Best Practice: Create a stacked bar chart over time

If you have detection events and you want them displayed as a stacked bar chart, there are several ways to accomplish this, but the following two examples are the easiest.

For the purposes of the example, we are going to assume that you'd like to have detection events grouped by the DetectName field, put into buckets representing a single day, and display the results as a stacked bar chart over 30 days.

Using timechart()

Between the two common methods stated here, this is probably the easiest.

Here is a good example:

// Filters for these specific event types. Detection events have specific fields.
//
#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent
| ExternalApiType=Event_DetectionSummaryEvent
//
// Create a timechart with one series per DetectName. Each "bucket" is one day, with a limit of 20 unique DetectName values.
| timechart(series=DetectName, span=1d, limit=20)

However, this doesn't get us to a stacked bar chart yet. After the query completes, click the paintbrush icon on the right side of the UI, then scroll down to Interpolation and change the Type to Step after.

Using groupBy()

This method gives the same results, but is a slightly more involved process.

// Filters for these specific event types. Detection events have specific fields.
//
#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent
| ExternalApiType=Event_DetectionSummaryEvent
//
// Take the @timestamp for each event, convert it into YYYY-MM-DD format, and save it as "dateBucket".
| dateBucket:=formatTime("%Y-%m-%d", field=@timestamp)
//
// Put the results into the bucket for the day, also grouping by "DetectName".
| groupBy([dateBucket, DetectName], limit=max)

Select Bar Chart for the visualization and Stacked for the Type.
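As an added example (not part of the original guidance above), here is the groupBy() variant with two adjustments a practitioner usually wants before trusting the chart. First, formatTime() formats in UTC unless given a timezone, so a detection at 22:00 local time can land in the next day's bar; passing timezone explicitly keeps the day buckets aligned with the analyst's working day. Second, the per-bucket count is named and the rows are sorted by day so the bars render chronologically. The timezone value "America/New_York", the column name detections and the sort limit of 1000 are placeholders chosen for this example, not values from the original query.

```logscale
// Same detection-event filter as the original query.
#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent
| EventType=Event_ExternalApiEvent
| ExternalApiType=Event_DetectionSummaryEvent
//
// Day bucket in an explicit timezone (placeholder value; formatTime() defaults to UTC).
| dateBucket:=formatTime("%Y-%m-%d", field=@timestamp, timezone="America/New_York")
//
// Count detections per day and DetectName, naming the count column explicitly
// (count() is also groupBy()'s default function, so this matches the original result).
| groupBy([dateBucket, DetectName], function=count(as=detections), limit=max)
//
// Order rows by day so the stacked bars render chronologically; raise the limit
// if more than 1000 day/DetectName rows are expected.
| sort(dateBucket, order=asc, limit=1000)
```

One caveat when reading the result: groupBy() only returns day/DetectName combinations that actually occurred, so a day with no detections is simply absent from the table rather than shown as a zero-height bar. If a gap in the chart matters (for example when confirming that sensor coverage did not lapse), check whether the missing day is a quiet day or a reporting gap before drawing conclusions.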