more or less users you have, remember to slide up the slider clicking on the X-axis 'Top values of user' button.
image

Second option (this is the option when you don't want to get top values of the field 'winlog.user.name' but only some specific values (like you want to ignore userD which happens to have the most entries and only display values from users A, B and C) is to create filters aggregation vizualization again, just like in the example in my previous answer (count on Y-axis and filters in X-axis )

Hi @Marta_Bondyra,
I don't use lens to create visualization, I don't have x-pack because I use Bitnami ELK stack, I only use Buckets with proper filters like in your previous post.

@zen.xen instead of filters, you can also use 'terms' aggregation on vertical bar which is equivalent of Lens - it will give top (x) values of a field 'user'.

after your suggestion I did sth like this

but chart shows how many printouts were done by user not how many pages were printed

kibana12

Not sure what's the structure of your data, but if you have a field, eg. pages_printed, instead of Aggregation of 'Count' on Y-axis, use aggregation sum of a field you want to sum, so in my example case pages_printed.

Hello,
my structure looks like below

Time, 
message, 
winlog.user.name = user name
winlog.user_data.Param8 = printed pages

So your visualization configuration should like this one:

Hello @Marta_Bondyra,
it doesn't work but now I know why. Let me explain, in your example there is one thing, in the Y-axis > field there appeared winlog.user_data.Param8, I got flash of insight, I have checked how winlogbeat treats that field, in my case this field is STRING type. In Windows there is an Event ID=307 in Microsoft-Windows-PrintService/Operational and this looks sth like this

Document 128, Print Document owned by xxx was printed ...... . Pages printed: 2. No user action is required.

So, I can't sum how many pages were printed by user.
Maybe you know, is it possible to convert string to number in winlogbeat?

@zen.xen,

it would be the easiest if you could ingest the data as number, but the workaround would be to create scripted field and then use scripted field with a script like that:

if (doc['winlog.user_data.Param8'].empty) { 
    return "0" 
} else { 
    return Double.parseDouble(doc['winlog.user_data.Param8'].value); 
}

To learn more you can look here: https://www.jtouzi.net/asides/convert-a-field-from-string-to-number-using-painless-in-kibana-elasticsearch/

about scripted fields: https://www.pixelite.co.nz/article/how-to-create-scripted-fields-in-kibana/

@Marta_Bondyra,
fantastic, it works!!! Now I have what I wanted.
thank you very much

1 Like

Great, I am happy I could help you!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.