Adding a Sankey Diagram Widget

Owned by Omry Koschitzky
Last updated: Jun 23, 2022 by Noga Aviram (Unlicensed)
3 min read

The Sankey diagram is a flow diagram in which the width of the arrows is proportional to the flow rate. It displays a flow of events with a visual representation of their movement and number of occurrences.
The search query behind a Sankey is a complex search which uses a simple count/group by objects.

To add a Sankey widget:

  1. In Title, type a name for the widget.
  2. In Search Query, enter a search query that uses count and group by. Ensure the result returns a combination of up to 5 'grouped by' items and their count - you may test your search in the search console prior to defining the Sankey.
  3. In Time Range, select the time frame following which the widget display is to be refreshed.
  4. More Settings:
    1. SANKEY COLOR THEME
      1. Monochrome for all columns - displays a view where all the columns are coloured the same (across the items flow).
      2. Use separate color per column - displays a view where each column is coloured differently.

    2. CREATE HIGHLIGHTED FILTERS

      A filter based on a search that helps highlighting specific items/flows - numbers thresholds, specific values, etc. 
  5. Click the Save button.
    The widget is saved in the dashboard.

Example: errors in an environment -  the following Sankey shows number of errors found in logs in a flow diagram: SOURCE LOG >> APPTAG >> SOURCE SERVER (using the query: error | count | group by ext.log,ext.app, ext.server | order by count desc) where specific flows are highlighted in red and others in orange


Example: Errors flow in an environment -  the following Sankey shows top errors found in logs (identified by XpoLog Analytics) in a flow diagram: ERROR >> RISK LEVEL >> SOURCE LOG >> SOURCE SERVER (using the query: * | analytics | group by Ext.log, Ext.server | display only analytics name , analytics risk in query format ("1 or 2 or 3","LOW RISK","4 or 5 or 6","MEDIUM RISK","7 or 8 or 9 or 10","HIGH RISK"), Ext.log as Log, Ext.server as Server, count | where analytics name != NULL | order by count desc)


Example: IP flow in access log -  the following Sankey shows top 50 IP addresses flow: IP >> VISITED URL >> HTTP STATUS CODE (using the query: IP != NULL AND  URL != NULL AND STATUS_CODE != NULL in log.access | count | group by IP, URL, STATUS _CODE | order by count desc | first 50)