Create a Sankey diagram query
To generate a Sankey diagram, write a query that returns events in the correct data format.
Query syntax
To generate a Sankey diagram, use this query syntax.
... | stats <stats_function>(<size_field>) [<stats_function>(<color_field>)] by <source_category_field> <target_category_field>
Query components
A Sankey diagram query includes the following components.
size_field
- Required
- This field determines link width between source and target categories. Use a stats function to aggregate values in this field.
color_field
- Optional
- This field determines link color. Sankey diagrams that include a color field are called "double measure".
source_category_field
- Required
- Metric flow starts in this field. This is sometimes described as the "from" category.
target_category_field
- Required
- Metric flow ends in this field. This is sometimes described as the "to" category.
Search result data formatting
The Sankey diagram query syntax returns results in a table with multiple columns. Columns represent data for source, target, connection size, and connection color.
Check the Statistics tab after running a query to make sure that the results table includes the correct columns in the required order.
Results table columns
| First | Second | Third | Fourth |
|---|---|---|---|
| Source | Target | Link size | Link color |
Example query
Here is part of a Sankey diagram query tracking byte transfer sums between source and target hosts.
... | stats sum(bytes) count by source target
The query generates a results table with columns for the source, target, sum(bytes), and count fields.
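The following Python is an added example, not code from the Splunk documentation or the Sankey Diagram app. It emulates what `... | stats sum(bytes) count by source target` computes over a handful of constructed events (hypothetical host names and byte counts), and then performs the check the page tells you to do by hand on the Statistics tab: confirm the results table has source, target, link size and (optionally) link color columns in that order, with numeric measure columns. Function names, the sample events and the hosts are all assumptions made for the example.

```python
"""Emulate a Sankey stats query and validate the results table layout.

Added example (not from the Splunk docs or the Sankey Diagram app). The
events, host names and function names are constructed for illustration.
"""
from collections import defaultdict
from numbers import Number

# Constructed sample events: byte transfers between hypothetical hosts.
EVENTS = [
    {"source": "web-01", "target": "db-01", "bytes": 1200},
    {"source": "web-01", "target": "db-01", "bytes": 800},
    {"source": "web-02", "target": "db-01", "bytes": 500},
    {"source": "web-01", "target": "cache-01", "bytes": 300},
]


def stats_sum_count_by(events, size_field, source_field, target_field):
    """Emulate `stats sum(<size_field>) count by <source> <target>`.

    Returns one dict per (source, target) pair with keys in the order the
    Sankey diagram expects: source, target, link size (sum), link color (count).
    """
    totals = defaultdict(lambda: [0, 0])  # (source, target) -> [sum, count]
    for ev in events:
        key = (ev[source_field], ev[target_field])
        totals[key][0] += ev[size_field]
        totals[key][1] += 1
    return [
        {source_field: s, target_field: t, f"sum({size_field})": total, "count": n}
        for (s, t), (total, n) in sorted(totals.items())
    ]


def to_table(rows):
    """Flatten result dicts into (column names, list of row lists),
    preserving the key order produced by stats_sum_count_by."""
    if not rows:
        return [], []
    columns = list(rows[0].keys())
    return columns, [[r[c] for c in columns] for r in rows]


def validate_sankey_results(columns, rows):
    """Check a results table against the Sankey column layout:
    source, target, link size, optional link color.

    The first two columns are categories; the third and (if present) fourth
    must be numeric. Returns a list of problems; an empty list means the
    table is usable by the visualization.
    """
    problems = []
    if len(columns) not in (3, 4):
        problems.append(
            f"expected 3 or 4 columns (source, target, size[, color]), got {len(columns)}"
        )
        return problems
    if len(set(columns)) != len(columns):
        problems.append(f"duplicate column names: {columns}")
    for i, row in enumerate(rows):
        if len(row) != len(columns):
            problems.append(f"row {i}: {len(row)} values for {len(columns)} columns")
            continue
        # Measure columns (link size and link color) must be numbers, not strings.
        for pos in range(2, len(columns)):
            value = row[pos]
            if not isinstance(value, Number) or isinstance(value, bool):
                problems.append(
                    f"row {i}: column {columns[pos]!r} must be numeric, got {value!r}"
                )
    return problems


if __name__ == "__main__":
    result_rows = stats_sum_count_by(EVENTS, "bytes", "source", "target")
    cols, table = to_table(result_rows)
    print(" | ".join(cols))
    for row in table:
        print(" | ".join(str(v) for v in row))
    print("problems:", validate_sankey_results(cols, table) or "none")
```

Running the script prints a four-column table (source, target, sum(bytes), count) that matches the layout described above; a table with only a source and target column, or with a link-size value that arrived as a string, is reported as a problem rather than silently producing an empty or misdrawn diagram.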
This documentation applies to the following versions of Sankey Diagram: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.5.0, 1.6.0