Kibana Scatter Plot Graph - Lines in the middle

Hi All,
I'm trying to draw 2 black lines in a cross manner right in the middle of the graph. Any suggestions? I'll post a snap and the code below.

{
  "$schema": "https://vega.github.io/schema/vega-lite/v5.json",
  "description": "A scatterplot showing...",
  "data": {
    "values": [
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:55.755623",
        "source_ip": "1.10.252.196",
        "source_host": "hacker_17",
        "destination_ip": "172.31.65.89",
        "destination_host": "printer_17",
        "flow_bytes/s": 5006827.492,
        "flow_byte_mb": "5.01mb:",
        "class": "neptune",
        "severity": "high",
        "flow_packets": 11379.15339,
        "service": 0,
        "flag": "rej",
        "threat": 91,
        "certainty": 48
      },
      {
        "duration": 898,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 11:02:52.858157",
        "source_ip": "1.10.252.196",
        "source_host": "hacker_17",
        "destination_ip": "172.31.65.89",
        "destination_host": "printer_17",
        "flow_bytes/s": 2674.703056,
        "flow_byte_mb": "2.67kb",
        "class": "apache_2",
        "severity": "low",
        "flow_packets": 27.63122992,
        "service": "http",
        "flag": "rstr",
        "threat": 15,
        "certainty": 14
      },
      {
        "duration": 0,
        "protocol_type": "udp",
        "timestamp": "2018-12-01 10:51.852499.",
        "source_ip": "1.165.16.250",
        "source_host": "hacker_18",
        "destination_ip": "172.31.67.67",
        "destination_host": "smart_phone_120",
        "flow_bytes/s": 82274.24749,
        "flow_byte_mb": "82.27kb",
        "class": "snmpgetattack",
        "severity": "low",
        "flow_packets": 2675.585284,
        "service": "private",
        "flag": "sf",
        "threat": 32,
        "certainty": 31
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 11:02.890213",
        "source_ip": "1.165.16.250",
        "source_host": "hacker_18",
        "destination_ip": "172.31.67.67",
        "destination_host": "smart_phone_120",
        "flow_bytes/s": 284211.726,
        "flow_byte_mb": "284.21kb",
        "class": "normal",
        "severity": "medium",
        "flow_packets": 651.2642668,
        "service": "http",
        "flag": "sf",
        "threat": 52,
        "certainty": 51
      },
      {
        "duration": 0,
        "protocol_type": "udp",
        "timestamp": "2018-12-01 10:52.941151",
        "source_ip": "1.170.218.162",
        "source_host": "hacker_18",
        "destination_ip": "172.31.65.8",
        "destination_host": "printer_14",
        "flow_bytes/s": 1349382.811,
        "flow_byte_mb": "1.35mb",
        "class": "normal",
        "severity": "critical",
        "flow_packets": 3066.779115,
        "service": "private",
        "flag": "sf",
        "threat": 85,
        "certainty": 67
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:59.942030",
        "source_ip": "1.170.218.162",
        "source_host": "hacker_18",
        "destination_ip": "172.31.65.8",
        "destination_host": "printer_14",
        "flow_bytes/s": 2627179.365,
        "flow_byte_mb": "2.63mb",
        "class": "normal",
        "severity": "high",
        "flow_packets": 5970.862193,
        "service": "http",
        "flag": "sf",
        "threat": 0,
        "certainty": 1
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:53.569712",
        "source_ip": "1.55.176.28",
        "source_host": "hacker_19",
        "destination_ip": "172.31.69.11",
        "destination_host": "smart_phone_144",
        "flow_bytes/s": 981333333.3,
        "flow_byte_mb": "981.33mb",
        "class": "neptune",
        "severity": "critical",
        "flow_packets": 666666.6667,
        "service": "ftp_data",
        "flag": "sf",
        "threat": 98,
        "certainty": 97
      },
      {
        "duration": 4,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:59.778963",
        "source_ip": "1.55.176.28",
        "source_host": "hacker_19",
        "destination_ip": "172.31.69.11",
        "destination_host": "smart_phone_144",
        "flow_bytes/s": 2588681.931,
        "flow_byte_mb": "2.59mb",
        "class": "guess_passwd",
        "severity": "medium",
        "flow_packets": 5931.901768,
        "service": "pop_3",
        "flag": "sf",
        "threat": 43,
        "certainty": 42
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:53.986321",
        "source_ip": "101.96.116.77",
        "source_host": "hacker_1",
        "destination_ip": "172.31.64.79",
        "destination_host": "fax_1",
        "flow_bytes/s": 1472000000,
        "flow_byte_mb": "1472.00mb",
        "class": "guess_passwd",
        "severity": "critical",
        "flow_packets": 1000000,
        "service": "telnet",
        "flag": "sf",
        "threat": 98,
        "certainty": 99
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:53.112587",
        "source_ip": "101.96.116.77",
        "source_host": "hacker_1",
        "destination_ip": "172.31.65.90",
        "destination_host": "fax_1",
        "flow_bytes/s": 2946198.4,
        "flow_byte_mb": "2.95mb",
        "class": "warezmaster",
        "severity": "medium",
        "flow_packets": 6695.905454,
        "service": "ftp_data",
        "flag": "sf",
        "threat": 40,
        "certainty": 39
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:55.740325",
        "source_ip": "101.96.116.77",
        "source_host": "hacker_1",
        "destination_ip": "172.31.68.20",
        "destination_host": "phone_4",
        "flow_bytes/s": 3677699.766,
        "flow_byte_mb": "3.68mb",
        "class": "neptune",
        "severity": "low",
        "flow_packets": 8358.408559,
        "service": "uucp",
        "flag": "s0",
        "threat": 8,
        "certainty": 7
      },
      {
        "duration": 10,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:55.378945",
        "source_ip": "101.96.116.77",
        "source_host": "hacker_1",
        "destination_ip": "172.31.65.69",
        "destination_host": "phone_4",
        "flow_bytes/s": 410040.3983,
        "flow_byte_mb": "410.04kb",
        "class": "guess_passwd",
        "severity": "critical",
        "flow_packets": 931.9099961,
        "service": "pop_3",
        "flag": "sf",
        "threat": 75,
        "certainty": 74
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:57.123456",
        "source_ip": "101.96.116.77",
        "source_host": "hacker_1",
        "destination_ip": "172.31.64.69",
        "destination_host": "printer_8",
        "flow_bytes/s": 484420.4509,
        "flow_byte_mb": "484.42kb",
        "class": "normal",
        "severity": "critical",
        "flow_packets": 1105.112734,
        "service": "http",
        "flag": "sf",
        "threat": 61,
        "certainty": 83
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:57.189042",
        "source_ip": "101.96.116.77",
        "source_host": "hacker_1",
        "destination_ip": "172.31.66.28",
        "destination_host": "printer_8",
        "flow_bytes/s": 21111324.376,
        "flow_byte_mb": "2.11mb",
        "class": "smurf",
        "severity": "critical",
        "flow_packets": 4798.464491,
        "service": "http",
        "flag": "sf",
        "threat": 65,
        "certainty": 38
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:56.984301",
        "source_ip": "101.99.59.70",
        "source_host": "hacker_20",
        "destination_ip": "172.31.64.19",
        "destination_host": "email_server",
        "flow_bytes/s": 243458.8314,
        "flow_byte_mb": "243.46kb",
        "class": "neptune",
        "severity": "medium",
        "flow_packets": 555.4048231,
        "service": "http",
        "flag": "sf",
        "threat": 33,
        "certainty": 12
      },
      {
        "duration": 0,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:52.874563",
        "source_ip": "103.46.12.151",
        "source_host": "hacker_2",
        "destination_ip": "172.31.64.119",
        "destination_host": "asus_access_point_1",
        "flow_bytes/s": 1112572.064,
        "flow_byte_mb": "1.11mb",
        "class": "satan",
        "severity": "high",
        "flow_packets": 2528.572873,
        "service": "rej",
        "flag": "rej",
        "threat": 99,
        "certainty": 32
      },
      {
        "duration": 0,
        "protocol_type": "icmp",
        "timestamp": "2018-12-01 10:53.102584",
        "source_ip": "103.70.130.74",
        "source_host": "hacker_3",
        "destination_ip": "172.31.65.9",
        "destination_host": "cisco_router_3",
        "flow_bytes/s": 0,
        "flow_byte_mb": "0",
        "class": "ipsweep",
        "severity": "critical",
        "flow_packets": 19607.84314,
        "service": "eco_i",
        "flag": "sf",
        "threat": 88,
        "certainty": 122
      },
      {
        "duration": 1,
        "protocol_type": "tcp",
        "timestamp": "2018-12-1 10:57.649701",
        "source_ip": "103.94.120.3",
        "source_host": "hacker_22",
        "destination_ip": "172.31.64.61",
        "destination_host": "desktop_30",
        "flow_bytes/s": 43820.2953,
        "flow_byte_mb": "483.82kb",
        "class": "mailbomb",
        "severity": "high",
        "flow_packets": 628.3380459,
        "service": "smtp",
        "flag": "sf",
        "threat": 70,
        "certainty": 82
      },
      {
        "duration": 805,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 11:02.978546",
        "source_ip": "104.16.24.92",
        "source_host": "hacker_4",
        "destination_ip": "192.168.10.25",
        "destination_host": "palo_alto_firewall",
        "flow_bytes/s": 2414536.323,
        "flow_byte_mb": "2.41mb",
        "class": "apache2",
        "severity": "low",
        "flow_packets": 5510.410491,
        "service": "http",
        "flag": "rstr",
        "threat": 22,
        "certainty": 62
      },
      {
        "duration": 7695,
        "protocol_type": "tcp",
        "timestamp": "2018-12-01 10:57.369636",
        "source_ip": "104.20.117.11",
        "source_host": "hacker_29",
        "destination_ip": "172.31.68.23",
        "destination_host": "smart_phone_137",
        "flow_bytes/s": 3318796.405,
        "flow_byte_mb": "3.32mb",
        "class": "processtable",
        "severity": "high",
        "flow_packets": 7581.086362,
        "service": "high",
        "flag": "sf",
        "threat": 58,
        "certainty": 24
      }
    ]
  },
  "width": 1000,
  "height": 600,
  "layer": [
    {
      "mark": {
        "type": "circle",
        "opacity": 1,
        "tooltip": {
          "content": "data"
        },
        "size": 100
      },
      "encoding": {
        "x": {
          "field": "certainty",
          "type": "quantitative",
          "scale": {"domain": [0, 100]},
          "axis": {"tickCount": 10, "title": "certainty"}
        },
        "y": {
          "field": "threat",
          "type": "quantitative",
          "scale": {"domain": [0, 100]},
          "axis": {"tickCount": 10, "title": "threat"}
        },
        "color": {
          "field": "severity",
          "title": "severity"
        }
      }
    },
    {
      "mark": "rule",
      "encoding": {
        "x": {
          "field": "certainty",
          "type": "quantitative",
          "aggregate": "mean"
        },
        "y": {
          "field": "threat",
          "type": "quantitative",
          "aggregate": "mean"
        }
      }
    }
  ]
}

Hey @momo1104

You could separate the rule marks into their own layer. The difficulty with this is determining a pixel length/height for each line to get say a 20px x 20 px cross with the origin at the mean/mean coordinate. See example here as shown below.

Another approach would be to use a point mark instead, with a simple svg cross path scaled to whatever pixel value you want. The layer would look something like this...

{
  "mark": {
    "type": "point",
    "shape": "M -1 0 L 1 0 M 0 1 L 0 -1",
    "strokeWidth": 1,
    "size": 10000,
    "color": "red"
  },
  "encoding": {
    "x": {
      "field": "certainty",
      "type": "quantitative",
      "aggregate": "mean"
    },
    "y": {
      "field": "threat",
      "type": "quantitative",
      "aggregate": "mean"
    }
  }
}

And the chart would look like this...

See the full example here.

hooray! Thanks @nickofthyme

1 Like