{"id":9131,"date":"2022-07-12T16:10:56","date_gmt":"2022-07-12T21:10:56","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=9131"},"modified":"2022-07-12T16:10:57","modified_gmt":"2022-07-12T21:10:57","slug":"kibana-sankey-visualization","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=9131","title":{"rendered":"Kibana Sankey Visualization"},"content":{"rendered":"\n

Now that we’ve got a lot of data being ingested into our ELK platform, I am beginning to build out visualizations and dashboards. This Vega visualization (source below) shows the number of connections between source and destination countries. <\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n
\n{ \n  $schema: https:\/\/vega.github.io\/schema\/vega\/v3.0.json\n  data: [\n    {\n      \/\/ Respect currently selected time range and filter string\n      name: rawData\n      url: {\n        %context%: true\n        %timefield%: @timestamp\n        index: firewall_logs*\n        body: {\n          size: 0\n          aggs: {\n            table: {\n              composite: {\n                size: 10000\n                sources: [\n                  {\n                    source_country: {\n                     terms: {field: "srccountry.keyword"}\n                    }\n                  }\n                  {\n                    dest_country: {\n                     terms: {field: "dstcountry.keyword"}\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n      format: {property: "aggregations.table.buckets"}\n      \/\/ Add aliases for data.* elements\n      transform: [\n        {type: "formula", expr: "datum.key.source_country", as: "source_country"}\n        {type: "formula", expr: "datum.key.dest_country", as: "dest_country"}\n        {type: "formula", expr: "datum.doc_count", as: "size"}\n      ]\n    }\n    {\n      name: nodes\n      source: rawData\n      transform: [\n        \/\/ Filter to selected country\n        {\n          type: filter\n          expr: !groupSelector || groupSelector.source_country == datum.source_country || groupSelector.dest_country == datum.dest_country\n        }\n        {type: "formula", expr: "datum.source_country+datum.dest_country", as: "key"}\n        {\n          type: fold\n          fields: ["source_country", "dest_country"]\n          as: ["stack", "grpId"]\n        }\n        {\n          type: formula\n          expr: datum.stack == 'source_country' ? datum.source_country+' '+datum.dest_country : datum.dest_country+' '+datum.source_country\n          as: sortField\n        }\n        {\n          type: stack\n          groupby: ["stack"]\n          sort: {field: "sortField", order: "descending"}\n          field: size\n        }\n        {type: "formula", expr: "(datum.y0+datum.y1)\/2", as: "yc"}\n      ]\n    }\n    {\n      name: groups\n      source: nodes\n      transform: [\n        \/\/ Aggregate country groups and include number of documents for each grouping\n        {\n          type: aggregate\n          groupby: ["stack", "grpId"]\n          fields: ["size"]\n          ops: ["sum"]\n          as: ["total"]\n        }\n        {\n          type: stack\n          groupby: ["stack"]\n          sort: {field: "grpId", order: "descending"}\n          field: total\n        }\n        {type: "formula", expr: "scale('y', datum.y0)", as: "scaledY0"}\n        {type: "formula", expr: "scale('y', datum.y1)", as: "scaledY1"}\n        {type: "formula", expr: "datum.stack == 'source_country'", as: "rightLabel"}\n        {\n          type: formula\n          expr: datum.total\/domain('y')[1]\n          as: percentage\n        }\n      ]\n    }\n    {\n      name: destinationNodes\n      source: nodes\n      transform: [\n        {type: "filter", expr: "datum.stack == 'dest_country'"}\n      ]\n    }\n    {\n      name: edges\n      source: nodes\n      transform: [\n        {type: "filter", expr: "datum.stack == 'source_country'"}\n        {\n          type: lookup\n          from: destinationNodes\n          key: key\n          fields: ["key"]\n          as: ["target"]\n        }\n        {\n          type: linkpath\n          orient: horizontal\n          shape: diagonal\n          sourceY: {expr: "scale('y', datum.yc)"}\n          sourceX: {expr: "scale('x', 'source_country') + bandwidth('x')"}\n          targetY: {expr: "scale('y', datum.target.yc)"}\n          targetX: {expr: "scale('x', 'dest_country')"}\n        }\n        \/\/ Calculation to determine line thickness\n        {\n          type: formula\n          expr: range('y')[0]-scale('y', datum.size)\n          as: strokeWidth\n        }\n        {\n          type: formula\n          expr: datum.size\/domain('y')[1]\n          as: percentage\n        }\n      ]\n    }\n  ]\n  scales: [\n    {\n      name: x\n      type: band\n      range: width\n      domain: ["source_country", "dest_country"]\n      paddingOuter: 0.05\n      paddingInner: 0.95\n    }\n    {\n      name: y\n      type: linear\n      range: height\n      domain: {data: "nodes", field: "y1"}\n    }\n    {\n      name: color\n      type: ordinal\n      range: category\n      domain: {data: "rawData", fields: ["source_country", "dest_country"]}\n    }\n    {\n      name: stackNames\n      type: ordinal\n      range: ["Source Country", "Destination Country"]\n      domain: ["source_country", "dest_country"]\n    }\n  ]\n  axes: [\n    {\n      orient: bottom\n      scale: x\n      encode: {\n        labels: {\n          update: {\n            text: {scale: "stackNames", field: "value"}\n          }\n        }\n      }\n    }\n    {orient: "left", scale: "y"}\n  ]\n  marks: [\n    {\n      type: path\n      name: edgeMark\n      from: {data: "edges"}\n      clip: true\n      encode: {\n        update: {\n          stroke: [\n            {\n              test: groupSelector && groupSelector.stack=='source_country'\n              scale: color\n              field: dest_country\n            }\n            {scale: "color", field: "source_country"}\n          ]\n          strokeWidth: {field: "strokeWidth"}\n          path: {field: "path"}\n          strokeOpacity: {\n            signal: !groupSelector && (groupHover.source_country == datum.source_country || groupHover.dest_country == datum.dest_country) ? 0.9 : 0.3\n          }\n          zindex: {\n            signal: !groupSelector && (groupHover.source_country == datum.source_country || groupHover.dest_country == datum.dest_country) ? 1 : 0\n          }\n          tooltip: {\n            signal: datum.source_country + ' \u2192 ' + datum.dest_country + '    ' + format(datum.size, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\n          }\n        }\n        hover: {\n          strokeOpacity: {value: 1}\n        }\n      }\n    }\n    {\n      type: rect\n      name: groupMark\n      from: {data: "groups"}\n      encode: {\n        enter: {\n          fill: {scale: "color", field: "grpId"}\n          width: {scale: "x", band: 1}\n        }\n        update: {\n          x: {scale: "x", field: "stack"}\n          y: {field: "scaledY0"}\n          y2: {field: "scaledY1"}\n          fillOpacity: {value: 0.6}\n          tooltip: {\n            signal: datum.grpId + '   ' + format(datum.total, ',.0f') + '   (' + format(datum.percentage, '.1%') + ')'\n          }\n        }\n        hover: {\n          fillOpacity: {value: 1}\n        }\n      }\n    }\n    {\n      type: text\n      from: {data: "groups"}\n      interactive: false\n      encode: {\n        update: {\n          x: {\n            signal: scale('x', datum.stack) + (datum.rightLabel ? bandwidth('x') + 8 : -8)\n          }\n          yc: {signal: "(datum.scaledY0 + datum.scaledY1)\/2"}\n          align: {signal: "datum.rightLabel ? 'left' : 'right'"}\n          baseline: {value: "middle"}\n          fontWeight: {value: "bold"}\n          \/\/ Do not show labels on smaller items\n          text: {signal: "abs(datum.scaledY0-datum.scaledY1) > 13 ? datum.grpId : ''"}\n        }\n      }\n    }\n    {\n      type: group\n      data: [\n        {\n          name: dataForShowAll\n          values: [{}]\n          transform: [{type: "filter", expr: "groupSelector"}]\n        }\n      ]\n      \/\/ Set button size and positioning\n      encode: {\n        enter: {\n          xc: {signal: "width\/2"}\n          y: {value: 30}\n          width: {value: 80}\n          height: {value: 30}\n        }\n      }\n      marks: [\n        {\n          type: group\n          name: groupReset\n          from: {data: "dataForShowAll"}\n          encode: {\n            enter: {\n              cornerRadius: {value: 6}\n              fill: {value: "#f5f5f5"}\n              stroke: {value: "#c1c1c1"}\n              strokeWidth: {value: 2}\n              \/\/ use parent group's size\n              height: {\n                field: {group: "height"}\n              }\n              width: {\n                field: {group: "width"}\n              }\n            }\n            update: {\n              opacity: {value: 1}\n            }\n            hover: {\n              opacity: {value: 0.7}\n            }\n          }\n          marks: [\n            {\n              type: text\n              interactive: false\n              encode: {\n                enter: {\n                  xc: {\n                    field: {group: "width"}\n                    mult: 0.5\n                  }\n                  yc: {\n                    field: {group: "height"}\n                    mult: 0.5\n                    offset: 2\n                  }\n                  align: {value: "center"}\n                  baseline: {value: "middle"}\n                  fontWeight: {value: "bold"}\n                  text: {value: "Show All"}\n                }\n              }\n            }\n          ]\n        }\n      ]\n    }\n  ]\n  signals: [\n    {\n      name: groupHover\n      value: {}\n      on: [\n        {\n          events: @groupMark:mouseover\n          update: "{source_country:datum.stack=='source_country' && datum.grpId, dest_country:datum.stack=='dest_country' && datum.grpId}"\n        }\n        {events: "mouseout", update: "{}"}\n      ]\n    }\n    {\n      name: groupSelector\n      value: false\n      on: [\n        {\n          events: @groupMark:click!\n          update: "{stack:datum.stack, source_country:datum.stack=='source_country' && datum.grpId, dest_country:datum.stack=='dest_country' && datum.grpId}"\n        }\n        {\n          events: [\n            {type: "click", markname: "groupReset"}\n            {type: "dblclick"}\n          ]\n          update: "false"\n        }\n      ]\n    }\n  ]\n}\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"
Now that we’ve got a lot of data being ingested into our ELK platform, I am beginning to build out visualizations and dashboards. This Vega visualization (source below) shows the number of connections between source and destination countries.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1588],"tags":[1591,1669,1668],"class_list":["post-9131","post","type-post","status-publish","format-standard","hentry","category-elk","tag-kibana","tag-vega","tag-visualizations"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9131"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9131\/revisions"}],"predecessor-version":[{"id":9133,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9131\/revisions\/9133"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}