Field Graph Widget
The Field Graph widget is one of the most versatile visualization tools in DataBee. It displays a time-series chart showing how many records match your configured query over time, with the option to aggregate a numeric field using count, minimum, maximum, or average. Use this widget to track trends in any OCSF activity table — from network traffic volumes and authentication event spikes to process activity patterns.

Configuration
Click + Add Widget, select Field Graph, and click Next.

Field | Required | Description | Default |
Widget Name | Yes | A descriptive title (e.g., 'Network Activity Over Time', 'Authentication Events by Hour'). | — |
Table | Yes | The OCSF activity table to query. Start typing to filter the list of 80+ available tables. | — |
Time Range | No | Period to display. Choosing Use Global inherits the console's current time range; any other value applies to this widget only. | Use Global |
Query | No | A DataBee search query to filter records. Leave blank to include all records. See Query Syntax below. | Empty |
Aggregation Field | No | A numeric field (OCSF dotted path) to aggregate instead of counting records. Used only with the Min, Max, and Average methods; ignored when the method is Count. | Empty |
Aggregation Method | No | How to calculate the value of each time bucket: Count, Min, Max, or Average. | Count |
Display | No | Chart visualization type. | Line Chart |
Graph Summary | No | An optional description providing additional context about the chart. | Empty |
Selecting a Table
The Table field gives you access to every OCSF activity table in your data lake. With 80+ tables available, typing to filter is the fastest way to find what you need. For example, typing 'network' narrows the list to Network Activity, Network Connection Query, etc.

Common tables include:
Table | Contains | Example Use |
Authentication | Login events — success, failure, MFA challenges | Track failed login attempts over time |
Network Activity | Network connections with source/dest IPs and ports | Monitor traffic volume trends |
DNS Activity | DNS queries and responses | Detect DNS tunneling or unusual query patterns |
HTTP Activity | HTTP requests and responses | Track web traffic volumes |
Process Activity | Process creation and termination events | Monitor for suspicious process execution |
Detection Finding | Detection rule matches and alerts from SIEM/EDR | Track alert volume over time |
Vulnerability Finding | Vulnerability scan results and CVE matches | Monitor vulnerability discovery rates |
File System Activity | File creation, modification, and access events | Track file access patterns |
Email Activity | Email send, receive, and scan events | Monitor email volume and threats |
Event Log Activity | Windows Event Logs and syslog entries | Track system event patterns |
Display Types
Display | Best For | Description |
Line Chart | Identifying trends over time | Renders as an area chart with a filled region beneath the line. Ideal for seeing gradual rises, sudden spikes, or steady patterns. Hover over any point to see the exact value at that moment. |
Bar Chart | Comparing discrete time intervals | Renders as a column chart with one bar per time bucket. Useful for comparing day-over-day or hour-over-hour volumes — each bar represents a distinct time period. |
Aggregation
By default, the Field Graph counts the number of matching records in each time bucket. For more advanced analysis, you can aggregate a numeric field instead.
Aggregation Method
Method | What It Does | Example Use Case |
Count | Counts matching records. This is the default and most common method. | "How many authentication events occurred each hour?" |
Min | Finds the minimum value of the Aggregation Field in each time bucket. | "What was the smallest file transferred each day?" |
Max | Finds the maximum value of the Aggregation Field in each time bucket. | "What was the peak network packet size each hour?" |
Average | Calculates the mean value of the Aggregation Field in each time bucket. | "What is the average HTTP response time over time?" |
Aggregation Field
When using Min, Max, or Average, you must specify which numeric field to aggregate. Enter the field name using OCSF dotted notation — for example, traffic.bytes for byte counts, duration for event duration, or severity_id for severity levels. Records that lack the field, or hold a non-numeric value in it, contribute nothing to the bucket's value. Note that severity_id is an integer enum code: Min and Max give the lowest and highest severity seen in each bucket, but an Average of an enum code is rarely meaningful.
Tip: For the most common use case — counting how many events occurred over time — leave Aggregation Method as Count and Aggregation Field empty. Only change these when you need to analyze a specific numeric dimension of your data.
Query Syntax
The Query field accepts DataBee's search query syntax to filter which records are included. If left blank, all records in the selected table within the time range are included.
Basic Syntax
Queries follow the format: field_name operator value
Supported Operators
Operator | Description | Example |
in | Field value matches the specified value(s). Use parentheses for multiple values. | severity_id in (4,5,6) |
notin | Field value does NOT match the specified value(s). | status_id notin (0,99) |
contains | Field value contains the specified substring. | message contains ransomware |
between | Field value falls between two values (inclusive). Separate with comma. | traffic.bytes between 1000,50000 |
Combining Conditions
Use "and" to combine multiple conditions; every condition must hold for a record to be included. For example: severity_id in (4,5) and metadata.product.name in CrowdStrike. Only "and" is documented, so to match any of several values of one field use a single in condition with a parenthesized list rather than separate clauses.
Nested Field Paths
Access nested fields using dot notation. Common paths include:
Path | Description |
metadata.product.name | The security product that generated the event (e.g., CrowdStrike, Qualys) |
src_endpoint.ip | Source IP address |
dst_endpoint.ip | Destination IP address |
device.name | Device hostname |
user.name | Username |
finding.severity | Finding severity level |
Note: The widget's Time Range setting automatically filters by time — you do not need to include time filters in the Query field.
Query Examples for Field Graph
Scenario | Query |
Only events from CrowdStrike | metadata.product.name in CrowdStrike |
Exclude low-severity events | severity_id notin (0,1,2) |
Only high and critical findings | severity_id in (4,5) |
Events from a specific source IP | src_endpoint.ip in 10.0.0.1 |
Events containing a specific keyword | message contains unauthorized access |
Combined: high severity from specific product | severity_id in (4,5) and metadata.product.name in CrowdStrike |
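The Aggregation and Query Syntax sections describe what the widget computes: apply the query as a filter, group the surviving records into time buckets, then reduce each bucket with Count, Min, Max, or Average. The Python below is an added reference model of that pipeline, written for this page and not DataBee's own code. It makes several assumptions the page does not state: records carry OCSF `time` as epoch milliseconds, `contains` is a case-sensitive substring match, values are unquoted and coerced to numbers when they parse as such, buckets are fixed-width and empty buckets are omitted, and the grammar is exactly the documented one (field, operator, value, joined by "and"). The sample records are constructed, not real telemetry.

```python
"""Reference model of a Field Graph: filter with the documented query
syntax, bucket by time, aggregate each bucket. Added illustration only;
this is not DataBee's implementation."""
import re
from statistics import mean

# Constructed OCSF-style Network Activity records (not real data).
# Assumption: `time` is epoch milliseconds, as OCSF defines it.
RECORDS = [
    {"time": 1700000000000, "severity_id": 1, "message": "allowed",
     "metadata": {"product": {"name": "CrowdStrike"}},
     "src_endpoint": {"ip": "10.0.0.1"}, "traffic": {"bytes": 1500}},
    {"time": 1700000600000, "severity_id": 4, "message": "blocked unauthorized access",
     "metadata": {"product": {"name": "CrowdStrike"}},
     "src_endpoint": {"ip": "10.0.0.1"}, "traffic": {"bytes": 40000}},
    {"time": 1700001200000, "severity_id": 5, "message": "unauthorized access attempt",
     "metadata": {"product": {"name": "Zeek"}},
     "src_endpoint": {"ip": "10.0.0.2"}, "traffic": {"bytes": 800}},
    {"time": 1700003000000, "severity_id": 4, "message": "allowed",
     "metadata": {"product": {"name": "CrowdStrike"}},
     "src_endpoint": {"ip": "10.0.0.1"}, "traffic": {"bytes": 20000}},
    {"time": 1700004000000, "severity_id": 0, "message": "allowed",
     "metadata": {"product": {"name": "CrowdStrike"}},
     "src_endpoint": {"ip": "10.0.0.3"}, "traffic": {"bytes": 60000}},
    {"time": 1700005000000, "severity_id": 5, "message": "blocked",
     "metadata": {"product": {"name": "Zeek"}},
     "src_endpoint": {"ip": "10.0.0.2"}},  # no traffic.bytes at all
]

_CLAUSE = re.compile(r"^\s*(\S+)\s+(in|notin|contains|between)\s+(.+?)\s*$", re.I)


def get_path(record, path):
    """Resolve an OCSF dotted path such as 'metadata.product.name'; None if absent."""
    cur = record
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _coerce(text):
    """Unquoted literal: int if it parses, else float, else the raw string."""
    text = text.strip()
    for cast in (int, float):
        try:
            return cast(text)
        except ValueError:
            pass
    return text


def _values(text):
    """'(4,5,6)' or '4,5,6' or 'CrowdStrike' -> list of coerced values."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    return [_coerce(v) for v in text.split(",") if v.strip()]


def parse_query(query):
    """Split on 'and' and parse each 'field operator value' clause."""
    if not query or not query.strip():
        return []  # blank query: every record in the time range is included
    conds = []
    for clause in re.split(r"\s+and\s+", query.strip(), flags=re.I):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unparseable clause: {clause!r}")
        field, op, raw = m.group(1), m.group(2).lower(), m.group(3)
        if op == "contains":
            conds.append((field, op, raw))        # substring kept verbatim, spaces included
        elif op == "between":
            lo, hi = _values(raw)                 # inclusive bounds, comma separated
            conds.append((field, op, (lo, hi)))
        else:
            conds.append((field, op, _values(raw)))
    return conds


def matches(record, conds):
    """True when every condition holds (conditions are and-ed)."""
    for field, op, value in conds:
        actual = get_path(record, field)
        if op == "in" and actual not in value:
            return False
        if op == "notin" and actual in value:
            return False
        if op == "contains" and (actual is None or value not in str(actual)):
            return False
        if op == "between" and (actual is None or not value[0] <= actual <= value[1]):
            return False
    return True


def field_graph(records, query, bucket_seconds=3600, method="count", agg_field=None):
    """Return {bucket_start_epoch_seconds: value} for the matching records."""
    method = method.lower()
    if method != "count" and not agg_field:
        raise ValueError("Min, Max and Average require an Aggregation Field")
    reducer = {"count": len, "min": min, "max": max, "average": mean}[method]
    conds = parse_query(query)
    buckets = {}
    for r in records:
        if not matches(r, conds):
            continue
        bucket = (r["time"] // 1000) // bucket_seconds * bucket_seconds
        if method == "count":
            buckets.setdefault(bucket, []).append(1)
        else:
            v = get_path(r, agg_field)
            if isinstance(v, (int, float)):       # missing/non-numeric fields are skipped
                buckets.setdefault(bucket, []).append(v)
    return {b: reducer(vals) for b, vals in sorted(buckets.items())}


if __name__ == "__main__":
    print(field_graph(RECORDS, "severity_id in (4,5) and metadata.product.name in CrowdStrike"))
    print(field_graph(RECORDS, "", method="average", agg_field="traffic.bytes"))
```

Two behaviours worth noticing when reading the output: the record with no `traffic` object is still counted by Count but silently drops out of Min/Max/Average, which is why an Average over a sparsely populated field can look healthier than the data is; and because the model splits clauses on the word "and", a `contains` keyword that itself contains " and " would be mis-parsed, so keep `contains` values to simple keywords as the page's examples do.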
Interactive Features
- Hover over any point on the chart to see the exact count and timestamp in a tooltip.
- Use the hamburger menu (three lines) on the chart to access additional chart options.