Create a Sankey diagram query
To generate a Sankey diagram, write a query that returns events in the correct data format, using this query syntax:

```
... | stats <stats_function>(<size_field>) [<stats_function>(<color_field>)] by <source_category_field> <target_category_field>
```
A Sankey diagram query includes the following components.
- `<size_field>`: This field determines the link width between source and target categories. Use a stats function to aggregate values in this field.
- `<color_field>` (optional): This field determines the link color. Sankey diagrams that include a color field are called "double measure".
- `<source_category_field>`: Metric flow starts in this field. This is sometimes described as the "from" category.
- `<target_category_field>`: Metric flow ends in this field. This is sometimes described as the "to" category.
Search result data formatting
The Sankey diagram query syntax returns results in a table with multiple columns. Columns represent data for source, target, connection size, and connection color.
Check the Statistics tab after running a query to make sure that the results table includes the correct columns in the required order.
Results table columns, in the required order:

| Source | Target | Link size | Link color (optional) |
|--------|--------|-----------|-----------------------|
Here is part of a Sankey diagram query tracking byte transfer sums between source and target hosts.

```
... | stats sum(bytes) count by source target
```
The query generates a results table with columns for the source, target, sum(bytes), and count fields.
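The following added example (not part of the original documentation and not Splunk's own code) reproduces offline what `stats sum(bytes) count by source target` does, so the shape of the results table can be reasoned about before the query is wired into a dashboard panel. The events, host names and byte counts are constructed for the example; `sankey_stats` aggregates them by (source, target) and emits rows in the Sankey column order (source, target, link size, link color), and `validate_results_table` applies the column checks described above: three or four columns, with the size and color columns numeric. The field names are parameters because the visualization only cares about column position, not the names chosen in the query.

```python
"""Added example: emulate `... | stats sum(bytes) count by source target`
and check that the result table matches the Sankey column order."""
from collections import defaultdict

# Constructed sample events: byte transfers between hosts (not real data).
SAMPLE_EVENTS = [
    {"source": "web-01", "target": "db-01", "bytes": 1200},
    {"source": "web-01", "target": "db-01", "bytes": 800},
    {"source": "web-02", "target": "db-01", "bytes": 500},
    {"source": "web-01", "target": "cache-01", "bytes": 300},
    {"source": "web-02", "target": "cache-01", "bytes": 700},
    {"source": "web-02", "target": "cache-01", "bytes": 100},
    {"source": "web-03", "bytes": 999},  # no target: stats drops null by-fields
]


def sankey_stats(events, source_field="source", target_field="target",
                 size_field="bytes"):
    """Equivalent of `stats sum(<size_field>) count by <source> <target>`.

    Returns rows as (source, target, link_size, link_color) tuples: the sum
    of the size field drives link width and the event count serves as the
    optional color measure. Events lacking any grouping or size field are
    skipped, matching how stats ignores null by-field values.
    """
    totals = defaultdict(lambda: [0, 0])  # (source, target) -> [sum, count]
    for ev in events:
        if not all(k in ev for k in (source_field, target_field, size_field)):
            continue
        key = (ev[source_field], ev[target_field])
        totals[key][0] += ev[size_field]
        totals[key][1] += 1
    return [(s, t, total, n) for (s, t), (total, n) in sorted(totals.items())]


def validate_results_table(columns, rows):
    """Check a results table against the Sankey layout: columns are
    source, target, link size and an optional link color, in that order.
    Returns a list of problems; an empty list means the table is usable."""
    problems = []
    if len(columns) not in (3, 4):
        problems.append(f"expected 3 or 4 columns, got {len(columns)}: {columns}")
    for row in rows:
        if len(row) != len(columns):
            problems.append(f"row length {len(row)} != header length {len(columns)}")
            continue
        # Column 3 (size) and, if present, column 4 (color) must be numeric.
        for idx in range(2, len(columns)):
            if not isinstance(row[idx], (int, float)):
                problems.append(f"column {columns[idx]!r} is not numeric in {row}")
    return problems


if __name__ == "__main__":
    header = ["source", "target", "sum(bytes)", "count"]
    table = sankey_stats(SAMPLE_EVENTS)
    print(" | ".join(header))
    for row in table:
        print(" | ".join(str(v) for v in row))
    print("problems:", validate_results_table(header, table))
```

Run as a script, the output is the same four-column table the Statistics tab would show for the query; an empty problem list confirms the columns are positioned as the visualization expects.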
Sankey diagram installation
This documentation applies to the following versions of Sankey Diagram: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.5.0