Field Value Count Widget
The Field Value Count widget shows how values are distributed for a selected field in an OCSF activity table. Choose from horizontal bar charts, vertical bar charts, or pie charts to visualize the breakdown. This widget answers questions like 'What percentage of vulnerability findings are Critical vs Medium?' or 'How many authentication events succeeded vs failed this week?'

Configuration
Click + Add Widget, select Field Value Count, and click Next.

| Field | Required | Description | Default |
|---|---|---|---|
| Widget Name | Yes | A title (e.g., 'Vulnerability Findings by Severity'). | — |
| Activity | Yes | The OCSF activity table to query. Start typing to filter. | — |
| Field Name | Yes | The categorical field to summarize. Type to filter, or use dotted notation for nested fields (e.g., finding.severity). | — |
| Time Range | No | Period to display. | Use Global |
| Query | No | A DataBee search query to filter records. | Empty |
| Display | No | Chart type: Horizontal, Vertical, or Pie. | Horizontal |
| Sort Direction | No | Order of values in the chart. | Higher Count First |
Choosing a Field Name
The Field Name determines what values appear in your chart. Choose a field with a manageable number of distinct values — fields with 3-10 unique values produce the clearest visualizations.
| Field | Found In | Typical Values |
|---|---|---|
| Severity | Vulnerability Finding, Detection Finding | Fatal, Critical, High, Medium, Low |
| Severity ID | All finding tables | Numeric levels 0-6 (auto-colored: green→red) |
| Status | Authentication | Success, Failure, Unknown, Other |
| Activity Name | Most activity tables | Create, Read, Update, Delete, Close |
| Type Name | All tables | Event type classification |
| Disposition | Security Finding | How the finding was handled |
| Category Name | Detection Finding | Detection rule categories |
Note: Fields ending in _id (like severity_id, status_id, confidence_id) automatically receive color coding — green for low values, yellow for medium, red for high. This makes severity and status distributions immediately readable.
Display Types
| Type | Best For | Description |
|---|---|---|
| Horizontal | Comparing proportions (3-10 values) | Horizontal bars with labels on the left and counts on the right. Each bar includes a percentage-of-total indicator. 'Total' count appears at the top. This is the default and most common choice. |
| Vertical | Compact display | Values stacked vertically with counts. Similar to Horizontal but in a more compact layout. |
| Pie | Part-of-whole analysis (2-6 values) | Interactive pie chart with colored slices and percentage labels. Hover over a slice to see the exact count. Best when you have a small number of distinct values. |
Sort Direction
| Option | Effect |
|---|---|
| Show Higher Count Values First | Most frequent values appear at top (bar) or as largest slices (pie). This is the default. |
| Show Lower Count Values First | Least frequent values appear first. Useful for highlighting rare events or anomalies. |
Note: An 'Other' category may appear at the bottom, grouping infrequent values. This category always appears last regardless of sort direction.
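To make the widget's behaviour concrete, here is an added example (not DataBee's own code) that reproduces what a Field Value Count does over a handful of constructed OCSF-style Vulnerability Finding records: resolve the dotted Field Name, count distinct values, compute the percentage-of-total shown on each bar, apply the sort direction, and fold infrequent values into an 'Other' row that always lands last. The records, the threshold used for 'Other', and the colour cut-offs for `_id` fields are assumptions for this example; the page does not document how DataBee chooses them.

```python
from collections import Counter

# Constructed sample of OCSF-style Vulnerability Finding records (not real DataBee data).
# Each record carries the nested finding.severity label and the flat severity_id.
SAMPLE_FINDINGS = [
    {"finding": {"severity": "Critical"}, "severity_id": 5, "metadata": {"product": {"name": "Qualys"}}},
    {"finding": {"severity": "Critical"}, "severity_id": 5, "metadata": {"product": {"name": "Qualys"}}},
    {"finding": {"severity": "Critical"}, "severity_id": 5, "metadata": {"product": {"name": "CrowdStrike"}}},
    {"finding": {"severity": "High"}, "severity_id": 4, "metadata": {"product": {"name": "Qualys"}}},
    {"finding": {"severity": "High"}, "severity_id": 4, "metadata": {"product": {"name": "Qualys"}}},
    {"finding": {"severity": "High"}, "severity_id": 4, "metadata": {"product": {"name": "CrowdStrike"}}},
    {"finding": {"severity": "High"}, "severity_id": 4, "metadata": {"product": {"name": "Qualys"}}},
    {"finding": {"severity": "Medium"}, "severity_id": 3, "metadata": {"product": {"name": "Qualys"}}},
    {"finding": {"severity": "Medium"}, "severity_id": 3, "metadata": {"product": {"name": "CrowdStrike"}}},
    {"finding": {"severity": "Low"}, "severity_id": 2, "metadata": {"product": {"name": "Qualys"}}},
    {"finding": {"severity": "Fatal"}, "severity_id": 6, "metadata": {"product": {"name": "CrowdStrike"}}},
]


def get_path(record, path):
    """Resolve a dotted field path such as 'finding.severity' against a nested dict.
    Returns None when any segment is missing, so absent fields are counted explicitly."""
    current = record
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def field_value_count(records, field, higher_count_first=True, other_min_count=2):
    """Summarise one field the way the widget does: (total, rows of (value, count, percent)).

    Values seen fewer than other_min_count times are folded into an 'Other' row that is
    always emitted last regardless of sort direction. The threshold is an assumption for
    this example; the page does not say how DataBee decides what counts as infrequent."""
    counts = Counter()
    for record in records:
        value = get_path(record, field)
        counts["(missing)" if value is None else str(value)] += 1
    total = sum(counts.values())
    if total == 0:
        return 0, []
    kept = {value: n for value, n in counts.items() if n >= other_min_count}
    other = sum(n for value, n in counts.items() if n < other_min_count)
    # Sort by count in the requested direction; ties break alphabetically for a stable chart.
    rows = sorted(kept.items(), key=lambda kv: (-kv[1] if higher_count_first else kv[1], kv[0]))
    if other:
        rows.append(("Other", other))
    return total, [(value, n, round(100.0 * n / total, 1)) for value, n in rows]


def id_color(value):
    """Approximate the auto-colouring described for *_id fields (green for low values,
    yellow for medium, red for high). The 0-6 cut-offs are an assumption."""
    n = int(value)
    if n <= 2:
        return "green"
    if n <= 4:
        return "yellow"
    return "red"


if __name__ == "__main__":
    total, rows = field_value_count(SAMPLE_FINDINGS, "finding.severity")
    print(f"Total: {total}")
    for value, n, pct in rows:
        print(f"{value:<10} {n:>3}  {pct:>5}%")
    _, id_rows = field_value_count(SAMPLE_FINDINGS, "severity_id", other_min_count=1)
    for value, n, _pct in id_rows:
        print(f"severity_id={value}: {n} ({id_color(value)})")
```

Running it with the default sort direction lists High first, then Critical and Medium, with the single Low and Fatal findings grouped as Other at the bottom; switching to lower-count-first reverses the main rows while Other stays last, which is the behaviour the note above describes.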
Query Syntax
The Query field accepts DataBee's search query syntax to filter which records are included. If left blank, all records in the selected table within the time range are included.
Basic Syntax
Queries follow the format: field_name operator value
Supported Operators
| Operator | Description | Example |
|---|---|---|
| in | Field value matches the specified value(s). Use parentheses for multiple values. | severity_id in (4,5,6) |
| notin | Field value does NOT match the specified value(s). | status_id notin (0,99) |
| contains | Field value contains the specified substring. | message contains ransomware |
| between | Field value falls between two values (inclusive). Separate with comma. | traffic.bytes between 1000,50000 |
Combining Conditions
Use "and" to combine multiple conditions. For example: severity_id in (4,5) and metadata.product.name in CrowdStrike
Nested Field Paths
Access nested fields using dot notation. Common paths include:
| Path | Description |
|---|---|
| metadata.product.name | The security product that generated the event (e.g., CrowdStrike, Qualys) |
| src_endpoint.ip | Source IP address |
| dst_endpoint.ip | Destination IP address |
| device.name | Device hostname |
| user.name | Username |
| finding.severity | Finding severity level |
Note: The widget's Time Range setting automatically filters by time — you do not need to include time filters in the Query field.
Query Examples for Field Value Count
| Scenario | Query |
|---|---|
| Only vulnerabilities from Qualys | metadata.product.name in Qualys |
| Exclude informational findings | severity_id notin (0,1) |
| Only failed authentication attempts | status_id in (2) |
| Events from a specific device | device.name in web-server-01 |
| Only high-risk vulnerabilities | severity_id in (4,5,6) |
Interactive Features
- Click on any bar or pie slice to pivot to Search, filtered to that specific value.
- Hover over chart elements to see exact counts and percentages in a tooltip.