Visualizations

Topics

Visualize enables you to create visualizations of the data in your Energy Logserver indices. You can then build dashboards that display related visualizations. Visualizations are based on Energy Logserver queries. By using a series of Energy Logserver aggregations to extract and process your data, you can create charts that show you the trends, spikes, and dips.

Creating visualization

Create

To create a visualization, go to the “Visualize” tab from the main menu. A new page will appear where you can create or load a visualization.

Load

To load a previously created and saved visualization, select it from the list.

To create a new visualization, you should choose the preferred method of data presentation.

Next, specify whether the created visualization will be based on a new or a previously saved query. If on a new one, select the index that the visualization should be based on. If the visualization is created from a saved query, you just need to select the appropriate query from the list, or (if there are many saved searches) search for it by name.

Visualization types

Before the data visualization is created, you first have to choose the presentation method from the existing list. Currently, there are five groups of visualization types, each serving a different purpose. If you only want to see the current number of products sold, it is best to choose “Metric”, which presents a single value.

However, if you want to see user activity trends on pages at different hours and days, the “Area chart”, which displays a chart divided by time, is the better choice.

The “Markdown widget” view is used to place text, e.g. information about the dashboard, explanations, and instructions on how to navigate. The text is formatted with the Markdown language (most popularly used on GitHub). More information and instructions can be found at this link: https://help.github.com/categories/writing-on-github/

Edit visualization and saving

Editing

Editing a saved visualization enables you to directly modify the object definition. You can change the object title, add a description, and modify the JSON that defines the object properties. After selecting the index and the method of data presentation, you enter the editing mode, which opens a new window with an empty visualization.

At the very top there is a query bar that can be edited throughout the creation of the visualization. It works in the same way as in the “Discover” tab, that is, it searches the raw data, but instead of the data being displayed, the visualization being edited is fed with it. The following example will be based on the “Area chart”. The visualization modification panel on the left is divided into three tabs: “Data”, “Metric & Axes” and “Panel Settings”.

In the “Data” tab, you can modify the elements responsible for which data is presented and how. This tab has two sections: “metrics”, where you set which data should be displayed, and “buckets”, where you specify how it should be presented.

Select the Metrics & Axes tab to change the way each metric is shown on the chart. The data series are styled in the Metrics section, while the axes are styled in the X and Y axis sections.

In the “Panel Settings” tab, there are settings relating mainly to visual aesthetics. Each type of visualization has separate options.

To create the first graph in the chart modification panel, in the “Data” tab add an X-Axis in the “buckets” section. In “Aggregation” choose “Histogram”; “Field” should automatically be set to “timestamp” and “Interval” to “Auto” (if not, set them this way). Click on the icon on the panel. Now the first graph should appear.

Some of the options for “Area Chart” are:

  • Smooth Lines – is used to smooth the graph line.

  • Current time marker – places a vertical line on the graph that determines the current time.

  • Set Y-Axis Extents – allows you to set minimum and maximum values for the Y axis, which increases the readability of the graphs. This is useful if we know that the data will never fall below a certain value (the minimum value), or to indicate the goals of the company (the maximum value).

  • Show Tooltip – displays an information window under the mouse cursor when pointing at a point on the graph.

Saving

To save the visualization, click on the “Save” button under the query bar, give it a name and click the button.

Load

To load the visualization, go to “Management Object” -> “Saved Object” -> “Visualizations” and select it from the list. From here, you can also enter the advanced editing mode. To view the visualization, use the button.

Getting Started with Visualizations

Quick Start Guide

To create your first visualization, follow these steps:

Navigation: ELS Console → Visualizations → Create a Visualization

  1. Select Data Source:

    • Choose an index pattern (e.g., security-events-*, alerts-*).

    • Use the time filter to focus on relevant data (e.g., last 24 hours).

  2. Choose Visualization Type:

    • Options include Line Chart, Pie Chart, Data Table, etc.

    • Select based on your analysis needs (e.g., trends, distributions).

  3. Configure the Visualization:

    • Set X-Axis (e.g., time), Y-Axis (e.g., count), and filters (e.g., severity > medium).

    • Adjust colors and labels for clarity.

  4. Save and Add to Dashboard:

    • Save with a descriptive name (e.g., “Login Failures Trend”).

    • Add to an existing dashboard or create a new one.

Tip: Start with a simple Data Table to explore your data before creating complex charts.


Creating Custom Visualizations

Step-by-Step Process

Navigation: ELS Console → Visualizations → Create Visualization

Visualization creation interface: data selection, chart type, preview panel

Step 1: Select Visualization Type

  • Options: Area Chart, Pie Chart, Heat Map, Data Table, Metric.

  • Recommendation: Choose based on data type (e.g., Area Chart for trends).

Step 2: Configure Data

  • Bucket Aggregations: X-Axis (time), Y-Axis (count), Split Series (by severity).

  • Metrics Aggregations: Count, Average, Sum, Unique Count.

Step 3: Apply Filters

  • Examples: event.category: "security", timestamp: last 24h.

  • Purpose: Narrow down to relevant security events.

Step 4: Customize

  • Settings: Color scheme (Red/Orange/Yellow), Labels, Legends, Tooltips.

  • Best Practice: Use consistent colors for severity levels.

Step 5: Save

  • Name the visualization and add it to a dashboard.

  • Set an auto-refresh interval if needed.
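The chart configured in Steps 2 and 3 above (and in the Quick Start) corresponds to a single aggregation request against the Elasticsearch backend that Energy Logserver queries. This added example, which is not taken from the Energy Logserver documentation, builds that request body (date histogram on the X-Axis, count on the Y-Axis, split series by severity, filtered to event.category: "security" for the last 24h) and flattens the response into the per-severity series the chart draws; the @timestamp, severity and event.category field names are assumptions and the sample response is constructed.

```python
# Added example (not from the Energy Logserver docs): the Elasticsearch
# aggregation request behind the chart configured above (X-Axis: date
# histogram on @timestamp, Y-Axis: count, Split Series: terms on severity,
# filter event.category: "security" over the last 24h) and a parser that
# turns the response into the per-severity series the chart draws.
# Field names are assumptions; the response below is constructed.

def build_request(interval="1h", time_range="now-24h", severity_field="severity"):
    """Search body equivalent to the Visualize settings described above."""
    return {
        "size": 0,  # aggregations only; no matching documents are returned
        "query": {"bool": {"filter": [
            {"term": {"event.category": "security"}},
            {"range": {"@timestamp": {"gte": time_range, "lte": "now"}}},
        ]}},
        "aggs": {"over_time": {
            "date_histogram": {"field": "@timestamp", "fixed_interval": interval},
            "aggs": {"by_severity": {"terms": {"field": severity_field, "size": 5}}},
        }},
    }

def series_from_response(resp):
    """Flatten nested buckets into {severity: [(bucket_time, count), ...]}.
    Buckets with no events for a severity are filled with 0, as the chart does."""
    hours = resp["aggregations"]["over_time"]["buckets"]
    severities = sorted({s["key"] for h in hours for s in h["by_severity"]["buckets"]})
    series = {sev: [] for sev in severities}
    for h in hours:
        counts = {s["key"]: s["doc_count"] for s in h["by_severity"]["buckets"]}
        for sev in severities:
            series[sev].append((h["key_as_string"], counts.get(sev, 0)))
    return series

def peak(series, severity):
    """Bucket with the highest count for one severity: the spike the chart reveals."""
    return max(series.get(severity, []), key=lambda kv: kv[1], default=None)

# Constructed response, shaped like what Elasticsearch returns for build_request().
SAMPLE_RESPONSE = {"aggregations": {"over_time": {"buckets": [
    {"key_as_string": "2024-01-01T00:00:00Z", "doc_count": 7,
     "by_severity": {"buckets": [{"key": "high", "doc_count": 2},
                                 {"key": "low", "doc_count": 5}]}},
    {"key_as_string": "2024-01-01T01:00:00Z", "doc_count": 3,
     "by_severity": {"buckets": [{"key": "high", "doc_count": 3}]}},
]}}}

if __name__ == "__main__":
    import json
    print(json.dumps(build_request(), indent=2))
    print(series_from_response(SAMPLE_RESPONSE))
    print(peak(series_from_response(SAMPLE_RESPONSE), "high"))
```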


Visualization Types for Security Use Cases

Common Types

  • Line Chart: Trends (e.g., alert volume over time).

    • Config: X-Axis: Time, Y-Axis: Count, Split: Severity.

  • Bar Chart: Comparisons (e.g., top attacking countries).

    • Config: X-Axis: Country, Y-Axis: Count.

  • Pie Chart: Distributions (e.g., alert severity).

    • Config: Slice: Severity, Metric: Count.

  • Heat Map: Correlations (e.g., risk by host).

    • Config: X-Axis: Time, Y-Axis: Host, Color: Risk.

  • Data Table: Lists (e.g., recent events).

    • Config: Columns: Timestamp, Event, Severity.

  • Gauge: Metrics (e.g., compliance score).

    • Config: Metric: Average, Ranges: Green/Yellow/Red.

  • Map: Geographic views (e.g., attack sources).

    • Config: Coordinates: source.geo, Size: Attack count.

  • Goal: Progress (e.g., incident resolution).

    • Config: Metric: Resolved, Target: 95%.

  • Timelion: Time series (e.g., anomalies).

    • Config: .es(q='anomaly').

  • Vega: Custom graphs (e.g., network flows).

    • Config: Custom Vega spec.

Security-Specific

  • Threat Map: Global attack patterns, color-coded severity, drill-down.

  • Timeline: Incident progression, filters, exportable.

  • Risk Heatmap: Time vs. assets, color by risk.


Performance Optimization

Tips

  • Query: Use narrow time ranges, apply filters, cache queries.

  • Visualization: Limit panel count, use efficient types, reduce refreshes.

Configuration:

# kibana.yml
visualize:
  enableLabs: false
  defaultIndex: "security-*"
elasticsearch:
  requestTimeout: 60000
  shardTimeout: 30000

Troubleshooting

  • Slow Dashboards: Check latency, index health, reduce complexity.

  • Errors: Adjust timeouts and aggregation levels; verify index patterns.