The Sankey Widget can render results as a two-level Sankey diagram. It is good at displaying flows between entities, such as network flows from one IP to another.

| Field | Type | Description |
|---|---|---|
| source | string | The ID of the source node (left side). This value will also be used as the label of the node. |
| target | string | The ID of the target node (right side). This value will also be used as the label of the node. |
| weight | number | The value that is used to determine the size of the edge between |

The Sankey widget is most easily used with its companion query function, sankey(), but it can also be used without it simply by ensuring the input fields are named as expected.
Here we are using the companion query function to visualize data flowing from src_ip to dst_ip. We use the sum() function to calculate the total number of bytes sent, where pkt_size is a field containing the packet size.
sankey(source=src_ip, target=dst_ip, weight=sum(pkt_size))
In some situations it might be easier to produce the input data by hand instead of using the companion function.
rename(class, as=source) | rename(thread, as=target) | groupBy([source, target], function=count(as=weight))
In this case we want to visualize which classes use which threads in a service.
We need to rename the class and thread fields to match the expected input; we do this using the rename() function. To produce the weight field, we make sure that the function we use in groupBy() names its result weight.
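
The input shape that both queries above produce, as an added Python illustration (it is not query-language code and not part of the original page): it sums a weight per source/target pair over constructed sample records and checks the result against the three expected fields. The function names, the sample records and the rule for skipping incomplete records are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample records (not from the page), one per packet.
EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "pkt_size": 1500},
    {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "pkt_size": 400},
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.8", "pkt_size": 60},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.20", "pkt_size": 900},
    {"src_ip": "10.0.0.7", "dst_ip": "10.0.1.20"},   # no pkt_size
    {"dst_ip": "10.0.1.20", "pkt_size": 100},        # no src_ip
]


def sankey_rows(events, source, target, weight):
    """Sum `weight` per (source, target) pair; return rows named as the widget expects."""
    totals = defaultdict(int)
    for ev in events:
        src, dst, val = ev.get(source), ev.get(target), ev.get(weight)
        # Assumption of this sketch: records missing any of the three fields are skipped.
        if src is None or dst is None or not isinstance(val, (int, float)):
            continue
        totals[(str(src), str(dst))] += val
    rows = [{"source": s, "target": t, "weight": w} for (s, t), w in totals.items()]
    return sorted(rows, key=lambda r: r["weight"], reverse=True)


def row_problems(rows):
    """Return the rows that do not match the expected field names and types."""
    bad = []
    for r in rows:
        ok = (set(r) == {"source", "target", "weight"}
              and isinstance(r["source"], str)
              and isinstance(r["target"], str)
              and isinstance(r["weight"], (int, float)))
        if not ok:
            bad.append(r)
    return bad


if __name__ == "__main__":
    rows = sankey_rows(EVENTS, "src_ip", "dst_ip", "pkt_size")
    assert not row_problems(rows)
    for r in rows:
        print(f'{r["source"]:>10} -> {r["target"]:<10} {r["weight"]:>6} bytes')
```

Each returned row corresponds to one edge in the diagram: the source on the left, the target on the right, and the weight setting the edge size.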