search
Knowledge BaseRelease NotesRequest Demo

Visualize Operator

hashtag
Overview

circle-info

The visualize operator is in open beta starting with Panther version 1.110, and is available to all customers. Please take special note of the Limitations listed below, and share any bug reports and feature requests with your Panther support team.

Use the visualize operator to generate a bar or line chart of your query results. 

| visualize <bar|line> <annotation>=<expression>[, ...]

You can use visualize with any results set that has two fields where at least one one field is numeric. It's particularly useful to use visualize with summarize and aggregations like agg.count(). The visualize operator must be used last in a PantherFlow query, and does not filter or transform data.

By default, visualize displays a vertical bar chart, but you can use line or bar to set the type. Further customize the chart using the supported annotations.

hashtag
Limitations

  • The wrong column may be selected when declaring a series= but not an xcolumn=, or vice versa (xcolumn= but not a series)

  • To move a vertical bar chart horizontally (left/right), you must scroll vertically (up/down)

  • A maximum of 999 data points can be visualized

  • Data is graphed in sorted order. For timeseries data, you must sort the data by time if you want it to appear in time order in the graph

  • In bar charts, columns are ordered alphabetically and cannot be rearranged

  • Timeseries data renders incorrectly when used as an axis (xcolumn or ycolumn) value in a bar chart. Use a line chart with timeseries data instead.

hashtag
Supported chart types

  • bar (default)

  • line

    • In order to create a line chart, the field represented on the x-axis must have a date/time data type.

hashtag
Supported annotations

Use annotations with visualize to customize the resulting chart. Separate multiple annotations with a comma.

circle-info

In order to use any of the annotations below, your query must also explicitly set a chart type (bar or line).

Annotation
Description
Supported values
Example

title

The title of the chart. If not provided, the default is <name of x-axis field> vs <name of y-axis field>. If value contains spaces, it must be enclosed in quotation marks.

<String>

title="My Chart"

orientation

The direction of the chart. Applicable only to bar charts. If xcolumn, ycolumn, or series are set, they may take precedence over orientation.

vertical (default) horizontal

orientation=horizontal

legend

The existence and position of a chart legend. The default value is hidden for single-series data and bottom for multi-series data.

To hide the legend, use hidden.

hidden (default for single-series data) visible (defaults to bottom) top bottom (default for multi-series data) left right

legend=right

xcolumn

Name of field that should be represented on the x-axis. (This is not the label of the x-axis.) If a timeseries field, must be used with a line chart.

<String>

xcolumn=mean

ycolumn

Name of field that should be represented on the y-axis. (This is not the label of the y-axis.) If a timeseries field, must be used with a line chart.

<String>

ycolumn=detectionId

series

Name of field that should be used to group data. A chart can be:

  • Single-series: Represented by a single line for line charts and bars made up of a single color for bar charts

  • Multi-series: Represented by multiple lines, each with a different color, for line charts, and bars made up of multiple colors for bar charts

If series is not provided, PantherFlow makes an assumption on which field should be treated as the series value.

<String>

series=email

hashtag
Examples

circle-info

Example data

hashtag
Default bar chart

A table with the title "actionName vs events" is shown, with four vertical columns.

hashtag
Bar chart with legend, orientation, and title set

A table titled "My Chart" with four horizontal columns are shown.

hashtag
Bar chart with agg.count()

This example uses sample data that has more than two fields (like most real-world data sets). The query uses summarize events = agg.count() by actionName to generate a results set with two fields (actionName and events) before visualize is used. Learn more about aggregations on PantherFlow Functions and summarize on Summarize Operator.

This query has unique example data:

circle-info

Example data

A table titled "actionName vs events" is shown with four vertical columns.

hashtag
Line chart with title set

This query has unique example data:

circle-info

Example data

A line chart titled "Last week's events" is shown, with seven data points.

hashtag
Line chart measuring action count by hour

The query below displays the Panther Audit logs action count per hour for the past two days, bucketing the data by hour. A separate chart line is added for each actionName.

circle-info

Unlike the other example queries (which use a datatable to provide mock data), the query below pulls from live data in your panther_logs database.

hashtag
Line chart measuring the number of alerts by detectionId per day

The query below displays the number of alerts by detectionId per day for the past two weeks.

circle-info

Unlike the other example queries (which use a datatable to provide mock data), the query below pulls from live data in your panther_signals database.

hashtag
Bar chart measuring mean time to detection

The query below displays the mean time between when an event is ingested and when a detection is triggered, for the 15 slowest rules by detectionId.

circle-info

Unlike the other example queries (which use a datatable to provide mock data), the query below pulls from live data in your panther_signals database.

hashtag
Bar chart using series

This query has unique example data:

circle-info

Example data:

Under an actionName vs events header is a bar chart. There are four vertical columns, and each column in separated into three colors.
PreviousUnion OperatorNextWhere Operator

Last updated

Was this helpful?