Vega-lite group count - Kibana 6.6

Hi,

I'm new to vega and trying to show the group count of sourceaddress when you hover over the graph item. The sourceaddress is a string. I've tried various ways but the below only shows zero.

Any help would be much appreciated

Martin

{
  "$schema": "https://vega.github.io/schema/vega-lite/v2.json",
  data: {
    url: {
      %context%: true
      %timefield%: @timestamp
      index: "acsc-main-controls-*"
      body: {
        size: 1000
        _source: ["@timestamp", "sourceaddress", "control", "controlcategory", "eventid", "acsctype"]
      }
    }
    format: {property: "hits.hits"}
  }
  width: 600
  height: 400
  transform: [
    // "summarize" is Vega-Lite 1.x syntax; the 2.x schema does not know it, so
    // xcount was never computed. A 2.x "aggregate" transform would compute it,
    // but it collapses the data to one row per address and drops @timestamp and
    // control, which the x and y channels need. A window count keeps every hit
    // and attaches the per-address count to it (window transforms exist from
    // Vega-Lite 2.5; check which version your Kibana bundles).
    {
      window: [{op: "count", as: "xcount"}]
      groupby: ["_source.sourceaddress"]
      frame: [null, null]
    }
    // "as" needs a separator from the calculate expression
    {calculate: "toDate(datum._source['@timestamp'])", as: "time"}
  ]
  mark: {
    type: "circle"
    opacity: 0.8
    stroke: "black"
    strokeWidth: 0
  }
  encoding: {
    x: {field: "time", type: "temporal", axis: {labelAngle: 0}}
    y: {field: "_source.control", type: "nominal", axis: {title: ""}}
    tooltip: [
      {title: "Control Category", type: "nominal", field: "_source.controlcategory"}
      {title: "Control", type: "nominal", field: "_source.control"}
      {title: "Source Address", type: "nominal", field: "_source.sourceaddress"}
      {title: "Count", type: "quantitative", field: "xcount"}
    ]
    size: {
      field: "_source.sourceaddress"
      type: "nominal"
      legend: {title: "Source Address", clipHeight: 30}
      scale: {range: [0, 1000]}
    }
    color: {field: "_source.control", type: "nominal", legend: null}
  }
  // the original had no separator between encoding and selection
  selection: {
    selector015: {
      type: "interval"
      bind: "scales"
      encodings: ["x", "y"]
      on: "[mousedown, window:mouseup] > window:mousemove!"
      translate: "[mousedown, window:mouseup] > window:mousemove!"
      zoom: "wheel!"
      mark: {fill: "#333", fillOpacity: 0.125, stroke: "white"}
      resolve: "global"
    }
  }
}

@nyuriks help please?

Thanks,
Bhavya

Hi @martb, could you post what you already have with these instructions? It would make it easier to figure out what kind of data you have - https://gist.github.com/nyurik/736c34970ba3c32f3fe3d45d66719b3e
Thanks!

Hi,

If I paste the below into a Vega editor I'll see the relevant details when I hover over the data, i.e. the number of records, but you don't see such tooltip info in Kibana. Is this a limitation of the version of Vega used by Kibana? I'm trying to show the record count when I hover over the data.

Regards

Martin

{
  "$schema": "https://vega.github.io/schema/vega-lite/v2.4.json",
  "data": {
    "values": [
      {
        "@timestamp": "2019-02-13T11:15:01Z",
        "control": "Firewall",
        "controlcategory": "Monitoring",
        "platformtype": "Device",
        "eventid": 489,
        "sourceaddress": "192.168.121.74",
        "outcome": "Rejected",
        "platformaddress": "192.168.10.6",
        "transportprotocol": "TCP",
        "@version": "1",
        "destinationport": "42058",
        "acsctype": " 2-7",
        "sourceport": "47750",
        "eventtype": "Packet filtered",
        "outofhours": "false",
        "destinationaddress": "224.0.0.22"
      },
      {
        "@timestamp": "2019-02-13T10:02:36Z",
        "control": "Firewall",
        "controlcategory": "Monitoring",
        "platformtype": "Device",
        "eventid": 350,
        "sourceaddress": "192.168.121.74",
        "outcome": "Rejected",
        "platformaddress": "192.168.10.8",
        "transportprotocol": "TCP",
        "@version": "1",
        "destinationport": "37487",
        "acsctype": "2-7",
        "sourceport": "64262",
        "eventtype": "Packet filtered",
        "outofhours": "false",
        "destinationaddress": "192.168.10.41"
      },
      {
        "@timestamp": "2019-02-13T10:02:36Z",
        "control": "Firewall",
        "controlcategory": "Monitoring",
        "platformtype": "Device",
        "eventid": 351,
        "sourceaddress": "192.168.121.74",
        "outcome": "Rejected",
        "platformaddress": "192.168.10.7",
        "transportprotocol": "TCP",
        "@version": "1",
        "destinationport": "37487",
        "acsctype": "2-7",
        "sourceport": "64262",
        "eventtype": "Packet filtered",
        "outofhours": "false",
        "destinationaddress": "192.168.10.41"
      }
    ]
  },
  "width": 600,
  "height": 400,
  "mark": {
    "type": "circle",
    "opacity": 0.8,
    "stroke": "black",
    "strokeWidth": 1
  },
  "encoding": {
    "x": {
      "field": "@timestamp",
      "type": "temporal",
      "axis": {
        "labelAngle": 0
      }
    },
    "y": {
      "field": "control",
      "type": "nominal"
    },
    "size": {
      "aggregate": "count", 
      "type": "quantitative",
      
      "scale": {
        "range": [
          0,
          1000
        ]
      }
    },
    "color": {
      "field": "controlcategory",
      "type": "nominal"
    }
  }
}

@martb if you open the bottom left panel in the Vega editor (compiled Vega), you will see this line:

"tooltip": {
   "signal": "{\"@timestamp\": timeFormat(datum[\"@timestamp\"], '%b %d, %Y'), \"control\": ''+datum[\"control\"], \"Count of Records\": format(datum[\"count_*\"], \"\"), \"controlcategory\": ''+datum[\"controlcategory\"]}"
},

In other words, Vega-Lite generates a tooltip instruction for Vega. If you follow my gist instructions above, you will be able to see the compiled Vega as generated by Kibana's version of Vega-Lite. Take a look at whether it has a tooltip. If it doesn't, this must have been added to Vega-Lite in a newer version. Kibana 7.x will have an updated version of Vega and Vega-Lite.

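The check described in the reply above (look at the compiled Vega and see whether any mark carries a tooltip encoding) can be automated. The script below is an added example, not code from this thread, from Kibana or from the Vega project: it walks the `marks` of a compiled Vega spec, including nested `group` marks, which is how layered and faceted Vega-Lite charts compile, reports which marks have a `tooltip` in their `enter` or `update` encoding, and lists the `datum[...]` fields the tooltip signal reads, so you can confirm the aggregated count field actually reached the tooltip. The two specs it runs on are constructed here to mirror the compiled fragment quoted above; they are not real Kibana output.

```python
import json
import re

# Constructed sample (not Kibana output): the shape of the compiled Vega
# fragment quoted above, reduced to a single symbol mark with a tooltip signal.
COMPILED_WITH_TOOLTIP = {
    "$schema": "https://vega.github.io/schema/vega/v4.json",
    "marks": [
        {
            "name": "marks",
            "type": "symbol",
            "from": {"data": "data_0"},
            "encode": {
                "update": {
                    "x": {"scale": "x", "field": "@timestamp"},
                    "tooltip": {
                        "signal": (
                            '{"@timestamp": timeFormat(datum["@timestamp"], \'%b %d, %Y\'), '
                            '"control": \'\'+datum["control"], '
                            '"Count of Records": format(datum["count_*"], ""), '
                            '"controlcategory": \'\'+datum["controlcategory"]}'
                        )
                    },
                }
            },
        }
    ],
}

# Constructed sample: the same chart as a layered spec compiled by a Vega-Lite
# that ignores the tooltip channel. The symbol mark sits inside a group mark.
COMPILED_WITHOUT_TOOLTIP = {
    "$schema": "https://vega.github.io/schema/vega/v4.json",
    "marks": [
        {
            "name": "layer_0_group",
            "type": "group",
            "marks": [
                {
                    "name": "layer_0_marks",
                    "type": "symbol",
                    "encode": {"update": {"x": {"scale": "x", "field": "@timestamp"}}},
                }
            ],
        }
    ],
}

# datum["field"] references inside a Vega expression string
DATUM_REF = re.compile(r'datum\["([^"]+)"\]')


def find_tooltips(spec, path="marks"):
    """Return (mark_path, tooltip_encoding) pairs for every mark in the spec.

    Recurses into group marks so tooltips in layers/facets are found too.
    """
    found = []
    for i, mark in enumerate(spec.get("marks", [])):
        here = f"{path}[{i}]({mark.get('name', mark.get('type'))})"
        for phase in ("enter", "update"):
            tip = mark.get("encode", {}).get(phase, {}).get("tooltip")
            if tip is not None:
                found.append((here, tip))
        if mark.get("type") == "group":
            found.extend(find_tooltips(mark, here))
    return found


def referenced_fields(tooltip):
    """Field names a tooltip encoding reads from each datum."""
    if "field" in tooltip:
        return [tooltip["field"]]
    if "signal" in tooltip:
        return DATUM_REF.findall(tooltip["signal"])
    return []


def report(spec):
    """Summarise tooltip support in a compiled Vega spec (dict)."""
    hits = find_tooltips(spec)
    fields = sorted({f for _, tip in hits for f in referenced_fields(tip)})
    return {"has_tooltip": bool(hits), "marks": [p for p, _ in hits], "fields": fields}


def report_json(text):
    """Same as report(), for the raw JSON text copied out of Kibana."""
    return report(json.loads(text))


if __name__ == "__main__":
    for label, spec in (("with", COMPILED_WITH_TOOLTIP), ("without", COMPILED_WITHOUT_TOOLTIP)):
        print(label, report(spec))
```

Paste the compiled Vega you extracted from Kibana into `report_json`; an empty `marks` list in the result means the bundled Vega-Lite dropped the tooltip channel, and a `fields` list without the count field means the aggregate never reached the tooltip even though one was emitted.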

Hi.

Thanks for the reply. This feature doesn't appear to be in the current release, i.e. 6.6. I will look to see if there is any difference in the 7.x beta.

thanks

Martin
