Clustered Line Chart¶

The Clustered Line chart is an extension of the Line Chart in which multiple lines are used to represent values of different categories. Silimar to the Clustered Column Chart, in a Clustered Line chart the x-axis contains the values of the grouping parameters, and the y-axis contains the scale to measure the value of an aggregation parameter of the particular grouping parameter.

The following query gives the output shown above.

| chart count(), avg(sig_id) by action

Response Types Supported¶

The Clustered Line chart supports three aggregation response types for representation of search results in the visualization. They are:

Response Type	General Syntax
Multiple Aggregation with Grouping	\| chart aggregation_parameter1, aggregation_parameter2 by grouping_parameter1, grouping_parameter2, ...,grouping_parametern
Timechart Single Aggregation with Grouping	\| timechart aggregation_parameter by grouping_parameter1, grouping_parameter2, ....., grouping_parametern
Timechart Multiple Aggregation without Grouping	\| timechart aggregation_parameter1, aggregation_parameter2, .... aggregation_parametern

Response Type

General Syntax

Multiple Aggregation with Grouping

| chart aggregation_parameter1, aggregation_parameter2 by grouping_parameter1, grouping_parameter2, ...,grouping_parametern

Timechart Single Aggregation with Grouping

| timechart aggregation_parameter by grouping_parameter1, grouping_parameter2, ....., grouping_parametern

Timechart Multiple Aggregation without Grouping

| timechart aggregation_parameter1, aggregation_parameter2, .... aggregation_parametern

Multiple Aggregation with Grouping¶

Example:

sent_datasize=* source_address=* | chart max(sent_datasize), max(received_datasize) by source_
address order by max(sent_datasize), max(received_datasize) desc limit 10

../_images/LP_Search_MAWG_ClstredLine.png

Clustered Line chart for Multiple Aggregation with Grouping¶

You can refer to Multiple Aggregation with Grouping for more details.

Timechart Single Aggregation with Grouping¶

In the Timechart Single Aggregation with Grouping, the y-axis represents the aggregation value for every grouping parameter, and the x-axis displays the value of the timestamps. Similarly, the lines represent the values of the grouping parameter(s).

Example:

event_category=* | timechart count() by event_category

../_images/LP_Search_TSAWG_ClstrLine.png

Clustered Line chart for Timechart Single Aggregation with Grouping¶

You can refer to Timechart Single Aggregation with Grouping for more details.

Timechart Multiple Aggregation without Grouping¶

Alike to the Clustered Column chart, the y-axis represents values of the aggregation parameter, and the x-axis displays the value of the timestamps. Similarly, the lines represent the values of the aggregation parameters at a particular timestamp.

Example:

| timechart count("event_category" = "THREAT") as Dangerous, count("event_category" ="TRAFFIC") as Traffic

../_images/LP_Search_TMAWpG_ClstrLine.png

Clustered Line chart - Timechart Multiple Aggregation without Grouping¶

You can refer to Timechart Multiple Aggregation without Grouping for more details.

Helpful?