Visualization on Kibana

A Cyber Security Research Dumpsite

This post follows the previous one on managing the Discover page in Kibana and aims to explain the far more in-depth Visualization page.

This post is different from the others. The visualization tool in Kibana is so dense and complex that it would be nearly impossible to cover it all in a single post. Instead, this post goes through each section, and where a section needs a more in-depth explanation it is highlighted to show that there is a lot more to it in the Elastic documentation. If you are interested, follow the link to learn more about each feature.

Creating Visualization

To create a visualization:

  1. Click on Visualize in the side navigation.
  2. Click the Create new visualization button or the + button.

Choose the visualization type:

Basic charts

  • Line, Area and Bar charts: compare different series in X/Y charts.
  • Heat maps: shade cells within a matrix.
  • Pie chart: display each source’s contribution to a total.

Data

  • Data table: display the raw data of a composed aggregation.
  • Metric: display a single number.
  • Goal and Gauge: display a gauge.

Maps

  • Coordinate map: associate the results of an aggregation with geographic locations.
  • Region map: thematic maps where a shape’s color intensity corresponds to a metric’s value.

Time Series

  • Timelion: compute and combine data from multiple time series data sets.
  • Time Series Visual Builder: visualize time series data using pipeline aggregations.

Other

  • Controls: add interactive inputs to Kibana Dashboards.
  • Markdown widget: display free-form information or instructions.
  • Tag cloud: display words as a cloud in which the size of each word corresponds to its importance.
  • Vega graph: support for user-defined graphs, external data sources, images, and user-defined interactivity.

Specify a search query to retrieve the data for your visualization:

  • To enter new search criteria, select the index pattern for the indices that contain the data you want to visualize. This opens the visualization builder with a wildcard query that matches all of the documents in the selected indices.
  • To build a visualization from a saved search, click the name of the saved search you want to use. This opens the visualization builder and loads the selected query.

When you build a visualization from a saved search, any subsequent modifications to the saved search are automatically reflected in the visualization. To disable automatic updates, you can disconnect a visualization from the saved search.

In the visualization builder:

  1. Choose the metric aggregation for the visualization’s Y axis.
  2. For the visualization’s X axis, select a bucket aggregation.

For example, if you’re indexing Apache server logs, you could build a bar chart that shows the distribution of incoming requests by geographic location by specifying a terms aggregation on the geo.src field:

[Screenshot: bar chart of request counts bucketed by geo.src]

The y-axis shows the number of requests received from each country, and the countries are displayed across the x-axis.

Bar, line, or area chart visualizations use metrics for the y-axis and buckets for the x-axis. Buckets are analogous to SQL GROUP BY statements. Pie charts use the metric for the slice size and the bucket for the number of slices.

You can further break down the data by specifying sub aggregations. The first aggregation determines the data set for any subsequent aggregations. Sub aggregations are applied in order; you can drag the aggregations to change the order in which they’re applied.

For example, you could add a terms sub aggregation on the geo.dest field to the Country of Origin bar chart to see the locations those requests were targeting.
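As an added example (not code from the original post or from Elastic), the Python below builds the Elasticsearch request body that a Count metric with a terms bucket on geo.src and a terms sub-bucket on geo.dest produces, which is what you would see in the spy panel’s Request tab, and then runs the same bucketing over a handful of constructed Apache-log documents so the GROUP BY analogy and the execution order of sub aggregations can be checked offline. The index pattern name, the numeric aggregation ids and the sample documents are assumptions made for this illustration.

```python
"""Added example: the request behind a Kibana bar chart that buckets Apache log
requests by geo.src with a geo.dest sub-aggregation, plus an in-memory
re-implementation of that bucketing. Field names, the index pattern and the
sample documents are assumptions, not real data."""
import json

INDEX_PATTERN = "apache-logs-*"  # assumed index pattern for the example

# Constructed sample documents standing in for indexed Apache log events.
SAMPLE_DOCS = [
    {"geo": {"src": "US", "dest": "DE"}},
    {"geo": {"src": "US", "dest": "DE"}},
    {"geo": {"src": "US", "dest": "FR"}},
    {"geo": {"src": "CN", "dest": "DE"}},
    {"geo": {"src": "CN", "dest": "US"}},
    {"geo": {"src": "BR", "dest": "US"}},
]


def build_request(size=5, sub_size=5):
    """Request body for a Count metric (Kibana agg id "1", implicit as doc_count),
    a terms bucket on geo.src (id "2") and a terms sub-bucket on geo.dest (id "3").
    The wildcard query_string mirrors the '*' query the builder starts with."""
    return {
        "size": 0,  # only the aggregations are needed, not the matching hits
        "query": {"query_string": {"query": "*", "analyze_wildcard": True}},
        "aggs": {
            "2": {
                "terms": {"field": "geo.src", "size": size,
                          "order": {"_count": "desc"}},
                "aggs": {
                    "3": {"terms": {"field": "geo.dest", "size": sub_size,
                                    "order": {"_count": "desc"}}}
                },
            }
        },
    }


def get_field(doc, path):
    """Resolve a dotted field name such as 'geo.src' against a nested document."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def run_request(docs, request):
    """Execute the 'aggs' part of the request against in-memory docs and return a
    response shaped like Elasticsearch's (the spy panel's Response tab).
    Each terms bucket only hands its own members to the nested aggs, which is
    why the first aggregation determines the data set for the next one."""

    def run_aggs(subset, aggs):
        out = {}
        for name, spec in aggs.items():
            terms = spec["terms"]
            groups = {}
            for d in subset:
                key = get_field(d, terms["field"])
                if key is not None:  # docs missing the field fall out of the bucket
                    groups.setdefault(key, []).append(d)
            # order by count descending, ties by key, then keep the top `size`
            ordered = sorted(groups.items(),
                             key=lambda kv: (-len(kv[1]), kv[0]))[:terms["size"]]
            buckets = []
            for key, members in ordered:
                bucket = {"key": key, "doc_count": len(members)}
                bucket.update(run_aggs(members, spec.get("aggs", {})))
                buckets.append(bucket)
            out[name] = {"buckets": buckets}
        return out

    return {"hits": {"total": len(docs)},
            "aggregations": run_aggs(docs, request["aggs"])}


if __name__ == "__main__":
    req = build_request()
    print("POST /%s/_search" % INDEX_PATTERN)
    print(json.dumps(req, indent=2))
    print(json.dumps(run_request(SAMPLE_DOCS, req), indent=2))
```

Dragging the geo.dest aggregation above geo.src in the builder corresponds to swapping the two terms specs in the request, and the response then groups by destination first; the `size` on each level is why a busy source or destination can hide the long tail of smaller buckets.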

[Screenshot: bar chart of request counts by geo.src, each bar split by geo.dest]

For more information about working with sub aggregations, see Kibana, Aggregation Execution Order, and You.

Visualization Spy

To display the raw data behind the visualization, click the Visualization button in the bottom left corner of the container. The visualization spy panel will open. Use the select input to view detailed information about the raw data.

[Screenshot: the visualization spy panel opened beneath a chart]

Table. A representation of the underlying data presented as a paginated data grid. You can sort the items in the table by clicking on the table headers at the top of each column.

Request. The raw request used to query the server, presented in JSON format.

Response. The raw response from the server, presented in JSON format.

Statistics. A summary of the statistics related to the request and the response, presented as a data grid. The data grid includes the query duration, the request duration, the total number of records found on the server, and the index pattern used to make the query.

Debug. The visualization saved state presented in JSON format.

To export the raw data behind the visualization as a comma-separated-values (CSV) file, click on either the Raw or Formatted links at the bottom of any of the detailed information tabs. A raw export contains the data as it is stored in Elasticsearch. A formatted export contains the results of any applicable Kibana field formatters.


Hopefully this post on visualization has given you better tools to create your own visualizations. It is a very dense topic, so tread slowly so you don’t overload yourself with information. I’d recommend doing it as I do: I visit the documentation whenever I have a question about how to create something; for example, if I don’t know how to create a coordinate map, I check there for how to do so.

If you have missed the previous post on Kibana, the links are below:

Just landed on this page? Don’t know what Kibana is or how to install it? Check the following link on how to install it: