How-To: Visualizing the Same Query With Different Widgets

Dashboards enable you to visualize the same query results in multiple relevant widget formats. This multi-widget approach provides different perspectives of the same data to serve different purposes: a quick overview, comparison across systems, temporal patterns, and exact values.

This article demonstrates how to take a single malware detection query and visualize it in five different ways using different widget types. Each widget type serves a specific purpose and audience need.

Base Query

This example uses the following malware detection query as the foundation. The query filters for malware detection events, groups them by hostname (producing a `hostname` and a `_count` field per group), sorts the groups by count in descending order, and keeps the top 10 affected systems:

logscale
// Affected Systems
event_type=malware
| groupBy(hostname)
| sort(field=_count, order=desc)
| head(10)

1. Bar Chart Widget (Primary Choice)

Best for: Comparing quantities across systems visually

Bar charts make comparisons immediate and visual. You can instantly see which systems have the most detections without reading numbers. The horizontal bars allow for easy comparison of relative magnitudes.

logscale
event_type=malware
| groupBy(hostname)
| sort(field=_count, order=desc)
| head(10)
// Create a bar chart using the following parameters:
//    xLabel="Hostname"
//    yLabel="Number of malware detections"

Use bar charts when you need to compare quantities across categories and want visual impact. They are ideal for executive dashboards and presentations where quick comprehension is essential.

2. Table Widget (Complementary)

Best for: Detailed information and exact numbers

Tables provide the exact counts that charts approximate. They are essential when users need precise values, want to sort or filter data, or need to copy specific numbers for reports.

logscale
event_type=malware
| groupBy(hostname)
| sort(field=_count, order=desc)
| head(10)
| table([
    hostname,
    _count
])

Place table widgets below chart visualizations on dashboards. This allows users to get the visual overview from charts and then drill down to exact details in the table.

3. Pie Chart Widget (Alternative)

Best for: Showing proportional distribution

Pie charts reveal how the whole breaks down into parts. They make it obvious when one or two systems dominate the detections. However, they become less effective with many small slices.

logscale
event_type=malware
| groupBy(hostname)
| sort(field=_count, order=desc)
| head(10)
// Create a pie chart using the following parameters:
//  title="Distribution of malware detections by host"

Use pie charts when proportions matter more than absolute values. Limit to 5-7 categories for best readability. For more categories, prefer bar charts.

4. Single Value Widget (Summary)

Best for: Quick overview of total affected systems

Single value widgets provide instant status awareness. They answer the question "how many?" at a glance without requiring any interpretation. Essential for KPI dashboards and monitoring screens.

logscale
event_type=malware
// distinct=true counts each host once; without it count() returns
// the number of detection events that carry a hostname field
| count(field=hostname, distinct=true)
// Create a single value widget using the following parameters:
//    title="Total affected systems"
//    threshold=
//        {value: 5, color: "green"}
//        {value: 10, color: "yellow"}
//        {value: 15, color: "red"}

Place single value widgets at the top of dashboards as the first thing users see. Use color-coded thresholds to indicate severity and draw attention to critical numbers.

5. Heat Map Widget (Time-Based View)

Best for: Showing patterns over time per system

Heat maps reveal temporal patterns that other visualizations miss. They show when malware detections peak and help identify time-based patterns like business hours vs. off-hours activity.

logscale
event_type=malware
// derive the hour of day and the day of week from the event timestamp
| time:hour(field="@timestamp", as="hour")
| time:dayOfWeek(field="@timestamp", as="day")
// one row per (day, hour) cell, with the detection count in _count
| groupBy([day, hour])
// Create a heatmap using the following parameters:
//    x=hour
//    y=day
//    value=_count
//    title="Malware detection pattern by system"

Use heat maps to identify recurring patterns and anomalies. They are particularly effective for security monitoring where time-of-day patterns can indicate automated attacks or compromised accounts.
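The aggregations behind these widgets are easy to misread; in particular, the single value widget needs the number of distinct hosts, not the number of detection events, and the heat map needs one row per (day, hour) cell. The following Python script is an added example, not LogScale code and not part of this documentation: it re-implements the base top-10 query, both count variants, the threshold colouring, and the heat map bucketing over a constructed set of detection events so the result shapes each widget consumes can be inspected offline. It assumes `time:dayOfWeek()` numbers Monday as 1 through Sunday as 7 and that a threshold colour applies from its value upward; the hostnames and timestamps are made up, and the hostname tie-break in `top_hosts` is added here for deterministic output.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events (not real telemetry). One event that is not a
# malware detection and one detection without a hostname are included to
# show how each aggregation treats them.
SAMPLE_EVENTS = [
    {"event_type": "malware", "hostname": "ws-017", "@timestamp": "2024-03-04T09:15:00Z"},
    {"event_type": "malware", "hostname": "ws-017", "@timestamp": "2024-03-04T09:40:00Z"},
    {"event_type": "malware", "hostname": "ws-042", "@timestamp": "2024-03-04T09:50:00Z"},
    {"event_type": "malware", "hostname": "ws-101", "@timestamp": "2024-03-04T13:10:00Z"},
    {"event_type": "malware", "hostname": "ws-017", "@timestamp": "2024-03-05T22:05:00Z"},
    {"event_type": "malware", "hostname": "ws-042", "@timestamp": "2024-03-06T02:30:00Z"},
    {"event_type": "malware", "hostname": "srv-db-01", "@timestamp": "2024-03-06T02:45:00Z"},
    {"event_type": "malware", "@timestamp": "2024-03-07T08:00:00Z"},  # no hostname field
    {"event_type": "malware", "hostname": "srv-db-01", "@timestamp": "2024-03-09T14:00:00Z"},
    {"event_type": "login", "hostname": "ws-017", "@timestamp": "2024-03-04T08:00:00Z"},
]

# Thresholds as listed on the page for the single value widget (value, color).
THRESHOLDS = [(5, "green"), (10, "yellow"), (15, "red")]


def parse_ts(value):
    """Parse the ISO-8601 @timestamp string (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def filter_malware(events):
    """Equivalent of the `event_type=malware` filter."""
    return [e for e in events if e.get("event_type") == "malware"]


def top_hosts(events, limit=10):
    """groupBy(hostname) | sort(field=_count, order=desc) | head(limit).

    Returns rows shaped like the LogScale result: {"hostname": ..., "_count": ...}.
    Events without a hostname field form no group, as in groupBy().
    """
    counts = Counter(e["hostname"] for e in filter_malware(events) if "hostname" in e)
    rows = [{"hostname": host, "_count": n} for host, n in counts.items()]
    # Descending by count; hostname tie-break is an addition for stable output.
    rows.sort(key=lambda r: (-r["_count"], r["hostname"]))
    return rows[:limit]


def event_count(events):
    """count(field=hostname): number of detection events carrying a hostname."""
    return sum(1 for e in filter_malware(events) if "hostname" in e)


def affected_systems(events):
    """count(field=hostname, distinct=true): number of distinct affected hosts."""
    return len({e["hostname"] for e in filter_malware(events) if "hostname" in e})


def threshold_color(value, thresholds):
    """Highest threshold whose value is <= the count, or None below the first one.

    Assumed semantics: a colour applies from its threshold value upward.
    """
    color = None
    for limit, name in sorted(thresholds):
        if value >= limit:
            color = name
    return color


def heatmap_cells(events):
    """time:hour + time:dayOfWeek then groupBy([day, hour]).

    Day numbering assumed to be ISO (Monday=1 .. Sunday=7). Events without a
    hostname still count here because only @timestamp is used.
    """
    counts = Counter()
    for e in filter_malware(events):
        ts = parse_ts(e["@timestamp"])
        counts[(ts.isoweekday(), ts.hour)] += 1
    return [{"day": d, "hour": h, "_count": n} for (d, h), n in sorted(counts.items())]


if __name__ == "__main__":
    print("bar/table/pie rows:", top_hosts(SAMPLE_EVENTS))
    print("detection events with a hostname:", event_count(SAMPLE_EVENTS))
    total = affected_systems(SAMPLE_EVENTS)
    print("single value (distinct hosts):", total, threshold_color(total, THRESHOLDS))
    print("heat map cells:", heatmap_cells(SAMPLE_EVENTS))
```

Running the script shows the difference the `distinct=true` parameter makes: the sample data holds 8 detection events with a hostname but only 4 affected systems, and the heat map cell for Monday 09:00 collects 3 detections from two different hosts, which is the kind of clustering the widget is meant to surface.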

Recommended Dashboard Layout

When combining these widgets into a single dashboard, organize them to guide users from high-level overview to detailed information:

  1. Top Row: Single Value widget - shows total affected systems for quick status check

  2. Second Row: Bar Chart widget - shows which systems are most affected for prioritization

  3. Third Row: Heat Map widget - reveals temporal patterns for identifying attack windows

  4. Bottom Row: Table widget - provides exact numbers for detailed investigation and reporting

This layout follows the principle of progressive disclosure: start with the big picture and progressively reveal more detail as users scroll down.

Additional Resources

For more information about widgets and dashboards, see: