The Sankey Widget can render results as a two-level Sankey diagram. It is good at displaying flows between entities, such as network flows from one IP to another.
Field | Type | Description |
---|---|---|
`source` | string | The ID of the source node (left side). This value will also be used as the label of the node. |
`target` | string | The ID of the target node (right side). This value will also be used as the label of the node. |
`weight` | number | The value that is used to determine the size of the edge between `source` and `target`, scaled automatically. This could be used to represent the traffic between two IP addresses. |
The Sankey widget is most easily used with its companion query function `sankey`, but it can also be used without it, as long as the input fields are named as expected.
Here we are using the companion query function to visualize data flowing from `src_ip` to `dst_ip`. We use the `sum` function to calculate the total number of bytes sent, where `pkt_size` is a field containing the packet size.
```
sankey(source=src_ip, target=dst_ip, weight=sum(pkt_size))
```
In some situations it might be easier to produce the input data by hand instead of using the companion function.
```
rename(class, as=source) | rename(thread, as=target) | groupBy([source, target], function=count(as=weight))
```
In this case we want to visualize which classes use which threads in a service. We need to rename the `class` and `thread` fields to match the expected input; we do this using the `rename` function. To produce the `weight` field, we make sure that the function we use in the `groupBy` names its result `weight`.
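
The same hand-built approach applied to the network fields from the `sankey` query earlier on this page, as an added example that is not part of the original documentation. It restricts the diagram to traffic leaving private address space and keeps only the heaviest edges; the subnet list and the limit of 25 are illustrative assumptions.

```logscale
// Added example. Field names src_ip, dst_ip and pkt_size are the ones
// used in the sankey() query on this page.

// Keep flows whose source is in private address space (illustrative subnets)...
cidr(src_ip, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
// ...and whose destination is not.
| !cidr(dst_ip, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])
// One row per (src_ip, dst_ip) pair; name the aggregate weight directly.
| groupBy([src_ip, dst_ip], function=sum(pkt_size, as=weight))
// Keep the 25 edges carrying the most bytes (limit chosen for illustration).
| sort(weight, order=desc, limit=25)
// Rename to the field names the widget expects.
| rename(src_ip, as=source)
| rename(dst_ip, as=target)
```

Because the output carries exactly the `source`, `target` and `weight` fields from the table above, it can be rendered by the Sankey widget without the companion function.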