Creating a big number chart

Big number charts display important metrics on the SOC wall that you want your team to monitor. Turn on trending to see how your organization is doing over time.

Before you begin

Create a widget based on one of the following data sources and ensure that you have query results:


  1. In the Views section of the widget, give the chart a name and select whether to show the title and the update status.
  2. Select Big Number Chart.
  3. On the General tab, set the following properties:
    1. Select a value and font size.
    2. Set the data format type.
      Tip: If you select an Enriched data format, then the data is labeled with a data decorator. You can also configure a severity icon that precedes the enriched data.
  4. For offense data sources only, choose how to aggregate the values. The following table describes the available aggregation options:
    Option     Description
    First      Returns the first value of the selected field in the data set.
    Average    Returns the average of all numeric values for the selected field.
    Sum        Returns the sum value for the selected field.
    Count      Returns a row count of the selected field.
    Maximum    Returns the maximum value for the selected field.
    Minimum    Returns the minimum value for the selected field.
  5. Turn on trending to compare the current and previous values.
    On the chart, an arrow indicates whether the value increased, decreased, or stayed the same since the previous value.
  6. For numeric data from AQL data sources, set "Display 0 if no data is returned" to On if you want to prevent a blank chart or a "No data was returned" message. This behavior matches the standard behavior for offense data sources.
  7. On the Thresholds tab, set thresholds to display conditional color formatting in the chart.
    1. Click Add Threshold Indicator.
    2. Select a threshold indicator, enter a threshold value, and then click Add Value to pick a color. You can also enter an HTML color code in the color palette, which makes it easier to select the same colors on different charts. For example, if the value is higher than 50, set the background color to red and the data color to black. If you set only the background color, the data color and view name display in a contrasting black or white, depending on the background color that you select.
      Note: It is invalid to select a non-numerical column as a threshold. Run the query to get results and check your threshold settings to make sure that they work properly.
  8. Optional: On the Drilldown tab, choose a drill down action for when the big number chart is clicked. You can open a dashboard, a URL, or a panel.
    1. If you chose to open a dashboard, select the dashboard to open and choose whether to open it in the current window or in a new window.
      Tip: If you drill down to a different dashboard in the same window, you can use the breadcrumb trail to return to previous dashboards in the drill path.
    2. If you chose to open a URL, specify an absolute path to open an external URL (for example, Choose whether to open the URL in the current window or in a new window. If you open an external URL in the current window, it replaces the console.

      You can define any number of parameters anywhere in the URL. Enclose parameters in braces ({}), then select a value for each parameter. For example, {ip_address}.

    3. If you chose to open a panel, select the drill down column and enrichment type.
      For example, if the selected drill down column represents a source IP address, then select Enriched IPv4 as the enrichment type, so the panel opens with the details and enrichment for this IP address.
  9. Preview how the chart looks and then click Save.
    Tip: The labels for the chart come from the queries that are used. If they are unintelligible in the preview, edit the labels in the View section.
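
The following added example (not IBM's code, and not a description of how the product substitutes values) previews a drill-down URL template from step 8 against one result row before you save it: it lists the {parameters}, checks that the URL is absolute, and percent-encodes each value so that characters in query results cannot change the URL's structure. The host name, the column names, and the rule that the scheme and host must be fixed text are assumptions of this example.

```python
import re
from urllib.parse import quote

# A {parameter} placeholder, written in braces as in the drill-down URL step.
PARAM = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Scheme and host of an absolute URL, up to the first '/', '?' or '#'.
AUTHORITY = re.compile(r"https?://[^/?#]+", re.IGNORECASE)


def template_parameters(template):
    """Return the distinct parameter names, in order of first use."""
    names = []
    for name in PARAM.findall(template):
        if name not in names:
            names.append(name)
    return names


def expand_drilldown_url(template, row):
    """Preview the URL a template yields for one result row (column -> value)."""
    authority = AUTHORITY.match(template)
    if authority is None:
        raise ValueError("drill-down URL must be absolute (http:// or https://)")
    # Assumption of this example: the destination host is fixed text, so
    # values taken from query results can never choose where the click goes.
    if PARAM.search(authority.group(0)):
        raise ValueError("parameters are not allowed in the scheme or host")
    missing = [n for n in template_parameters(template) if n not in row]
    if missing:
        raise ValueError("no value selected for: " + ", ".join(missing))
    # Encode every value in full so that & / ? # and spaces stay data.
    return PARAM.sub(lambda m: quote(str(row[m.group(1)]), safe=""), template)


# Constructed sample input: hypothetical host, columns and values.
TEMPLATE = "https://intel.example.com/lookup?ip={ip_address}&user={username}"
ROW = {"ip_address": "203.0.113.7", "username": "svc backup&role=admin"}

if __name__ == "__main__":
    print(template_parameters(TEMPLATE))
    print(expand_drilldown_url(TEMPLATE, ROW))
```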