Field Value Distribution Widget
The Field Value Distribution widget shows how values for a field change over time using a stacked bar chart. Unlike the Field Value Count widget (which shows a single snapshot), this widget reveals temporal patterns — helping you spot shifts like authentication failures increasing overnight, severity levels changing after a patch deployment, or a new event type appearing in your data.

Configuration
Click + Add Widget, select Field Value Distribution, and click Next.

Field | Required | Description | Default |
Widget Name | Yes | A title (e.g., 'Authentication Activity Distribution'). | — |
Activity | Yes | The OCSF activity table to query. | — |
Field Name | Yes | The categorical field to analyze. Choose a field with 2-8 distinct values for best readability. | — |
Time Range | No | Period to display. | Use Global |
Query | No | A DataBee search query to filter records. | Empty |
How It Differs from Field Value Count
Aspect | Field Value Count | Field Value Distribution |
Visualization | Single bar or pie chart | Stacked bar chart over time |
Time dimension | Totals for the entire time range | Broken into time intervals |
Best for | "What is the current breakdown?" | "How has the breakdown changed over time?" |
Example insight | "70% Success, 30% Failure" | "Success was steady but Failure spiked Tuesday night" |
Choosing a Field Name
Choose fields with a small number of distinct values (2-8 is ideal):
Field | Table | Typical Values |
Status | Authentication | Success, Failure, Unknown, Other |
Severity | Detection Finding | Low, Medium, High, Critical, Fatal |
Activity Name | Any activity table | Create, Update, Delete, Close |
Disposition | Security Finding | How the finding was handled (e.g., Allowed, Blocked, Quarantined) |
Query Syntax
The Query field accepts DataBee's search query syntax to filter which records are included. If left blank, all records in the selected table within the time range are included.
Basic Syntax
Each condition has the form: field_name operator value. The field name may be a nested dot path (see Nested Field Paths below).
Supported Operators
Operator | Description | Example |
in | Field value matches the specified value(s). A single value needs no parentheses; use parentheses for multiple values. The subnet example below uses * as a wildcard inside a value. | severity_id in (4,5,6) |
notin | Field value does NOT match the specified value(s). | status_id notin (0,99) |
contains | Field value contains the specified substring. | message contains ransomware |
between | Field value falls between two values (inclusive). Separate with comma. | traffic.bytes between 1000,50000 |
Combining Conditions
Use "and" to combine multiple conditions; a record is included only when every condition holds. For example: severity_id in (4,5) and metadata.product.name in CrowdStrike
Nested Field Paths
Access nested fields using dot notation. Common paths include:
Path | Description |
metadata.product.name | The security product that generated the event (e.g., CrowdStrike, Qualys) |
src_endpoint.ip | Source IP address |
dst_endpoint.ip | Destination IP address |
device.name | Device hostname |
user.name | Username |
finding.severity | Finding severity level |
Note: The widget's Time Range setting automatically filters by time — you do not need to include time filters in the Query field.
Query Examples for Field Value Distribution
Scenario | Query |
Only from Azure AD | metadata.product.name in AzureAD |
Exclude service accounts | user.name notin (svc_account,system) |
Only interactive logins | type_name in (Authentication: Logon) |
From a specific subnet | src_endpoint.ip in 10.0.1.* |
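The following is an added worked example, not DataBee code: a small evaluator for the query syntax documented above (in, notin, contains, between, joined with and, with dot-path field access) applied to constructed OCSF-style authentication records, followed by the per-interval bucketing that turns a plain Field Value Count into a Field Value Distribution. The record layout, the hour-long interval, the treatment of * as a glob wildcard, and the rule that notin keeps records lacking the field are all assumptions of the example, not documented DataBee behaviour.

```python
"""Added example (not DataBee's engine): evaluate the query syntax documented
above and bucket matching records per interval, as the widget's stacked bars do.
Quoting rules and '*' wildcard matching (as in 10.0.1.*) are assumptions."""
import re
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# One clause is "<field path> <operator> <right-hand side>"; clauses join with 'and'.
CLAUSE_RE = re.compile(r"^\s*(\S+)\s+(notin|in|contains|between)\s+(.+?)\s*$")

def get_path(record, path):
    """Resolve a dot path such as 'metadata.product.name'; None when absent."""
    current = record
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current

def parse_query(query):
    """Split 'a in (1,2) and b contains x' into (field, operator, rhs) triples."""
    clauses = []
    for clause in re.split(r"\s+and\s+", query.strip()):  # values containing ' and ' unsupported
        match = CLAUSE_RE.match(clause)
        if not match:
            raise ValueError(f"cannot parse clause: {clause!r}")
        clauses.append(match.groups())
    return clauses

def _values(rhs):
    """'(4,5,6)' -> ['4', '5', '6']; 'CrowdStrike' -> ['CrowdStrike']."""
    rhs = rhs.strip()
    if rhs.startswith("(") and rhs.endswith(")"):
        rhs = rhs[1:-1]
    return [v.strip() for v in rhs.split(",") if v.strip()]

def record_matches(record, clauses):
    """True when every clause holds; values compare as strings, so 4 equals '4'."""
    for field, op, rhs in clauses:
        actual = get_path(record, field)
        if op == "contains":
            ok = actual is not None and rhs.strip() in str(actual)
        elif op == "between":  # inclusive, numeric
            low, high = (float(v) for v in _values(rhs)[:2])
            ok = actual is not None and low <= float(actual) <= high
        else:  # in / notin; '*' treated as a glob wildcard (assumption)
            hit = actual is not None and any(fnmatchcase(str(actual), v) for v in _values(rhs))
            ok = hit if op == "in" else not hit  # notin keeps records lacking the field
        if not ok:
            return False
    return True

def field_value_count(records, field, query=""):
    """Field Value Count: one total per value over the whole time range."""
    clauses = parse_query(query) if query.strip() else []
    return dict(Counter(str(get_path(r, field)) for r in records if record_matches(r, clauses)))

def field_value_distribution(records, field, query="", interval_seconds=3600):
    """Field Value Distribution: {bucket_start_iso: {value: count}} per interval."""
    clauses = parse_query(query) if query.strip() else []
    buckets = {}
    for rec in records:
        if not record_matches(rec, clauses):
            continue
        epoch = datetime.fromisoformat(rec["time"]).timestamp()
        start = datetime.fromtimestamp(epoch - epoch % interval_seconds, tz=timezone.utc)
        buckets.setdefault(start.isoformat(), Counter())[str(get_path(rec, field))] += 1
    return {k: dict(v) for k, v in sorted(buckets.items())}

def _auth(time, user, status, status_id, ip, product="AzureAD"):
    # Constructed OCSF-like authentication record; sample data, not real telemetry.
    return {"time": time, "status": status, "status_id": status_id, "user": {"name": user},
            "src_endpoint": {"ip": ip}, "metadata": {"product": {"name": product}}}

SAMPLE_EVENTS = [  # constructed: a failure burst after 23:00, one service account, one Okta event
    _auth("2024-05-07T22:05:00+00:00", "alice", "Success", 1, "10.0.1.15"),
    _auth("2024-05-07T22:20:00+00:00", "bob", "Success", 1, "10.0.1.22"),
    _auth("2024-05-07T22:40:00+00:00", "alice", "Failure", 2, "10.0.1.15"),
    _auth("2024-05-07T23:01:00+00:00", "alice", "Failure", 2, "10.0.1.15"),
    _auth("2024-05-07T23:02:00+00:00", "alice", "Failure", 2, "10.0.1.15"),
    _auth("2024-05-07T23:03:00+00:00", "alice", "Failure", 2, "10.0.1.15"),
    _auth("2024-05-07T23:10:00+00:00", "svc_account", "Success", 1, "10.0.2.5"),
    _auth("2024-05-07T23:30:00+00:00", "bob", "Success", 1, "10.0.1.22", "Okta"),
]

# The page's example filters combined: one product, no service accounts, one subnet.
EXAMPLE_QUERY = ("metadata.product.name in AzureAD and user.name notin (svc_account,system) "
                 "and src_endpoint.ip in 10.0.1.*")

if __name__ == "__main__":
    print(field_value_count(SAMPLE_EVENTS, "status", EXAMPLE_QUERY))
    print(field_value_distribution(SAMPLE_EVENTS, "status", EXAMPLE_QUERY))
```

Run as a script, the count collapses the filtered records to Success 2 / Failure 4, which is the single snapshot a Field Value Count shows; the distribution splits the same records into a 22:00 bucket (2 Success, 1 Failure) and a 23:00 bucket (3 Failure), which is the failure burst the stacked bars would make visible. Note that the service-account event is dropped by notin and the Okta event by the product filter before either aggregation runs, exactly as the Query field narrows the widget's input.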
Interactive Features
- Click on any bar segment to pivot to Search, filtered to that value and time interval.
- Use the legend to toggle individual values on or off.
- Hover over segments to see exact counts.