Sankey

The Sankey Widget can render results as a two-level Sankey diagram. It is good at displaying flows between entities, such as network flows from one IP to another.

Input format

| Field | Type | Description |
|---|---|---|
| source | string | The ID of the source node (left side). This value will also be used as the label of the node. |
| target | string | The ID of the target node (right side). This value will also be used as the label of the node. |
| weight | number | The value that is used to determine the size of the edge between source and target, scaled automatically. This could be used to represent the traffic between two IP addresses. |

Usage

The Sankey widget is most easily used with its companion query function sankey, but it works with any query result as long as the input fields are named as expected.

Example 1: Network traffic

Here we are using the companion query function to visualize data flowing from src_ip to dst_ip. We use the sum function to calculate the total number of bytes sent — where pkt_size is a field containing the packet size.

sankey(source=src_ip, target=dst_ip, weight=sum(pkt_size))

Example 2: Thread usage

In some situations it might be easier to produce the input data by hand instead of using the companion function.

rename(class, as=source) | rename(thread, as=target) | groupBy([source, target], function=count(as=weight))

In this case we want to visualize which classes use which threads in a service. We need to rename the class and thread fields to match the expected input, which we do using the rename function. To produce the weight field, we make sure that the function we use in the groupBy names its result weight.
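To make the input format concrete, the following added Python example (not LogScale code and not part of the original documentation) models the aggregation behind Example 1: it groups constructed flow events by src_ip and dst_ip, sums pkt_size, and emits rows with the source, target and weight fields the widget expects. The key=value log layout, the function names and the choice to skip malformed events are assumptions of this example, not a description of how the sankey function treats such events.

```python
from collections import defaultdict

# Constructed sample events; field names follow Example 1 (src_ip, dst_ip, pkt_size).
SAMPLE_EVENTS = [
    "src_ip=10.0.0.5 dst_ip=10.0.1.9 pkt_size=1500",
    "src_ip=10.0.0.5 dst_ip=10.0.1.9 pkt_size=400",
    "src_ip=10.0.0.7 dst_ip=10.0.1.9 pkt_size=60",
    "src_ip=10.0.0.5 dst_ip=192.0.2.44 pkt_size=9000",
    "src_ip=10.0.0.7 dst_ip=192.0.2.44 pkt_size=oops",  # non-numeric size
    "src_ip=10.0.0.7 pkt_size=120",                     # no destination field
]


def parse_event(line):
    """Split a key=value log line into a dict of fields."""
    return dict(pair.split("=", 1) for pair in line.split() if "=" in pair)


def sankey_rows(events, source="src_ip", target="dst_ip", size="pkt_size"):
    """Group events by (source, target) and sum the size field into weight.

    Returns (rows, skipped). Rows use the widget's field names and are sorted
    by descending weight; skipped counts events that lack a field or carry a
    non-numeric size (an assumption of this example).
    """
    totals = defaultdict(int)
    skipped = 0
    for line in events:
        fields = parse_event(line)
        try:
            key = (fields[source], fields[target])
            value = int(fields[size])  # convert before touching totals
        except (KeyError, ValueError):
            skipped += 1
            continue
        totals[key] += value
    rows = [
        {"source": s, "target": t, "weight": w}
        for (s, t), w in sorted(totals.items(), key=lambda kv: -kv[1])
    ]
    return rows, skipped


if __name__ == "__main__":
    rows, skipped = sankey_rows(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print("skipped events:", skipped)
```

Each returned row corresponds to one edge in the diagram, so the number of rows, not the number of events, determines how crowded the widget becomes.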