Creating a bar chart

Bar charts are useful for comparing similar attributes between objects over time, such as the number of events from different log sources over a selected time period.

Before you begin

Create a widget based on one of the following data sources and ensure that you have query results:

Procedure

  1. In the Views section of the widget, give the chart a name and select whether to show the title and the update status.
  2. Select Bar Chart.
  3. On the General tab, set the following properties:
    1. Select a field for the category.
    2. Set a value for the category.
    3. Select the display colors. If you have only one series, choose whether to color each bar differently (Default) or all as one color (Monochrome). If you have more than one series, choose a color for each series.
    4. For offense data sources only, click More options, select the axis label, and choose how to aggregate the values. The following table describes the available aggregation options:
      | Option | Description |
      | --- | --- |
      | No aggregation | For each unique category (x-axis), returns the sum of each value of the selected field. |
      | First | For each unique category (x-axis), returns the first value of the selected field. |
      | Average | For each unique category (x-axis), returns the average of the selected field. |
      | Sum | For each unique category (x-axis), returns the sum of each value of the selected field. |
      | Count | For each unique category (x-axis), returns a row count of the selected field. |
      | Maximum | For each unique category (x-axis), returns the largest numeric value of the selected field. |
      | Minimum | For each unique category (x-axis), returns the smallest numeric value of the selected field. |
    5. Optional: If you have a lot of information to convey, set Stack Series to On. Stacked charts are useful for comparing proportional contributions within a category. They plot the relative value that each data series contributes to the total.
    6. Select the Orientation for the bars to display: vertical or horizontal. The default orientation is Vertical. Use the Horizontal orientation when you have long labels for the categories that might be cut off if you display as a vertical bar chart or if you don't have much data to display.
    7. Set Show Legend to Yes and set the orientation.
  4. On the Axes tab, set the Category Axis Type based on the data that is retrieved from the query. The following table describes the available axis types:
    | Type | Description |
    | --- | --- |
    | None | The chart attempts to automatically determine the type based on the data set. |
    | Linear | Numeric axis mode. Displays a range of numbers. Each bar represents a unique numerical value for each selected field, and bars are spaced in a linear manner according to their values. |
    | Category | Non-numeric axis mode. Each bar represents a unique category. Bars are spaced evenly in the chart display. |
    | Log | Numeric axis mode. Bars display as unique numerical values, and are spaced in a logarithmic manner according to their values. |
  5. Set the Value Axis Type based on the data that is retrieved from the query. The following table describes the available axis types:
    | Type | Description |
    | --- | --- |
    | None | Displays a range of numbers, depending on the selected fields. |
    | Linear | Displays a range of numbers. |
    | Log | Displays a large range of values in a log-10 scale. |
  6. Set the Value Axis Range to On to make it easier to compare data in different charts.
  7. Optional: On the Drilldown tab, choose a drill down action for when a bar or segment is clicked in the bar chart. You can open a dashboard, a URL, or a specific page in the source application (IBM QRadar or QRadar Analyst Workflow).
    1. If you chose to open a dashboard, select the dashboard to open, optionally select dashboard parameter values, and choose whether to open it in the current window or in a new window.

      If you set parameters, they are passed to the target dashboard based on the bar or segment that was clicked in the bar chart. For example, if you set an ID parameter, the bar or segment ID is passed as a parameter to the target dashboard. If you set a dashboard parameter value to Default, no parameter value is passed to the target dashboard; the existing session or default parameter value is used or the parameter field is blank in the target dashboard Parameters card.

      Tip: If you drill down to a different dashboard in the same window, you can use the breadcrumb trail to return to previous dashboards in the drill path.
    2. If you chose to open a URL, specify an absolute path to open an external URL (for example, https://www.ibm.com) or a relative path to open a QRadar page, such as DNS lookup. The URL opens in a new browser window.

      You can define any number of parameters anywhere in the URL. Enclose parameters in braces ({}), then select a value for each parameter.

      The following table lists some typical QRadar URLs with parameters:
      | Description | URL |
      | --- | --- |
      | QRadar port scan. The data source must include source or destination IP addresses. The {ip_address} string defines an ip_address URL parameter for a source or destination IP address column. Then, when you drill down on a table row, the port scan page opens to the source or destination IP address of the row. | /console/core/jsp/investigate.jsp?type=port_scan&host={ip_address} |
      | QRadar DNS lookup. The data source must include source or destination IP addresses. The {ip_address} string defines an ip_address URL parameter for a source or destination IP address column. Then, when you drill down on a table row, the DNS lookup page opens to the source or destination IP address of the row. | /console/core/jsp/investigate.jsp?type=dns_lookup&host={ip_address} |
      | QRadar WHOIS lookup. The data source must include source or destination IP addresses. The {ip_address} string defines an ip_address URL parameter for a source or destination IP address column. Then, when you drill down on a table row, the WHOIS lookup page opens to the source or destination IP address of the row. | /console/core/jsp/investigate.jsp?type=whois_lookup&host={ip_address} |
      | QRadar Offense Summary page. The data source must include offense IDs. The {offense_id} string defines an offense_id URL parameter for an ID column. Then, when you drill down on a table row, the Offense Summary page opens to the offense ID of the row. | /console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId={offense_id} |
    3. If you chose to open a page in the source application, select the page to open and specify a data column for each URL parameter. (At this time, only the Offense Summary page is available and only an offense_id URL parameter is required.)

      Depending on the source application, the page will open in either IBM QRadar or QRadar Analyst Workflow.

  8. Preview how the chart looks and then click Save.
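
The URL drilldown in step 7 substitutes values from the clicked bar's row into the {parameter} placeholders of the URL. The following added JavaScript example sketches that expansion; it is not IBM's code, and the function names, the parameter-to-column mapping object, the sample row, and the choices to percent-encode values and reject unmapped parameters are assumptions made for illustration.

```javascript
// Illustration only: mimics the documented {parameter} substitution,
// it is not taken from QRadar.
const PARAM = /\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// List the distinct parameter names that a drilldown URL template defines.
function templateParams(template) {
  return [...new Set([...template.matchAll(PARAM)].map((m) => m[1]))];
}

// An absolute path opens an external URL; anything else is a relative QRadar path.
function isAbsolute(template) {
  return /^https?:\/\//i.test(template);
}

// Expand a template with values from the clicked row.
// mapping: parameter name -> data column name (the "select a value for each
// parameter" step). Hypothetical shape, chosen for this example.
function expandDrilldown(template, mapping, row) {
  const missing = templateParams(template).filter(
    (p) => !(p in mapping) || row[mapping[p]] === undefined || row[mapping[p]] === null
  );
  if (missing.length > 0) {
    throw new Error(`no value for parameter(s): ${missing.join(", ")}`);
  }
  // Percent-encode each value so that row data stays inside its own
  // parameter and cannot add query parameters or alter the path.
  return template.replace(PARAM, (_, name) =>
    encodeURIComponent(String(row[mapping[name]]))
  );
}

// Constructed sample row (documentation address range, made-up offense ID).
const sampleRow = { sourceip: "192.0.2.10", id: 42 };

// URL templates as listed in the table in step 7.
const templates = {
  dns: "/console/core/jsp/investigate.jsp?type=dns_lookup&host={ip_address}",
  offense:
    "/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId={offense_id}",
};

console.log(expandDrilldown(templates.dns, { ip_address: "sourceip" }, sampleRow));
console.log(expandDrilldown(templates.offense, { offense_id: "id" }, sampleRow));
```

When a column can hold free-form text rather than an IP address or numeric ID, check the expanded URL in the preview before saving, because the target page receives whatever the row contains.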