Working with Charts

Overview of Charts

Chart enables a user to create graphical representation of the data in NetForest indices. A user can then build dashboards that display related charts. NetForest charts are based on NetForest queries. By using a series of NetForest aggregations to extract and process data, user can create charts that displays trends, spikes, and dips. User can create charts from a saved search or start with a new search query.

On clicking the Charts menu at the left-pane, following window is displayed:

For creation of a particular chart type, user needs to select it from the list and proceed further. The detailed description of chart types is provided in the subsequent sections. From this window, user can create a new chart from the available chart types (at the left pane) or can open an existing chart (at the right pane).

Layout of Charts

The layout of chart contains selection of metrics and buckets at the left panel and chart generation at the right panel. The details of each field are described in the subsequent section.

There is a check box at the top i.e. show logs. On clicking this check box, the logs are displayed in the same window below the chart.

Creating a Chart

To create a chart, follow the below mentioned steps:

Click Charts on the left menu,
Select the chart type.

Chart Type	Description
Area Chart	Displays graphically quantitative data. It is based on the line chart. The area between axis and line are commonly emphasized with colors, textures, and hatchings.
Data table	Display the raw data of a composed aggregation.
Gauge	Gauge charts, also known as dial charts or speedometer charts, use needles to show information as a reading on a dial. On a gauge chart, the value for each needle is read against the colored data range or chart axis.
Line chart	Compare different series.
Markdown widget	Display free-form information or instructions.
Metric	Display a single number.
Pie chart	Display each source’s contribution to a total.
Tile map	Associate the results of aggregation with geographic locations.
Timeseries	Compute and combine data from multiple time series data sets.
Vertical bar chart	Graph values in a bar chart.

Specify a search query to retrieve the data for chart:
- To enter new search criteria, select the index pattern for the indices that contain the data. This opens the visualization builder with a wildcard query that matches all the documents in the selected indices.

On creating charts from a saved search, any subsequent modifications to the saved search are reflected in the charts automatically. To disable automatic updates, user can disconnect a chart from the saved search.

To build a chart from a saved search, click the name of the saved search. This displays the visualization builder and loads the selected query.

In the chart builder, select the metric aggregation for the chart’s Y axis:
- Count
- Count/sec
- average
- sum
- min
- max
- unique count
- median (50th percentile)
- percentiles
- percentile ranks
For the chart’s X axis, select a bucket aggregation:
- date histogram
- range
- terms
- filters
- significant terms

Types of Charts

There are the following types of charts in NetForest:

Area Charts: This chart’s Y axis is the metrics axis. The following aggregations are available for this axis:

Count: The count aggregation returns a raw count of the elements in the selected index pattern.
Average: This aggregation returns the average of a numeric Select a field from the drop-down.
Sum: The sum aggregation returns the total sum of a numeric field. Select a field from the drop-down.
Min: The min aggregation returns the minimum value of a numeric field. Select a field from the drop-down.
Max: The max aggregation returns the maximum value of a numeric field. Select a field from the drop-down.
Unique Count: The cardinality aggregation returns the number of unique values in a field. Select a field from the drop-down.
Percentiles: The percentile aggregation divides the specified values (in a numeric field) into percentile bands. Select a field from the drop-down, then specify one or more ranges in the Percentiles Click the X to remove a percentile field. Click + Add to add a percentile field.
Percentile Rank: The percentile ranks aggregation returns the percentile rankings for the specified values in the numeric field. Select a numeric field from the drop-down, then specify one or more percentile rank values in the Values Click the X to remove a values field. Click +Add to add a values field.

User can add an aggregation by clicking the + Add Metrics button. The X axis of this chart is the buckets axis. User can define buckets for the X axis, for a split area on the chart, or split charts.

This chart’s X axis supports the following aggregations.

Date Histogram: A date histogram is built from a numeric field and organized by date. User can specify a time frame for the intervals in seconds, minutes, hours, days, weeks, months, or years. User can also specify a custom interval frame by selecting Custom as the interval and specifying a number and a time unit in the text field. Custom interval time units are s for seconds, m for minutes, h for hours, d for days, w for weeks, and y for years. Different units support different levels of precision, down to one second.
Histogram: A standard histogram is built from a numeric field. Specify an integer interval for this field. Select the Show empty buckets checkbox to include empty intervals in the histogram.
Range: With a range aggregation, user can specify ranges of values for a numeric field. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range.
Date Range: A date range aggregation reports values that are within a range of specified dates. User can specify the ranges for the dates using date math expressions. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range.
IPv4 Range: The IPv4 range aggregation enables the user to specify ranges of IPv4 addresses. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range.
Terms: A terms aggregation enables the user to specify the top or bottom n elements of a given field to display, ordered by count or a custom metric.
Filters: User can specify a set of filters for the data as a query string or in JSON format, just as in the Discover search bar. Click Add Filter to add another filter. Click the label button to open the label field, where user can type in a name to display on the chart.
Significant Terms: Displays the results of the experimental significant terms aggregation.

Once X-axis aggregation is specified, the user can define sub-aggregations to refine the chart. Click + Add Sub Aggregation to define a sub-aggregation, then select Split Area or Split Chart, then select a sub-aggregation from the list of types.

When multiple aggregations are defined on a chart’s axis, user can use the up or down arrows to the right of the aggregation’s type to change the aggregation’s priority.

Enter a string in the Custom Label field to change the display label. For example, a chart of dates with incident counts can display dates in chronological order or raise the priority of the incident-reporting aggregation to show the most active dates first. The chronological order might show a time-dependent pattern in the incident count, and sorting by active dates can reveal particular outliers in data.

Users can customize the colors of the charts by clicking the color dot next to each label to display the color picker.

Users can click the Advanced link to display more customization options for the metrics or bucket aggregation:

Exclude Pattern: Specify a pattern in this field to exclude from the results.
Include Pattern: Specify a pattern in this field to include in the results.
JSON Input: A text field where user can add specific JSON-formatted properties to merge with the aggregation definition, as in the following example:

The availability of these options varies depending on the selection of aggregation.

Select the Options tab to change the following aspects of the chart:

Chart Mode: On having multiple Y-axis aggregations defined for chart, use this drop-down to affect how the aggregations display on the chart:

Stacked: Stacks the aggregations on top of each other.
Overlap: The aggregations overlap, with translucency indicating areas of overlap.
Wiggle: Displays the aggregations as a streamgraph.
Percentage: Displays each aggregation as a proportion of the total.
Silhouette: Displays each aggregation as variance from a central line.

Checkboxes are available to enable and disable the following behaviors:

Line Mode: User can select between straight line, smoothed line and stepped line.
Set Y-Axis Extents: Select this check box and enter values in the y-max and y-min fields to set the Y axis to specific values.
Scale Y-Axis to Data Bounds: The default Y axis bounds are zero and the maximum value returned in the data. Select this check box to change both upper and lower bounds to match the values returned in the data.
Order buckets by descending sum: Select this check box to enforce sorting of buckets by descending sum in the chart.
Show Tooltip: Select this check box to enable the display of tooltips.

Data Table

The data table provides a detailed breakdown, in tabular format, of the results of a composed aggregation. A data table is available from many other charts by clicking grey bar at the bottom of the chart.

The bucket type aggregation options are similar to Area charts which have been described earlier. Here, we are describing the options which are available in the Data table, but not in Area chart.

Once bucket type aggregation is specified, the user can define sub-buckets to refine the charts. Click + Add sub-buckets to define a sub-bucket, then select Split Rows or Split Table, then select an aggregation from the list of types.

User can use the up or down arrows to the right of the aggregation’s type to change the aggregation’s priority. Enter a string in the Custom Label field to change the display label. Select the Options tab to change the following aspects of the table:

Gauge

A gauge visualization displays in which predefined range falls your metric.

Metric Aggregations:

Count: The count aggregation returns a raw count of the elements in the selected index pattern.
Average: This aggregation returns the average of a numeric field. Select a field from the drop-down.
Sum: The sum aggregation returns the total sum of a numeric field. Select a field from the drop-down.
Min: The min aggregation returns the minimum value of a numeric field. Select a field from the drop-down.
Max: The max aggregation returns the maximum value of a numeric field. Select a field from the drop-down.
Unique Count: The cardinality aggregation returns the number of unique values in a field. Select a field from the drop-down.
Standard Deviation: The extended stats aggregation returns the standard deviation of data in a numeric field. Select a field from the drop-down.
Percentiles: The percentile aggregation divides the values in a numeric field into percentile bands that you specify. Select a field from the drop-down, then specify one or more ranges in the Percentiles Click the X to remove a percentile field. Click + Add to add a percentile field.
Percentile Rank: The percentile ranks aggregation returns the percentile rankings for the values in the numeric field you specify. Select a numeric field from the drop-down, then specify one or more percentile rank values in the Values Click the X to remove a values field. Click +Add to add a values field.

JSON Input

A text field where you can add specific JSON-formatted properties to merge with the aggregation definition, as in the following example:

{“script”: “doc[‘grade’].value * 1.2” }

Options Tab

The availability of these options varies depending on the aggregation you choose.

Click the Options tab to change the following options:

Gauge label: Denotes the label of the gauge chart.
Gauge Min: Denotes the minimum value of the gauge chart.
Gauge Max: Denotes the maximum value of the gauge chart.
Gauge level: User can create various levels, assign threshold values and color-coding to that level.

Line Chart

This is the best chart for high-density time series. Great chart for comparing one series to another. The bucket type aggregation options are similar to Area charts which has been described earlier. Here, we are describing the options which are available in Line chart, but not in Area chart.

Before selecting a buckets aggregation, specify if splitting slices within a single chart or splitting into multiple charts. A multiple chart split must run before any other aggregations. On splitting a chart, user can change if the splits are displayed in a row or a column by clicking the Rows | Columns selector.

The X axis of this chart is the buckets axis. User can define buckets for the X axis, for a split area on the chart, or for split charts.

Select the Options tab to change the following aspects of the chart:

Y-Axis Scale: User can select linear, log, or square root scales for the chart’s Y axis. User can use a log scale to display data that varies exponentially, such as a compounding interest chart, or a square root scale to regularize the display of data sets with variabilities that are themselves highly variable. This kind of data, where the variability is itself variable over the domain being examined, is known as heteroscedastic data. For example, if a data set of height versus weight has a relatively narrow range of variability at the short end of height, but a wider range at the taller end, the data set is heteroscedastic.
Line Mode: User can select between straight line, smoothed line, and stepped line.
Show Connecting Lines: Select this check box to draw lines between the points on the chart.
Show Circles: Select this check box to draw each data point on the chart as a small circle.
Current time marker: For charts of time-series data, select this check box to draw a red line on the current time.

Set Y-Axis Extents: Select this check box and enter values in the y-max and y-min fields to set the Y axis to specific values.

Show Tooltip: Select the check box to enable the display of tooltips.

Scale Y-Axis to Data Bounds: The default Y-axis bounds are zero and the maximum value returned in the data. Select this check box to change both upper and lower bounds to match the values returned in the data.

Order buckets by descending sum: Select this check box to enforce sorting of buckets by descending sum in the chart.

After changing options, click the Apply changes button to update the charts, or the grey Discard changes button to keep the charts in their current state.

Bubble Charts

User can convert a line chart to a bubble chart by performing the following steps:

Click Add Metrics for the chart’s Y axis, then select Dot Size.
Select a metric aggregation from the drop-down list.
In the Options tab, clear the Show Connecting Lines check box.
Click the Apply changes

Markdown widget

This is useful for displaying explanations or instructions for dashboard. It is a text entry field that accepts GitHub-flavored Markdown text. NetForest renders the entered text in this field and displays the results on the dashboard. User can click the Help link to go to the help page for GitHub flavored Markdown. Click Apply to display the rendered text in the Preview pane or Discard to revert to a previous version.

Tile Maps

A tile map displays a geographic area overlaid with circles keyed to the data determined by the specified buckets. The aggregation options are similar with Area chart. The buckets aggregations determine what information is being retrieved from the data set.

Before selecting a buckets aggregation, specify if splitting the chart is needed or displaying the buckets as Geo Coordinates on a single chart. A multiple chart split must run before any other aggregations.

Tile maps use the Geohash aggregation as their initial aggregation. Select a field, typically coordinates, from the drop-down. The Precision slider determines the granularity of the results displayed on the map.

Select the Options tab to change the following aspects of the chart:

Map type: Select one of the following options from the drop-down.

Scaled Circle Markers: Scale the size of the markers based on the metric aggregation’s value.
Shaded Circle Markers: Displays the markers with different shades based on the metric aggregation’s value.
Shaded Geohash Grid: Displays the rectangular cells of the geohash grid instead of circular markers, with different shades based on the metric aggregation’s value.
Heatmap: A heat map applies blurring to the circle markers and applies shading based on the amount of overlap. Heatmaps have the following options:
Radius: Sets the size of the individual heatmap dots.
Blur: Sets the amount of blurring for the heatmap dots.
Maximum zoom: Tilemaps in NetForest support 18 zoom levels. This slider defines the maximum zoom level at which the heatmap dots appear at full intensity.
Minimum opacity: Sets the opacity cutoff for the dots.
Show Tooltip: Select this check box to have a tooltip with the values for a given dot when the cursor is on that dot.

Desaturate map tiles: Desaturate the map’s color in order to make the markers stand out more clearly.

WMS compliant map server: Select this check box to enable the use of a third-party mapping service that complies with the Web Map Service (WMS) standard. Specify the following elements:

WMS url: The URL for the WMS map service.
WMS layers: A comma-separated list of the layers to use in this chart. Each map server provides its own list of layers.
WMS version: The WMS version used by this map service.
WMS format: The image format used by this map service. The two most common formats are image/png and image/jpeg.
WMS attribution: An optional, user-defined string that identifies the map source. Maps display the attribution string in the lower right corner.
WMS styles: A comma-separated list of the styles to use in this chart. Each map server provides its own styling options.

After changing options, click the Apply changes button to update the chart, or the grey Discard changes button to keep the charts in their current state.

Navigating the Map

Once the tilemap chart is ready, the user can explore the map in several ways:

Click and hold anywhere on the map and move the cursor to move the map center. Hold Shift and drag a bounding box across the map to zoom in on the selection.
Click the Zoom In/Out buttons to change the zoom level manually.
Click the Fit Data Bounds button to automatically crop the map boundaries to the geohash buckets that have at least one result.
Click the Latitude/Longitude Filter button, then drag a bounding box across the map, to create a filter for the box coordinates.

Vertical Bar Charts

This chart’s Y axis is the metrics axis. The aggregation options are similar with Area chart.

Select the Options to change the following aspects of the table:

Bar Mode: On having multiple Y-axis aggregations defined for the chart, user can use this drop-down to affect how the aggregations display on the chart:

Stacked: Stacks the aggregations on top of each other.
Percentage: Displays each aggregation as a proportion of the total.
Grouped: Groups the results horizontally by the lowest-priority sub-aggregation.

Checkboxes are available to enable and disable the following behaviors:

Show Tooltip: Select this check box to enable the display of tooltips.
Scale Y-Axis to Data Bounds: The default Y axis bounds are zero and the maximum value returned in the data. Select this check box to change both upper and lower bounds to match the values returned in the data.
Order buckets by descending sum: Select this check box to enforce sorting of buckets by descending sum in the chart.

Setting Criteria in Charts

User can set different criteria (categorized with different colors) for the resultant values in the charts. Below is an illustration for the same.

For this, user first needs to select the Criteria check box and then specify the criteria for various values.