Hi folks, I'm looking for a way to show the content of an array-type field in a tooltip as a table with Vega-Lite.
The data that shall be shown in the tooltip is in aggregations->clients->buckets->topn_domains->buckets.
"aggregations": {
  "clients": {
    "doc_count_error_upper_bound": 126327,
    "sum_other_doc_count": 69324914,
    "buckets": [
      {
        "key": "10.112.192.25",
        "doc_count": 930552,
        "topn_domains": {
          "doc_count_error_upper_bound": 4212,
          "sum_other_doc_count": 702340,
          "buckets": [
            {
              "key": "DE30130PT00001.DE30130p.vw-group.com",
              "doc_count": 31821
            },
            {
              "key": "TFAOIPSRV2008.de469310.vw-group.com",
              "doc_count": 30539
            },
            {
              "key": "intranator.DE516080.vw-group.com",
              "doc_count": 24706
            },
            {
              "key": "DE246810sa0001.DE246810.vw-group.com",
              "doc_count": 23734
            },
            {
              "key": "kaspersky.de392500.vw-group.com",
              "doc_count": 20333
            },
            {
              "key": "de469310c00019.de469310.vw-group.com",
              "doc_count": 19530
            },
            {
              "key": "de469310t00058.de469310.vw-group.com",
              "doc_count": 19512
            },
            {
              "key": "de469310o00153.de469310.vw-group.com",
              "doc_count": 19409
            },
            {
              "key": "de201250s00010.de201250.vw-group.com",
              "doc_count": 19330
            },
            {
              "key": "de469310c00441.de469310.vw-group.com",
              "doc_count": 19298
            }
          ]
        },
        "unique_queries": {
          "value": 143352
        },
        "query_ratio": {
          "value": 15.405049905862327
        }
      },
It's about analyzing DNS logs. The visualization should show the Top10 DNS clients and their ratio between unique and overall queries in the chart and additionally the number of their queries, the number of their unique domain queries, the ratio between their unique/overall queries and a Top10 domain list they queried in the tooltip. This is how far I have come.
This is the tooltip section:
"tooltip": [
  { "field": "topn_client_queries", "type": "quantitative", "title": "Queries" },
  { "field": "topn_client_queries_unique", "type": "quantitative", "title": "Unique Queries" },
  { "field": "topn_client_queries_ratio", "type": "quantitative", "format": ".1f", "title": "Query Ratio" },
  { "field": "c.topn_domains.buckets", "type": "nominal", "title": "Top10 domains" }
]
And here is a link to the spec
I found no way to encode the buckets from aggregations->clients->buckets->topn_domains->buckets in a reasonable way as a table in the tooltip. I also tried to flatten these buckets and assemble strings from key and doc_count, but then I stumbled on how to output these 10 new strings at one time in the tooltip.
Maybe it's totally easy but I just don't see it. Do you have a hint on how to handle this?
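
The flattening described in the post, done on the response before it reaches the chart, as an added example that is not part of the original post: each client bucket becomes one row, and its nested domain buckets are joined into a single string that one tooltip channel can carry. The function name `flattenClients`, the `client` and `top_domains` fields, the separator and the second sample bucket are hypothetical; the ratio is assumed to be unique/total × 100, which reproduces the `query_ratio` value in the quoted response.

```javascript
// Constructed sample in the shape of the response quoted above (two domains kept).
const sampleResponse = {
  aggregations: {
    clients: {
      buckets: [
        {
          key: "10.112.192.25",
          doc_count: 930552,
          topn_domains: {
            sum_other_doc_count: 702340,
            buckets: [
              { key: "DE30130PT00001.DE30130p.vw-group.com", doc_count: 31821 },
              { key: "TFAOIPSRV2008.de469310.vw-group.com", doc_count: 30539 },
            ],
          },
          unique_queries: { value: 143352 },
        },
        // Constructed edge case: a client bucket with no sub-aggregations.
        { key: "192.0.2.10", doc_count: 0 },
      ],
    },
  },
};

// Turn each client bucket into one flat row; the nested domain buckets
// become a single string so one tooltip channel can carry all of them.
function flattenClients(response, sep = " | ") {
  const clients = response?.aggregations?.clients?.buckets ?? [];
  return clients.map((c) => {
    const total = c.doc_count ?? 0;
    const unique = c.unique_queries?.value ?? 0;
    const domains = c.topn_domains?.buckets ?? [];
    const lines = domains.map((d, i) => `${i + 1}. ${d.key} (${d.doc_count})`);
    const other = c.topn_domains?.sum_other_doc_count ?? 0;
    if (other > 0) lines.push(`other (${other})`);
    return {
      client: c.key,
      topn_client_queries: total,
      topn_client_queries_unique: unique,
      // Assumed definition: share of unique queries in percent; 0 for empty buckets.
      topn_client_queries_ratio: total > 0 ? (unique / total) * 100 : 0,
      top_domains: lines.join(sep),
    };
  });
}

console.log(flattenClients(sampleResponse));
```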