Basics of managing widgets

The principle of data display in the widget depends on the type of the graph. The following graph types are available in KUMA:

Basics of general widget management

The name of the widget is displayed in the upper left corner of the widgets. By clicking the link with the name of the widget about events, alerts, incidents, or active lists, you can go to the corresponding section of the KUMA web interface.

A list of tenants for which data is displayed is located under the widget name.

In the upper right corner of the widget, the period for which data is displayed on the widget is indicated (for example, 30 days ). Keep in mind that the data displayed in the dashboard may lag behind real time because of caching. You can view the date and time of the last update by hovering over the period icon.

If the Show data for previous period setting is enabled for the widget, and the widget is displaying data for a relative period, the tooltip also displays the previous period. The previous period is calculated relative to the current period as start and end values of the current period minus the duration of the current period. For example, if data is updated daily and displayed for a month, but only the first 10 days of the month have passed, the previous period is taken to be the last 10 days of the previous month.

You can change the data display period for the widget by clicking the period icon and selecting an exact date or a relative period in the window that is displayed. If you want the widget to display data for the period selected for the layout, click the Reset button. Changing the displayed period on the layout also changes the period displayed in the widget.

The time in the widget is displayed in the local time zone set in the browser.

The CSV button is located to the left of the period icon. You can download the data displayed on the widget in CSV format (UTF-8 encoding). The downloaded file name has the format <widget name>_<download date (YYYYMMDD)>_<download time (HHMMSS)>.CSV.

The widget displays data for the period selected in widget or layout settings only for the tenants that are selected in widget or layout settings.

If you have enabled the Show total toggle switch in the widget settings, the widget displays the Total value, but when you download the widget in CSV format, the Total value is not displayed. To display the Total value in the report, you can use Excel formulas or manually copy the total value from the widget.

Basics of managing Pie chart graphs

A pie chart with a legend is displayed below the list of tenants. The legend lists the names of the categories corresponding to the sectors of the diagram. By left-clicking a category in the legend, you can go to the section of the KUMA web interface with the corresponding data. The data in that section is sorted in accordance with the filters and/or search query specified in the widget.

When going from the legend of the widget to the events details section, pay attention to the text of the legend item that you click to go to the events section. Any \ or ' characters used in the text are escaped in the text of the SQL query. However, the / character is not escaped.

Under the period icon, the number of events, active lists, assets, alerts, or incidents grouped by the selected criteria for the data display period will be displayed.

Examples:

  • In the Alerts by status widget, under the period icon, the number of alerts grouped by the New, Open, Assigned, or Escalated status is displayed.

    If you want to see the legend only for alerts with the Opened and Assigned status, you can clear the check boxes to the left of the New and Escalated statuses.

  • In the Events widget, for which the SQL query SELECT count(ID) AS `metric`, Name AS `value` FROM `events` GROUP BY Name ORDER BY `metric` DESC LIMIT 10 is specified, 10 events are displayed below the period icon, grouped by name and sorted in descending order.

    If you want to view events with specific names in the legend, you can clear the check boxes to the left of the names of events that you do not want to see in the legend.

Basics of managing Counter graphs

Graphs of this type display the sum total of selected data.

Example 4:

The Number of assets widget displays the total number of assets added to KUMA.

Example 4:

If you want to view trends to compare current data with data for a past period, you can create a widget that displays upward or downward trends. Trends can be configured in the following widgets:

  • Assets → Number of assets.
  • Assets → Customized widget.
  • Alerts → Active alerts.
  • Alerts → Unassigned alerts.
  • Incidents → Active incidents.
  • Incidents → Unassigned incidents .
  • Incidents → All incidents.
  • Users -> Number of AD users.

    To configure the display of trends, you need to enable the Show data for previous period toggle switch, and then select a trend on the Appearance tab. If the percentage value cannot be calculated, or if the values are equal, the Horizontal bar. icon is displayed. If Up is better is selected, an uptrend is indicated by a green arrow on the chart, and a downtrend is indicated by a red arrow. If Down is better is selected, an uptrend is indicated by a red arrow on the chart, and a downtrend is indicated by a green arrow.

    You can click the value to change the display of data in the widget (for example, to display absolute values instead of percentages). This functionality is available when the widget is displayed on the dashboard and when the TV mode is on.

Basics of managing Table graphs

Graphs of this type display data in a table format.

Example:

In the Events widget, for which the SQL query SELECT TenantID , Timestamp , Name , DeviceProduct , DeviceVendor FROM `events` LIMIT 10 is specified, displays an event table with TenantID, Timestamp, Name, DeviceProduct, and DeviceVendor columns. The table contains 10 rows.

You can customize the display of data in the table using two-color (red and green) or three-color (red, yellow, and green) gradient fill. After selecting the type of gradient, you can adjust the direction of the fill by clicking the toggle direction icon (swap_arrow_icon) and set thresholds. Two values must be specified for a two-color gradient, and three for a three-color gradient. These values are displayed in the legend and determine the color of the marker added to the cell of the selected column. The column is specified in the Field for gradient indicator drop-down list.

Basics of managing Bar chart graphs

A bar chart with a legend is displayed below the list of tenants. The legend lists the names of the categories corresponding to the bars of the diagram. By left-clicking a category in the legend, you can go to the section of the KUMA web interface with the corresponding data. The data in that section is sorted in accordance with the filters and/or search query specified in the widget.

When going from the legend of the widget to the events details section, pay attention to the text of the legend item that you click to go to the events section. Any \ or ' characters used in the text are escaped in the text of the SQL query. However, the / character is not escaped.

Example:

In the a Netflow top internal IPs widget for which the SQL query SELECT sum(BytesIn) AS metric, DestinationAddress AS value FROM `events` WHERE (DeviceProduct = 'netflow' OR DeviceProduct = 'sflow') AND (inSubnet(DestinationAddress, '10.0.0.0/8') OR inSubnet(DestinationAddress, '172.16.0.0/12') OR inSubnet(DestinationAddress, '192.168.0.0/16')) GROUP BY DestinationAddress ORDER BY metric DESC LIMIT 10 is specified, the x-axis of the chart corresponds to the total traffic in bytes, and the y-axis corresponds to destination port addresses. The data is grouped by destination address in descending order of total traffic.

You can also customize the display of bars using two-color (red and green) or three-color (red, yellow, and green) gradient fill. After selecting the type of gradient, you can adjust the direction of the fill by clicking the toggle direction icon (swap_arrow_icon ) and set thresholds. Two values must be specified for a two-color gradient, and three for a three-color gradient. These values are displayed in the legend and determine the coloring of the bars.

Basics of managing Date Histogram graphs

A Date Histogram with a legend is displayed below the list of tenants. The legend lists the names of the categories corresponding to the bars of the diagram. By left-clicking a category in the legend, you can go to the section of the KUMA web interface with the corresponding data. The data in that section is sorted in accordance with the filters and/or search query specified in the widget.

When going from the legend of the widget to the events details section, pay attention to the text of the legend item that you click to go to the events section. Any \ or ' characters used in the text are escaped in the text of the SQL query. However, the / character is not escaped.

If, when creating a widget with a Date Histogram type, the Bar chart view is selected, you can customize the display of the bars using two-color (red and green) or three-color (red, yellow, and green) gradient fill. After selecting the type of gradient, you can adjust the direction of the fill by clicking the toggle direction icon (swap_arrow_icon) and set thresholds. Two values must be specified for a two-color gradient, and three for a three-color gradient. These values are displayed in the legend and determine the coloring of the bars.

Example:

SELECT count(ID) AS `metric`, Timestamp AS `value`

FROM `events`

GROUP BY Timestamp

ORDER BY `metric` DESC

LIMIT 10

The X axis of the chart shows the date when the event was created, and the Y axis shows the number of events. The bars of the chart are arranged from left to right in descending order of the number of events.

If an additional field with the category alias is used in the SQL query, the bar chart is displayed as a stacked bar chart. In this case, gradient fill is not applied.

Example:

SELECT count(ID) AS `metric`, Timestamp AS `category`, Type AS `value`

FROM `events`

GROUP BY Timestamp, Type

ORDER BY metric DESC

LIMIT 10

The X axis indicates the time intervals, and the Y axis indicates the number of events. Each segment of the bar corresponds to a value of the field marked as Type.

If, when creating a widget with a Date Histogram type, the Line chart view is selected, there are two options for displaying the chart: single line (if only the metric and value fields are specified in the query) and multiple lines (if an additional field with the category alias is used). This lets you compare values for different groups, depending on which field is used for grouping in the query. For example, correlation rules, users, or hosts can be used. No gradient fill is applied to such charts.

Example of a query to display a line chart with multiple lines

SELECT count(ID) AS `metric`, Timestamp AS `category`, CorrelationRuleName AS `value`

FROM `events`

WHERE Type = 3

GROUP BY Timestamp, CorrelationRuleName

ORDER BY metric DESC

LIMIT 10

The chart displays the intervals on the X-axis (the field specified as the category). The Y-axis displays the number of times the correlation rules were triggered (the field marked as metric). Each line on the chart corresponds to a unique value in the value field (in this case, the name of the correlation rule).

You can use the following time fields for grouping in a Date Histogram:

  • Timestamp
  • DeviceCustomDate1
  • DeviceCustomDate2
  • EndTime
  • FileCreateTime
  • FileModificationTime
  • FlexDate1
  • OldFileCreateTime
  • OldFileModificationTime
  • DeviceReceiptTime
  • StartTime

For convenience, we recommend using supported ClickHouse functions to round the values in the time field (Timestamp), for example, to 1 hour or 1 day.

For a Date Histogram widget with the Line chart view, you can also configure the display of the average value. To do this, on the Appearance tab, for the Regression setting, select LOESS.

Basics of managing Line chart graphs

A line chart with a legend is displayed below the list of tenants. The legend displays the names of the categories corresponding to the lines on the chart. By left-clicking a category in the legend, you can go to the section of the KUMA web interface with the corresponding data. The data in that section is sorted in accordance with the filters and/or search query specified in the widget.

When going from the legend of the widget to the events details section, pay attention to the text of the legend item that you click to go to the events section. Any \ or ' characters used in the text are escaped in the text of the SQL query. However, the / character is not escaped.

Example:

In the Events widget, for which the SQL query SELECT count(ID) AS `metric`, SourcePort AS `value` FROM `events` GROUP BY SourcePort ORDER BY `value` ASC LIMIT 250 is specified, the x-axis corresponds to the approximate port number, and the y-axis corresponds to the number of events. The data is grouped by port number in ascending order.

For a Line chart widget, you can also configure the display of the average value. To do this, on the Appearance tab, for the Regression setting, select Linear. If the chart displays multiple categories, the average is displayed for each category.

Basics of managing graphs of the Stacked bar chart type

A stacked bar chart with a legend is displayed below the list of tenants. The legend displays the names of the categories that make up parts of each bar. To the left of each category is a check box that lets you hide or show the category. The number of bars in the chart corresponds to the number of values in the selected grouping. The bars have captions. The color of the corresponding category in the bar is assigned automatically. When you hover over the zones of the bars, a tooltip is displayed with the value and a description of the value. You can left-click a category in the legend to go to the section of the KUMA web interface with the relevant data.

When going from the legend of the widget to the events details section, pay attention to the text of the legend item that you click to go to the events section. Any \ or ' characters used in the text are escaped in the text of the SQL query. However, the / character is not escaped.

The meaning of bar height depends on the Format setting:

If, when creating a custom widget based on the stacked bar chart, you selected the Show data for previous period option, and the standard value, category, metric aliases are used in the query, the chart displays previous-period data as separate bars. However, if instead of the standard metric, the query uses a custom metric calculation with non-standard aliases, the Show data for previous period is not taken into account when displaying the chart (see example queries below).

Examples:

When creating a custom widget of the Stacked Bar chart type based on an SQL query of an Events widget, the following rules apply:

  • The field in the query that is marked as the value alias (required field) is used in the chart as the field by which the legend is created and the bars are divided into categories.
  • The field in the query that is marked as the category alias (required field) is used in the chart as the field that defines the arrangement of bars along the X axis.
  • The field in the query marked as the metric alias is used in the chart as the field that defines how bar areas are counted. In this case, the distribution is performed automatically.

However, you can manage the count by using standard aggregation functions (sum, avg, min, max, count) and your own arbitrarily named aliases as metrics instead of the standard metric alias (in this case, the display of data for the previous period is not supported).

Example 1:

For the Events widget, the following SQL query is specified with standard aliases, and the Show data for previous period option was selected when creating the widget:

SELECT count(ID) AS `metric`,

Type AS `value`,

TenantID AS `category`

FROM `events`

GROUP BY value, category

ORDER BY metric DESC

The X-axis stands for tenants (the field marked as the category), the Y-axis stands for the number of events of a certain type (the field marked as the value). Inside each bar, the quantity corresponding to a certain type is represented by a certain color. In the legend, the names of the event types by which the bars are divided are displayed as categories. Each category has an automatically assigned corresponding color on the bar. If you want to view only certain event types in the chart, you can clear or select the check boxes to the left of the corresponding event types in the legend.

Next to each bar, an additional bar is displayed with historical data, if such data was received in the query response.

Example 4:

For the Events widget, the following SQL query is marked with custom metrics marked as the Base and Audit aliases instead of the standard metric alias:

SELECT SUM(IF (Type = 1,1,0)) AS `Base`,

SUM(IF (Type = 4,1,0)) AS `Audit`,

TenantID as `category`

FROM `events`

GROUP BY category

The X-axis stands for tenants (the field marked as category), the Y-axis stands for the number of events of each type (custom metrics marked as the Base and Audit aliases). Inside each bar, the quantity corresponding to a certain metric is represented by a certain color. In the legend, the Base and Audit metrics by which the bars are divided into categories are displayed as category names. Each category has an automatically assigned corresponding color on the bar. If you want to view only event corresponding to a certain metric in the chart, you can clear or select the check boxes to the left of the relevant metric in the legend.

The additional bar with historical data is not displayed for a query with custom metrics, even if the Show data for previous period option was selected when creating the widget.

Example 3:

For the Events widget, the following SQL query is specified with standard aliases:

SELECT count(ID) AS `metric`,

TenantID as `value`,

Type as `category`

FROM events

GROUP BY value, category

ORDER BY metric DESC

In contrast to the similar query in example 1, in this case, the X-axis stands for the types of events (the field marked as the category), and the tenants (the field marked as the value) are represented by ranges of values in the bars (along the X axis) and the corresponding captions in the legend.

Example 4:

For the Events widget, the following SQL query is specified with standard aliases:

SELECT count(ID) AS `metric`,

CAST(fromUnixTimestamp64Milli(Timestamp) AS DATE) AS `category`,

Type as `value`

FROM `events`

GROUP BY category, value

ORDER BY category DESC

The chart displays the days of the month on the X axis (the field marked as the category). The Y axis displays the number of events of a particular type (the field marked as the value).

To create a similar chart with bars arranged by date and/or time, use a query with grouping and sorting by the following fields of the timestamp type:

  • Timestamp
  • DeviceCustomDate1
  • DeviceCustomDate2
  • EndTime
  • FileCreateTime
  • FileModificationTime
  • FlexDate1
  • OldFileCreateTime
  • OldFileModificationTime
  • DeviceReceiptTime
  • StartTime

We recommend using the Date Histogram to work with data that is arranged by date and/or time.

Basics of managing Speedometer charts

This type of chart displays the percentage of the number of objects of the selected category vs the total number of objects for a certain period. The Speedometer chart can be used for the following objects:

The value on the chart is displayed as a percentage with a color matching the configured ranges of values. By default, the following ranges are specified: 0–30, 30–70, 70–100.

Example 4:

In the Assets customized widget, the user selects an asset category for comparing the number of assets in it with the total number of assets. The user can specify threshold values for the scale on the graph. Then, based on one or more conditions for the Y-axis, a calculation is performed with the existing asset database.

Example 4:

In the Alerts widget, you can select the Speedometer chart type for the Active alerts and Unassigned alerts categories. For alerts, a tenant and a period for analysis are selected. By default, these values match the values specified in the relevant dashboard. In the total number of alerts, you can also display data for the previous period.

The percentage value for the Active incidents and Unassigned incidents categories is calculated in the same way in the Incidents widget.

Example 4:

In the Events widget, for the Speedometer chart type, the user specifies a tenant, a period for analysis, and the event data storage. The SQL query is displayed as follows:

SELECT count(ID) AS `metric`, SourcePort AS `value` FROM `events` GROUP BY SourcePort ORDER BY value ASC LIMIT 250

Page top