Creating a big number chart

Big number charts display important metrics on the SOC wall that you want your team to monitor. Turn on trending to see how your organization is doing over time.

Before you begin

Create a widget based on one of the following data sources and ensure that you have query results:

Procedure

  1. In the Views section of the widget, give the chart a name and select whether to show the title and the update status.
  2. Select Big Number Chart.
  3. On the General tab, set the value and font size.
  4. Specify the data format as none (no formatting is applied), date, date and time, or number (the latter formats use the locale default formatting).
  5. For offense data sources only, choose how to aggregate the values. The following table describes the available aggregation options:
    | Option | Description |
    | --- | --- |
    | First | Returns the first value of the selected field in the data set. |
    | Average | Returns the average of all numeric values for the selected field. |
    | Sum | Returns the sum value for the selected field. |
    | Count | Returns a row count of the selected field. |
    | Maximum | Returns the maximum value for the selected field. |
    | Minimum | Returns the minimum value for the selected field. |
  6. Turn on trending to compare the current and previous values.
    On the chart, an arrow indicates whether the value increased, decreased, or stayed the same since the previous value.
  7. For numeric data from AQL data sources, set "Display 0 if no data is returned" to On if you want to prevent a blank chart or a "No data was returned" message. This behavior matches the standard behavior for offense data sources.
  8. On the Thresholds tab, set thresholds to display conditional color formatting in the chart.
    1. Click Add Threshold Indicator.
    2. Select a threshold indicator, enter a threshold value, and then click Add Value to pick a color or to enter an HTML color code in the color palette. Entering a color code makes it easier to select the same colors on different charts. For example, if the value is higher than 50, set the background color to red and the data color to black. If you set only the background color, the data color and view name display in a contrasting black or white, depending on the background color that you select.
      Note: It is invalid to select a non-numerical column as a threshold. Run the query to get results and check your threshold settings to make sure that they work properly.
  9. Optional: On the Drilldown tab, choose a drill down action for when the big number chart is clicked. You can open a dashboard, a URL, or a specific page in the source application (IBM QRadar or QRadar Analyst Workflow).
    1. If you chose to open a dashboard, select the dashboard to open and choose whether to open it in the current window or in a new window.
      Tip: If you drill down to a different dashboard in the same window, you can use the breadcrumb trail to return to previous dashboards in the drill path.
    2. If you chose to open a URL, specify an absolute path to open an external URL (for example, https://www.ibm.com) or a relative path to open a QRadar page, such as DNS lookup. The URL opens in a new browser window.

      You can define any number of parameters anywhere in the URL. Enclose parameters in braces ({}), then select a value for each parameter.

      The following table lists some typical QRadar URLs with parameters:
      | Description | URL |
      | --- | --- |
      | QRadar port scan. The data source must include source or destination IP addresses. The {ip_address} string defines an ip_address URL parameter for a source or destination IP address column. Then, when you drill down on a table row, the port scan page opens to the source or destination IP address of the row. | /console/core/jsp/investigate.jsp?type=port_scan&host={ip_address} |
      | QRadar DNS lookup. The data source must include source or destination IP addresses. The {ip_address} string defines an ip_address URL parameter for a source or destination IP address column. Then, when you drill down on a table row, the DNS lookup page opens to the source or destination IP address of the row. | /console/core/jsp/investigate.jsp?type=dns_lookup&host={ip_address} |
      | QRadar WHOIS lookup. The data source must include source or destination IP addresses. The {ip_address} string defines an ip_address URL parameter for a source or destination IP address column. Then, when you drill down on a table row, the WHOIS lookup page opens to the source or destination IP address of the row. | /console/core/jsp/investigate.jsp?type=whois_lookup&host={ip_address} |
      | QRadar Offense Summary page. The data source must include offense IDs. The {offense_id} string defines an offense_id URL parameter for an ID column. Then, when you drill down on a table row, the Offense Summary page opens to the offense ID of the row. | /console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId={offense_id} |
  10. Preview how the chart looks and then click Save.
    Tip: The labels for the chart come from the queries that are used. If they are unintelligible in the preview, edit the labels in the View section.
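
The brace-parameter substitution described in step 9 for URL drilldowns, sketched as an added example (this is not IBM QRadar code). The function names, the sample column names, the per-parameter validators and the percent-encoding of values are assumptions, shown as checks worth applying when row data ends up in a URL.

```javascript
// Added illustration, not IBM QRadar code. All function names are hypothetical.
const PLACEHOLDER = /\{([A-Za-z_][A-Za-z0-9_]*)\}/g;

// Accept dotted-quad IPv4, or IPv6 that the WHATWG URL parser accepts as a host.
function isIp(value) {
  const s = String(value);
  const octets = s.split('.');
  if (octets.length === 4 &&
      octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) return true;
  if (!s.includes(':') || !/^[0-9A-Fa-f:.]+$/.test(s)) return false;
  try { new URL(`http://[${s}]/`); return true; } catch { return false; }
}

// Assumed per-parameter checks for the two parameter names in the URL table.
const VALIDATORS = {
  ip_address: isIp,
  offense_id: (v) => /^[0-9]+$/.test(String(v)),
};

// Names of the {parameters} a drilldown URL template defines.
function templateParams(template) {
  return [...template.matchAll(PLACEHOLDER)].map((m) => m[1]);
}

// Expand a template for one result row. `mapping` is the value selected for
// each parameter: parameter name -> column name in the data source.
function expandDrilldown(template, mapping, row) {
  return template.replace(PLACEHOLDER, (_match, name) => {
    const column = mapping[name];
    if (column === undefined || !Object.prototype.hasOwnProperty.call(row, column)) {
      throw new Error(`no column value for parameter {${name}}`);
    }
    const check = VALIDATORS[name];
    if (check && !check(row[column])) {
      throw new Error(`value for {${name}} failed validation`);
    }
    // Percent-encode so the value cannot add query parameters or alter the path.
    return encodeURIComponent(String(row[column]));
  });
}

// Constructed sample row and the port scan URL from the table above.
const PORT_SCAN = '/console/core/jsp/investigate.jsp?type=port_scan&host={ip_address}';
const sampleRow = { sourceip: '192.0.2.10', offense: 42 };
console.log(expandDrilldown(PORT_SCAN, { ip_address: 'sourceip' }, sampleRow));
```

A row whose IP column holds anything other than an address, such as a value with an appended `&type=...`, is rejected instead of being placed in the link.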