Visualizations

The Visualize tab opens a page where you can select one or more existing visualizations of the data in your Elasticsearch indexes; you can also create a new visualization from this page. You can then build dashboards that display related visualizations.

Visualizations can also be created directly on a dashboard by selecting Edit > Add.

Siren Investigate visualizations are based on Elasticsearch queries. By using a series of Elasticsearch aggregations to extract and process your data, you can create charts that show you the trends, spikes, and dips that you need to know about.

You can create visualizations from a search saved from Discover, or start with a new search query.

Creating a visualization

  1. Click Visualize in the side navigation.

  2. Click Create new visualization or the + button.

  3. Choose the visualization type. For more information, see Visualization types.

  4. Specify a search query to retrieve the data for your visualization:

    • To enter new search criteria, select the index pattern for the indices that contain the data you want to visualize. This opens the visualization builder with a wildcard query that matches all the documents in the selected indices.

    • To build a visualization from a saved search, click the name of the saved search you want to use. This opens the visualization builder and loads the selected query.

      When you build a visualization from a saved search, any subsequent modifications to the saved search are automatically reflected in the visualization. To switch off automatic updates, you can disconnect a visualization from the saved search.

  5. In the visualization builder, choose the aggregation for the visualization’s y-axis. For more information, see Y-axis aggregations.

  6. For the visualization’s x-axis, select a bucket aggregation. For more information, see X-axis aggregations.

For example, if you are indexing Apache server logs, you could build a horizontal bar chart that shows the distribution of incoming requests by geographic location by specifying a terms aggregation on the geo.src field:

image

The y-axis shows the number of requests received from each country, and the countries are displayed across the x-axis.

Bar, line, or area chart visualizations use metrics for the y-axis and buckets for the x-axis. Buckets are analogous to SQL GROUP BY statements. Pie charts use the metric for the slice size and the bucket for the number of slices.

You can further break down the data by specifying sub aggregations. The first aggregation determines the data set for any subsequent aggregations. Sub aggregations are applied in order—you can drag the aggregations to change the order in which they are applied.

For example, you could add a terms sub aggregation on the geo.dest field to a vertical bar chart to see the locations those requests were targeting.

For more information about working with sub aggregations, see Kibana, Aggregation Execution Order, and You.
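The two charts described above correspond to a terms aggregation on geo.src with a terms sub aggregation on geo.dest. The following added example (not part of the Siren Investigate documentation) builds a minimal request body for it and evaluates both aggregation orders over constructed sample documents, to show that the first aggregation decides which documents the sub aggregation sees. The aggregation names, bucket sizes and sample data are assumptions made for the example.

```python
import json


def terms(field, size, sub_aggs=None):
    """Build one terms bucket aggregation, ordered by document count."""
    agg = {"terms": {"field": field, "size": size, "order": {"_count": "desc"}}}
    if sub_aggs:
        agg["aggs"] = sub_aggs
    return agg


# Source first, then destination: the order used for the bar chart above.
SRC_THEN_DEST = {"by_src": terms("geo.src", 2, {"by_dest": terms("geo.dest", 2)})}
# The same two aggregations after dragging geo.dest above geo.src.
DEST_THEN_SRC = {"by_dest": terms("geo.dest", 2, {"by_src": terms("geo.src", 2)})}


def request_body(aggs):
    """Minimal Elasticsearch request body; the request the tool sends may carry more."""
    return {"size": 0, "query": {"match_all": {}}, "aggs": aggs}


# Constructed sample data: (source country, destination country, number of requests).
PAIRS = [("US", "CN", 3), ("US", "IN", 2), ("CN", "US", 2),
         ("CN", "IN", 1), ("IN", "CN", 1), ("IN", "BR", 1)]
SAMPLE_DOCS = [{"geo": {"src": s, "dest": d}} for s, d, n in PAIRS for _ in range(n)]


def get_field(doc, dotted):
    """Resolve a dotted field name such as geo.src inside a nested document."""
    value = doc
    for part in dotted.split("."):
        value = value[part]
    return value


def run_aggs(docs, aggs):
    """Evaluate nested terms aggregations in memory, using the Count metric."""
    result = {}
    for name, spec in aggs.items():
        params = spec["terms"]
        groups = {}
        for doc in docs:
            groups.setdefault(get_field(doc, params["field"]), []).append(doc)
        # Highest count first, ties broken by key; keep only the top `size` buckets.
        ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
        buckets = []
        for key, members in ranked[: params["size"]]:
            bucket = {"key": key, "doc_count": len(members)}
            # Sub aggregations only see the documents that fell into this bucket.
            bucket.update(run_aggs(members, spec.get("aggs", {})))
            buckets.append(bucket)
        result[name] = {"buckets": buckets}
    return result


if __name__ == "__main__":
    print(json.dumps(request_body(SRC_THEN_DEST), indent=2))
    print(json.dumps(run_aggs(SAMPLE_DOCS, SRC_THEN_DEST), indent=2))
    print(json.dumps(run_aggs(SAMPLE_DOCS, DEST_THEN_SRC), indent=2))
```

With the outer size set to 2, requests from the third source never reach the geo.dest sub aggregation, which is why the two orders produce different cells.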

Visualization types

Table 1. Charts

Line, area, and bar charts

Compare different series in X/Y charts.

Box Plot

Display data in an x/y chart using upper and lower percentiles.

Bubble Diagram

Show data and parent/child relationships as bubbles.

Goal and Gauge

Display a gauge.

Heatmap Chart

Shade cells within a matrix.

Multichart

A visualization in which you can switch between other visualizations at will.

Parallel Lines Chart

Arranges several metrics on parallel columns.

Pie Chart

Display each source’s contribution to a total.

Radar Chart

A graphical method of displaying multivariate data in the form of a two-dimensional chart of three or more quantitative variables represented on axes starting from the same point.

Table 2. Textual

Analytic Table

Display the raw data of a composed aggregation.

Markdown Widget

Display free-form information or instructions.

Metric

Display a single number.

Query Viewer

Display the results from multiple queries on external datasources using query templates.

Tag Cloud

Display words as a cloud in which the size of the word corresponds to its importance.

Topic Clustering

Perform significance and clustering analysis on full-text fields.

Table 3. Maps

Coordinate Map

Associate the results of an aggregation with geographic locations.

Enhanced Coordinate Map

Associate the results of an aggregation with geographic locations.

Region Map

Thematic maps where a shape’s color intensity corresponds to a metric’s value.

Table 4. Showing individual records

Graph Browser

Display Elasticsearch documents as nodes and Siren Investigate relations as links of a graph. Note: The Graph Browser is a very powerful visualization and is described in a separate section of the documentation.

Record Table Visualization

Show the documents matched by a query on an Elasticsearch index with enhanced features.

Scatter Plot

Show data in an x/y graph as scattered points.

Table 5. Time series

Timelion

Compute and combine data from multiple time series data sets.

Time Series Visual Builder

Visualize time series data using pipeline aggregations.

Timeline

Visualize events in chronological order.

Table 6. Interactive filters and relational navigation

Controls

Create interactive controls for easy dashboard manipulation.

Relational Filter

(Deprecated) Configure the relational buttons to navigate between dashboards.

Relational Navigator

Provide navigation between relationally connected dashboards.

Y-axis aggregations

Metric aggregations

Count

The count aggregation returns a raw count of the elements in the selected index pattern.

Average

This aggregation returns the average of a numeric field. Select a field from the box.

Sum

The sum aggregation returns the total sum of a numeric field. Select a field from the box.

Min

The min aggregation returns the minimum value of a numeric field. Select a field from the box.

Max

The max aggregation returns the maximum value of a numeric field. Select a field from the box.

Standard Deviation

The extended stats aggregation returns the standard deviation of data in a numeric field. Select a field from the box.

Unique Count

The cardinality aggregation returns the number of unique values in a field. Select a field from the box.

Median

The Median (50th percentile) aggregation.

Percentiles

The percentile aggregation divides the values in a numeric field into percentile bands that you specify. Select a field from the box, then specify one or more ranges in the Percentiles fields. Click the X to remove a percentile field. Click + Add to add a percentile field.

Percentile Rank

The percentile ranks aggregation returns the percentile rankings for the values in the numeric field you specify. Select a numeric field from the box, then specify one or more percentile rank values in the Values fields. Click the X to remove a values field. Click +Add to add a values field.

Top Hit

The Top hit aggregation.

Geo Centroid

The Geo centroid aggregation.

Parent pipeline aggregations

For each of the parent pipeline aggregations you have to define the metric for which the aggregation is calculated. That could be one of your existing metrics or a new one. You can also nest these aggregations, for example to produce a third derivative.

Derivative

The derivative aggregation calculates the derivative of specific metrics.

Cumulative Sum

The cumulative sum aggregation calculates the cumulative sum of a specified metric in a parent histogram.

Moving Average

The moving average aggregation slides a window across the data and shows the average value of that window.

Serial Diff

Serial differencing is a technique where values in a time series are subtracted from themselves at different time lags or periods.

Sibling pipeline aggregations

Just like with parent pipeline aggregations, you need to provide a metric for which to calculate the sibling aggregation. On top of that, you also need to provide a bucket aggregation that defines the buckets on which the sibling aggregation will run.

Average Bucket

The avg bucket aggregation calculates the (mean) average value of a specified metric in a sibling aggregation.

Sum Bucket

The sum bucket aggregation calculates the sum of values of a specified metric in a sibling aggregation.

Min Bucket

The min bucket aggregation calculates the minimum value of a specified metric in a sibling aggregation.

Max Bucket

The max bucket aggregation calculates the maximum value of a specified metric in a sibling aggregation.
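To make the difference between parent and sibling pipeline aggregations concrete, the following added example (not part of the Siren Investigate documentation) computes the derivative, a nested second derivative, the cumulative sum, a serial difference and the sibling bucket aggregations over one constructed date histogram, and uses the derivative to pick out a spike. The bucket values, the threshold and the helper names are assumptions made for the example; moving average is left out.

```python
# Constructed sample: hourly request counts, in the shape a date histogram
# with the Count metric returns them (bucket key, metric value).
BUCKETS = [("00:00", 120), ("01:00", 130), ("02:00", 125),
           ("03:00", 410), ("04:00", 415), ("05:00", 140)]
KEYS = [key for key, _ in BUCKETS]
VALUES = [value for _, value in BUCKETS]


# Parent pipeline aggregations: one output value per bucket of the histogram.

def serial_diff(values, lag=1):
    """value[i] - value[i - lag]; the first `lag` buckets have nothing to subtract."""
    out = []
    for i, current in enumerate(values):
        previous = values[i - lag] if i >= lag else None
        out.append(None if current is None or previous is None else current - previous)
    return out


def derivative(values):
    """Change between consecutive buckets; the first bucket has no value."""
    return serial_diff(values, lag=1)


def cumulative_sum(values):
    """Running total of the metric across the histogram."""
    total, out = 0, []
    for value in values:
        total += value or 0  # a bucket without a value adds nothing
        out.append(total)
    return out


# Sibling pipeline aggregations: one result for the whole series of buckets.

def sum_bucket(values):
    return sum(values)


def avg_bucket(values):
    return sum(values) / len(values)


def min_bucket(keys, values):
    """Smallest metric value and the keys of the buckets that hold it."""
    low = min(values)
    return low, [k for k, v in zip(keys, values) if v == low]


def max_bucket(keys, values):
    """Largest metric value and the keys of the buckets that hold it."""
    high = max(values)
    return high, [k for k, v in zip(keys, values) if v == high]


def spikes(keys, values, threshold):
    """Keys of buckets whose rise over the previous bucket exceeds `threshold`."""
    return [k for k, d in zip(keys, derivative(values)) if d is not None and d > threshold]


if __name__ == "__main__":
    print("derivative       ", derivative(VALUES))
    # Nesting: the derivative of the derivative is the second derivative.
    print("second derivative", derivative(derivative(VALUES)))
    print("cumulative sum   ", cumulative_sum(VALUES))
    print("serial diff lag 3", serial_diff(VALUES, lag=3))
    print("avg / max bucket ", avg_bucket(VALUES), max_bucket(KEYS, VALUES))
    print("spikes over 200  ", spikes(KEYS, VALUES, 200))
```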

X-axis aggregations

Date Histogram

A date histogram is built from a numeric field and organized by date. You can specify a time frame for the intervals in seconds, minutes, hours, days, weeks, months, or years. You can also specify a custom interval frame by selecting Custom as the interval and specifying a number and a time unit in the text field. Custom interval time units are s for seconds, m for minutes, h for hours, d for days, w for weeks, and y for years. Different units support different levels of precision, down to one second. Intervals are labeled at the start of the interval, using the date-key returned by Elasticsearch. For example, the tool tip for a monthly interval will show the first day of the month.

Histogram

A standard histogram is built from a numeric field. Specify an integer interval for this field. Select the Show empty buckets check box to include empty intervals in the histogram.

Range

With a range aggregation, you can specify ranges of values for a numeric field. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range.

Date Range

A date range aggregation reports values that are within a range of dates that you specify. You can specify the ranges for the dates using date math expressions. Click Add Range to add a set of range endpoints. Click the red (/) symbol to remove a range.

IPv4 Range

The IPv4 range aggregation enables you to specify ranges of IPv4 addresses. Click Add Range to add a set of range endpoints. Click the red (/) symbol to remove a range.

Terms

A terms aggregation enables you to specify the top or bottom n elements of a given field to display, ordered by count or a custom metric.

Filters

You can specify a set of filters for the data. You can specify a filter as a query string or in JSON format, just as in the Discover search bar. Click Add Filter to add another filter. Click Label to open the label field, where you can type in a name to display on the visualization.

Significant Terms

Displays the results of the experimental significant terms aggregation. The value of the Size parameter defines the number of entries this aggregation returns.

Geohash

The geohash aggregation displays points based on the geohash coordinates.

External query terms filter

A Siren Investigate aggregator where one can define one or more buckets based on some record value (typically a primary key) matching the results of an external query. Multiple such buckets, corresponding to multiple queries, can be defined. For more information see the query menu in the configuration. This displays the results of the external query terms filter aggregation.

Customizing aggregations

Enter a string in the Custom Label field to change the display label.

You can customize the colors of your visualization by clicking the color dot next to each label to display the color picker.

You can click the Advanced link to display more customization options for your metrics or bucket aggregation:

Exclude Pattern

Specify a pattern in this field to exclude from the results.

Include Pattern

Specify a pattern in this field to include in the results.

JSON Input

A text field where you can add specific JSON-formatted properties to merge with the aggregation definition, as in the following example:

{"script" : "doc['grade'].value * 1.2"}

In Elasticsearch releases 1.4.3 and later, this functionality requires you to enable dynamic Groovy scripting.

The availability of these options varies depending on the aggregation you choose.

Visualization Spy

To display the raw data behind the visualization, click Spy Open in the bottom left corner of the container. The visualization spy panel will open.

Use the select input (highlighted) to view detailed information about the raw data.

Table

A representation of the underlying data, presented as a paginated data grid. You can sort the items in the table by clicking the table headers at the top of each column.

Request

The raw request used to query the server, presented in JSON format.

Response

The raw response from the server, presented in JSON format.

Statistics

A summary of the statistics related to the request and the response, presented as a data grid. The data grid includes the query duration, the request duration, the total number of records found on the server, and the index pattern used to make the query.

Debug

The visualization saved state presented in JSON format.

To export the raw data behind the visualization as a comma-separated-values (CSV) file, click either the Raw or Formatted links at the bottom of the detailed information tabs. A raw export contains the data as it is stored in Elasticsearch. A formatted export contains the results of any applicable field formatters.

Record Table visualization

Record Table is a visualization that shows the documents matched by a query on an Elasticsearch index, similar to the stock Discover table.

In addition to column configuration, the visualization provides the following features:

  • To hide the time column, which represents a time field of the Elasticsearch index, select the Hide time column check box.

  • You can set a page size, which is the number of rows displayed on each page. To enable top pagination, select the Show top paginator check box.

  • To use aliases in place of the column names in the data, select the Customize columns check box.

  • You can enable a column that indicates whether a search result is matched by a query on an external datasource.

  • You can define click handlers on the cells in a column, for example to open the URL displayed in a cell.

  • To create filters from table rows, select the Enable row filters check box.

Customize columns

It is possible to create an alias and set a minimum width for each column.

To enable renaming columns, select the Customize columns check box.

To configure the names of columns, you can set these parameters:

  • Alias (required): The column alias that is displayed as a column name.

  • Min width (optional): The minimum width of the column.

Search engine look

In a search engine, records are typically not shown before a query is entered. Selecting Search engine look replicates this behavior in the Record Table visualization.

When this option is selected, the visualization displays the message "Enter a query, a filter or change the time to start searching on XXX records", where XXX is the number of records available to search.

Relational column

The relational column can be used to display whether a search result is matched by a query on an external datasource.

To enable the relational column, select the Enable Relational Column check box.

The following image shows the configuration of a relational column named Why Relevant? where the value of a cell depends on the query Top 50 companies (HR count): if the value of the label index field of a document matches the value of the label variable in at least one record returned by the query, the name of the query will be displayed inside the cell.

image

To configure the relational column, you must set these parameters:

  • Column name: the column name that will be displayed in the table header.

  • Source Field: the name of the index field that will be compared to a variable in the query results.

  • Target query: the name of the query to execute.

  • Target query variable name: the name of the query variable that will be compared to the index field specified in Source field.

Click handlers

It is possible to define two different actions when clicking a cell:

  • Open a URL defined in the corresponding index field.

  • Select an entity in an external datasource matching the corresponding index field.

Follow URL

Select the Follow URL action to open a URL stored in an index field in a new window.

For example, the following configuration defines a handler that opens the URL stored in the field homepage_url when clicking the cell displaying the label field.

image

To configure a click handler, you must set the following parameters:

  • Column: The name of the column to which the handler will be bound.

  • On click I want to: The action to perform on click. Select Follow the URL here.

  • URL field: The name of the field containing the URL.

  • URL format: A custom format string to compose the URL, where @URL@ is replaced with the value of the field set in URL field.

URL format can be used to create a dynamic URL. The following image shows a configuration in which the value of the id field is used to define the path of a URL on example.org.

With this configuration, if the id field is set to 11 the resulting URL will be http://example.org/11.

image
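Because a Follow URL handler opens whatever the index field and the URL format produce, it is worth checking the indexed values before binding the handler. The following added example (not part of Siren Investigate) reproduces the @URL@ substitution described above and lists documents whose composed link is not a plain http or https URL; the sample documents, the allowed schemes and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

PLACEHOLDER = "@URL@"
ALLOWED_SCHEMES = ("http", "https")  # assumption: only web links should be clickable


def compose_url(url_format, field_value):
    """Apply the URL format: @URL@ is replaced with the value of the URL field."""
    return url_format.replace(PLACEHOLDER, str(field_value))


def url_problems(url_format, field_value):
    """Return the reasons why the composed URL should not be offered as a link."""
    raw = str(field_value)
    problems = []
    # Checked on the raw value, because URL parsers may strip these silently.
    if raw != raw.strip() or any(ord(ch) < 0x20 or ch == "\x7f" for ch in raw):
        problems.append("whitespace or control characters in field value")
    try:
        parts = urlsplit(compose_url(url_format, raw))
        host = parts.hostname
    except ValueError:
        return problems + ["URL cannot be parsed"]
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append("scheme %r is not allowed" % parts.scheme)
    if not host:
        problems.append("no host")
    return problems


def audit(docs, url_field, url_format=PLACEHOLDER):
    """Return (document id, composed URL, problems) for links that need review."""
    findings = []
    for doc in docs:
        value = doc.get(url_field)
        if value is None:
            continue  # no value, so no link is produced for this document
        problems = url_problems(url_format, value)
        if problems:
            findings.append((doc["id"], compose_url(url_format, value), problems))
    return findings


# Constructed sample documents; homepage_url, label and id are the fields used above.
SAMPLE_DOCS = [
    {"id": 11, "label": "Example Org", "homepage_url": "http://example.org/"},
    {"id": 12, "label": "No scheme", "homepage_url": "www.example.com/about"},
    {"id": 13, "label": "Script link", "homepage_url": "javascript:void(0)"},
    {"id": 14, "label": "Padded value", "homepage_url": " https://example.net/\n"},
]

if __name__ == "__main__":
    # Dynamic URL from the id field, as in the example.org configuration above.
    print(compose_url("http://example.org/@URL@", 11))
    # Raw URL taken from homepage_url, as in the first handler above.
    for doc_id, url, problems in audit(SAMPLE_DOCS, "homepage_url"):
        print(doc_id, repr(url), problems)
```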

Select an entity

Select the Select an entity action if you want to select an entity stored in an external datasource matching the selected Elasticsearch document; for more information about entity selection, see .

To configure an entity selection action you must set the following parameters:

  • Column: The name of the column to which the handler will be bound.

  • On click I want to: The action to perform on click. Select Select the document here.

  • Redirect to dashboard: If set, clicking the cell selects the entity and displays the specified dashboard.

Row filters

It is possible to create filters from table rows.

To enable the row filters, select the Enable row filters check box.

Then, select the rows from which you want to create filters and click Create Filter.

CSV/JSON Export

If you would like to export the documents matched by a query on an Elasticsearch index, press the 'Export' link at the bottom of the enhanced search results visualization.

This will display a dialog box with several options.

The basic options allow you to choose between CSV (Comma-separated values) and JSON export formats.

Clicking Export in the dialog will begin exporting all the documents matching a query on an Elasticsearch index in the format you have chosen.

For more control over what gets exported, click Additional settings to list some more advanced options.

By default, all fields of an index will be exported. To limit the export to a specific set of fields, click the arrow next to 'Fields'. This will display a list of all the fields in the index we’re exporting from. Simply select the checkbox next to the name of the fields you want to export.

The next option is to limit the number of documents to export. By default all documents matching a query on an Elasticsearch index will be exported, but this can be limited to a specific number by entering it in the 'Limit' input box.

When the 'Export' link at the bottom of the enhanced search results visualization is pressed, the time filter is frozen to the range of time as it is when the link is pressed. This can be refreshed by pressing the refresh icon.

Finally, when exporting as CSV, you have the option of applying field formatters to fields where they are defined. Simply press 'Yes' next to the 'Formatted' option.

Exporting Dashboard Visualizations

Dashboard visualizations can be exported as images or as a PDF document.

To take a snapshot of the dashboard as a PDF or to get a single visualization as an image, first click on the 'Export' button to display the export panel.

PDF snapshot or printing

Saving a PDF snapshot or printing is available from the export panel. Additional options are available, such as 'Include dashboard query in output' or 'Include non-graphic panels in output (e.g. tables, controls)' to include useful information when you want to create a PDF document and download it (Download as PDF) or open in a new window for printing (Print).

Note: Panels without results or panels opened in spy mode will not be included in the document.

PNG capture of visualization

To export a single visualization as an image, click on the camera button seen on dashboard visualizations (the button is available while the export panel is open).

The exported visualization will be saved as a PNG image.

Panels without results or panels opened in spy mode will not be available for capturing.

Avoiding issues with nginx

Some settings for nginx can interfere with the functionality of the export feature, namely the proxy_buffering directive.

To avoid any potential issues, we recommend disabling the proxy_buffering directive in your nginx configuration.

Example nginx configuration, where Siren Investigate is running behind the proxy on basePath = BASE_PATH:

location /BASE_PATH/export {
    proxy_buffering off;  # <---- Here is the important bit
    auth_basic                  "Restricted";
    auth_basic_user_file        /etc/nginx/passwords_enterprise;
    rewrite /kibi/(.*) /$1 break;
    proxy_pass http://127.0.0.1:15013/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    client_max_body_size 100M;
}

location /BASE_PATH {
    auth_basic                  "Restricted";
    auth_basic_user_file        /etc/nginx/passwords_enterprise;
    rewrite /kibi/(.*) /$1 break;
    proxy_pass http://127.0.0.1:15013/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    client_max_body_size 100M;
}

Multichart

This visualization displays multiple types of chart according to the current selection of multiple configurations.

Multichart is not a type of chart by itself. It can contain a set of other charts, such as a pie chart. It enables you to switch to other types of chart with the same aggregations.

Multi configurations

Visualize settings

New configuration

After changing the aggregation settings and setting the desired type of chart, you can click Add this configuration to save the configuration as a separate one.

Multichart enables you to show or hide certain features. To toggle visibility, click:

  • Show type selector: The button bar for the chart type selection.

  • Show dropdown menu: The box for the aggregation configuration selection.

  • Show menu navigation buttons: The navigation buttons around the box.

Input controls

When the priority is to immediately see the most important metadata fields and quickly cycle through values, input controls provide a useful alternative to multichart.

They enable you to quickly select the top values (with either single value, or multi-value “tags” mode) as well as value ranges.

Because input controls do not inherit the current dashboard filters, they will always list all possible values.

Analytic Table

For more information, see Y-axis aggregations.

The rows of the Analytic table are called buckets. You can define buckets to split the table into rows or to split the table into additional tables.

Each bucket type supports the following aggregations:

  • Date Histogram

  • Histogram

  • Range

  • Date Range

  • IPV4 Range

  • Terms

  • Filters

  • Significant Terms

  • Geohash

For more information, see X-axis aggregations.

After you have specified a bucket type aggregation, you can define sub-buckets to refine the visualization. Click + Add sub-buckets to define a sub-bucket, then choose Split Rows or Split Table, then select an aggregation from the list of types.

You can use the up or down arrows to the right of the aggregation’s type to change the aggregation’s priority.

You can customize your visualization. For more information, see Customizing aggregations.

Select the Options tab to change the following aspects of the table:

Per Page

This field controls the pagination of the table. The default value is ten rows per page.

Check boxes are available to toggle the following behaviors:

Show metrics for every bucket/level

Check this box to display the intermediate results for each bucket aggregation.

Show partial rows

Check this box to display a row even when there is no result.

Enabling these behaviors may have a substantial effect on performance.

Viewing detailed information

For information on displaying the raw data, see Visualization Spy.

Markdown Widget

The Markdown widget is a box that accepts Markdown text. Siren Investigate interprets the Markdown and displays the results on the dashboard. Click the Help link to go to the help page for GitHub style Markdown. Click Apply to display the rendered text in the Preview pane. Alternatively, click Discard to revert to a previous version.

Metric

A metric visualization displays a single number for each aggregation you select.

For more information, see Y-axis aggregations.

You can customize your visualization. For more information, see Customizing aggregations.

Click the Options tab to display the font size slider.

Viewing detailed information

For information on displaying the raw data, see Visualization Spy.

Goal and Gauge

A goal visualization displays how your metric progresses toward a fixed goal. A gauge visualization displays the predefined range in which your metric falls.

For more information, see Y-axis aggregations.

You can customize your visualization. For more information, see Customizing aggregations.

Click the Options tab to change the following options:

  • Gauge Type: Selects between arc, circle and metric display types.

  • Percentage Mode: Shows all values as percentages.

  • Vertical Split: Puts the gauges under each other instead of next to each other.

  • Show Labels: Shows or hides the labels.

  • Sub Text: Text for the label that appears below the value.

  • Auto Extend Range: Automatically grows the gauge if value is over its extents.

  • Ranges: You can add custom ranges. Each range is assigned a color. If a value falls within that range, it is assigned that color. A chart with a single range is called a goal chart. A chart with multiple ranges is called a gauge chart.

  • Color Options: Define how to color your ranges (which color schema to use). Color options are visible only if more than one range is defined.

  • Style - Show Scale: Shows or hides the scale.

  • Style - Color Labels: Whether the labels should have the same color as the range the value falls in.

Pie Chart

The slice size of a pie chart is determined by the metrics aggregation. The following aggregations are available for this axis:

  • Count

  • Sum

  • Unique Count

For more information, see Y-axis aggregations.

Enter a string in the Custom Label field to change the display label.

The buckets aggregations determine what information is being retrieved from your data set.

Before you choose a buckets aggregation, specify if you are splitting slices within a single chart or splitting into multiple charts. A multiple chart split must run before any other aggregations. When you split a chart, you can change if the splits are displayed in a row or a column by clicking the Rows | Columns selector.

You can specify any of the following bucket aggregations for your pie chart:

  • Date Histogram

  • Histogram

  • Range

  • Date Range

  • IPV4 Range

  • Terms

  • Filters

  • Significant Terms

For more information, see X-axis aggregations.

After defining an initial bucket aggregation, you can define sub-buckets to refine the visualization. Click + Add sub-buckets to define a sub-aggregation, then choose Split Slices to select a sub-bucket from the list of types.

When multiple aggregations are defined on a chart’s axis, you can use the up or down arrows to the right of the aggregation’s type to change the aggregation’s priority.

You can customize your visualization. For more information, see Customizing aggregations.

Select the Options tab to change the following aspects of the table:

Donut

Display the chart as a sliced ring instead of a sliced pie.

Show Tooltip

Check this box to enable the display of tooltips.

After changing options, click Apply changes to update your visualization, or Discard changes to keep your visualization in its current state.

Viewing detailed information

For information on displaying the raw data, see Visualization Spy.

Coordinate Map

A Coordinate Map visualization displays a geographic area overlaid with circles keyed to the data determined by the buckets you specify.

By default, Siren Investigate uses a demonstration Siren tilemap server Open Street Maps service to display map tiles. This server has limited features and you should update the tilemap settings to another tilemap provider that you have configured, especially in a production setting. To use other tile service providers, configure the tilemap settings in investigate.yml.

Configuration

Configuring external tilemap providers

You can use existing free or paid tilemap providers or build and serve your own tilemap tiles.

After you have set up your own tilemap provider, configure these settings in investigate.yml to have map visualizations render these tiles.

For example, to use an OpenStreetMap default provider, the configuration YAML settings would look like:

tilemap:
  url: 'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png'
  options:
    attribution: '&copy; [OpenStreetMap]("http://www.openstreetmap.org/copyright")'
    subdomains:
      - a

The Data Tab

Metrics

The default metrics aggregation for a coordinate map is the Count aggregation. You can select any of the following aggregations as the metrics aggregation:

  • Count

  • Average

  • Sum

  • Min

  • Max

  • Unique Count

For more information, see Y-axis aggregations.

Enter a string in the Custom Label field to change the display label.

Buckets

Coordinate maps use the geohash aggregation. Select a field, typically coordinates, from the box.

  • The Change precision on map zoom check box is selected by default. Clear the check box to switch off this behavior. The Precision slider determines the granularity of the results displayed on the map. See the documentation for the geohash grid aggregation for details on the area specified by each precision level.

Higher precision increases memory usage for the browser displaying Siren Investigate as well as for the underlying Elasticsearch cluster.

  • The place markers off grid (use geocentroid) box is checked by default. When this box is checked, the markers are placed in the center of all the documents in that bucket. When cleared, the markers are placed in the center of the geohash grid cell. Leaving this checked generally results in a more accurate visualization.

You can customize your visualization. For more information, see Customizing aggregations.

Options

Map type

Select one of the following options from the box.

Scaled Circle Markers

Scale the size of the markers based on the metric aggregation’s value.

Shaded Circle Markers

Displays the markers with different shades based on the metric aggregation’s value.

Shaded Geohash Grid

Displays the rectangular cells of the geohash grid instead of circular markers, with different shades based on the metric aggregation’s value.

Heatmap

A heat map applies blurring to the circle markers and applies shading based on the amount of overlap. Heatmaps have the following options:

  • Radius: Sets the size of the individual heatmap dots.

  • Blur: Sets the amount of blurring for the heatmap dots.

  • Maximum zoom: Tilemaps in Siren Investigate support 18 zoom levels. This slider defines the maximum zoom level at which the heatmap dots appear at full intensity.

  • Minimum opacity: Sets the opacity cutoff for the dots.

  • Show Tooltip: Check this box to have a tooltip with the values for a given dot when the cursor is on that dot.

Desaturate map tiles

Desaturates the map’s color to make the markers stand out more clearly.

WMS compliant map server

Check this box to enable the use of a third-party mapping service that complies with the Web Map Service (WMS) standard. Specify the following elements:

  • WMS url: The URL for the WMS map service.

  • WMS layers: A comma-separated list of the layers to use in this visualization. Each map server provides its own list of layers.

  • WMS version: The WMS version used by this map service.

  • WMS format: The image format used by this map service. The two most common formats are image/png and image/jpeg.

  • WMS attribution: An optional, user-defined string that identifies the map source. Maps display the attribution string in the lower right corner.

  • WMS styles: A comma-separated list of the styles to use in this visualization. Each map server provides its own styling options.

After changing options, click Apply changes to update your visualization, or Discard changes to keep your visualization in its current state.

If you need to display custom layers for the Coordinate Map visualization, a geospatial server may provide the solution. See Getting started with GeoServer.

Navigating the map

After your tilemap visualization is ready, you can explore the map in several ways:

  • Click and hold anywhere on the map and move the cursor to move the map center. Hold Shift and drag a bounding box across the map to zoom in on the selection.

  • Click Zoom In/Out to change the zoom level manually.

  • Click Fit Data Bounds to automatically crop the map boundaries to the geohash buckets that have at least one result.

  • Click Latitude/Longitude Filter, then drag a bounding box across the map, to create a filter for the box coordinates.

Viewing detailed information

For information on displaying the raw data, see Visualization Spy.

Enhanced Coordinate Map

The Enhanced Coordinate Map visualization (beta) displays a geographic area overlaid with circles keyed to the data determined by the buckets you specify.

By default, Siren Investigate displays map tiles from a demonstration Siren tilemap server (an Open Street Maps service). This server has limited features, and you should change the tilemap settings to point to a tilemap provider that you have configured, especially in a production setting. To use other tile service providers, configure the tilemap settings in investigate.yml.

Configuration

Configuring external tilemap providers

You can use existing free or paid tilemap providers or build and serve your own tilemap tiles.

After you have set up your own tilemap provider, configure these settings in investigate.yml to have map visualizations render these tiles.

For example, to use an OpenStreetMap default provider, the configuration YAML settings would look like:

tilemap:
  url: 'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png'
  options:
    attribution: '&copy; [OpenStreetMap]("http://www.openstreetmap.org/copyright")'
    subdomains:
      - a

The Data Tab

Metrics

The default metrics aggregation for a coordinate map is the Count aggregation. You can select any of the following aggregations as the metrics aggregation:

  • Count (total number of documents present in the aggregation)

  • Average

  • Sum

  • Min

  • Max

  • Unique Count (total number of unique values present in the specified field within the aggregation)

When you select any of the above aggregations except Count, a Field dropdown is displayed from which you can select a field that is valid for the selected aggregation.

For more information, see Y-axis aggregations.

Enter a string in the Custom Label field to change the display label.

Clicking Advanced opens a field where you can enter a viable JSON input that acts on the field selected for the metrics aggregation. For example, the following JSON multiplies the number of employees by 1,000:

{"script" : "doc['number_of_employees'].value * 1000"}

Buckets

Coordinate maps use the geohash aggregation. Select a field, typically coordinates, from the box.

  • The Change precision on map zoom check box is selected by default. Clear the check box to switch off this behavior. The Precision slider determines the granularity of the results displayed on the map. See the documentation for the geohash grid aggregation for details on the area specified by each precision level.

    Higher precision increases memory usage for the browser displaying Siren Investigate as well as for the underlying Elasticsearch cluster.

  • The Place markers off grid (use geocentroid) check box is selected by default. When this box is selected, the markers are placed in the center of all the documents in that bucket. When cleared, the markers are placed in the center of the geohash grid cell. Leaving this selected generally results in a more accurate visualization.

You can customize your visualization. For more information, see Customizing aggregations.

The Options Tab

Map Collar Scale

A scaling factor for selecting which documents to use for the aggregation. A setting of 1 will select documents within the map extent, 2 will select documents within 2 times the size of the map extent, while a value of 0.9 will scale the selection to be 0.9 times the size of the map extent. The purpose of this feature is to avoid excessive fetches to Elasticsearch or slower performance due to too many results being fetched.
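How the Precision slider and Map Collar Scale together drive the number of buckets requested, as an added example (not Siren Investigate code): it counts the geohash cells that overlap a map extent, which bounds the buckets a geohash aggregation over that extent can return. The sample extent and the bucket budget of 2,000 are constructed values, and the collar is assumed to scale width and height linearly about the map center.

```python
import math

# Constructed sample: a map extent aligned to geohash cell edges so the numbers are easy to follow.
# Order is (min_lon, min_lat, max_lon, max_lat), in degrees.
SAMPLE_EXTENT = (-11.25, 50.625, 0.0, 56.25)


def cell_size_degrees(precision):
    """Return (width, height) in degrees of one geohash cell at the given precision."""
    if not 1 <= precision <= 12:
        raise ValueError("geohash precision must be between 1 and 12")
    bits = 5 * precision          # every geohash character encodes 5 bits
    lon_bits = (bits + 1) // 2    # bits alternate, starting with longitude
    lat_bits = bits // 2
    return 360.0 / (1 << lon_bits), 180.0 / (1 << lat_bits)


def scale_extent(extent, collar_scale):
    """Scale an extent about its center (assumption: width and height scale linearly)."""
    if collar_scale <= 0:
        raise ValueError("collar scale must be positive")
    min_lon, min_lat, max_lon, max_lat = extent
    mid_lon, mid_lat = (min_lon + max_lon) / 2, (min_lat + max_lat) / 2
    half_w = (max_lon - min_lon) / 2 * collar_scale
    half_h = (max_lat - min_lat) / 2 * collar_scale
    # Clamp to valid coordinates so a large collar cannot leave the globe.
    return (max(mid_lon - half_w, -180.0), max(mid_lat - half_h, -90.0),
            min(mid_lon + half_w, 180.0), min(mid_lat + half_h, 90.0))


def cells_overlapping(extent, precision):
    """Count the geohash cells that overlap the extent at this precision."""
    width, height = cell_size_degrees(precision)
    min_lon, min_lat, max_lon, max_lat = extent
    cols = math.ceil((max_lon + 180.0) / width) - math.floor((min_lon + 180.0) / width)
    rows = math.ceil((max_lat + 90.0) / height) - math.floor((min_lat + 90.0) / height)
    return max(cols, 1) * max(rows, 1)


def highest_precision_within(extent, bucket_budget):
    """Return the finest precision whose cell count stays within the budget."""
    best = 1
    for precision in range(1, 13):
        if cells_overlapping(extent, precision) > bucket_budget:
            break
        best = precision
    return best


if __name__ == "__main__":
    for collar in (1.0, 2.0):
        extent = scale_extent(SAMPLE_EXTENT, collar)
        print(f"collar scale {collar}: extent {extent}")
        for precision in range(2, 8):
            print(f"  precision {precision}: up to {cells_overlapping(extent, precision):,} buckets")
        print("  finest precision within 2,000 buckets:",
              highest_precision_within(extent, 2000))
```

Each extra precision level multiplies the cell count by 32, and doubling the collar multiplies it by about four, so the two settings should be tuned together.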

Map type

Select one of the following options from the box.

  • Scaled Circle Markers - Scale the size of the markers based on the metric aggregation’s value.

  • Shaded Circle Markers - Displays the markers with different shades based on the metric aggregation’s value.

  • Shaded Geohash Grid - Displays the rectangular cells of the geohash grid instead of circular markers, with different shades based on the metric aggregation’s value.

  • Heatmap - A heat map applies blurring to the circle markers and applies shading based on the amount of overlap. Heatmaps have the following options:

    • Radius: Sets the size of the individual heatmap dots.

    • Blur: Sets the amount of blurring for the heatmap dots.

    • Maximum zoom: Tilemaps in Siren Investigate support 18 zoom levels. This slider defines the maximum zoom level at which the heatmap dots appear at full intensity.

    • Minimum opacity: Sets the opacity cutoff for the dots.

    • Show Tooltip: Check this box to have a tooltip with the values for a given dot when the cursor is on that dot.

Tooltip Formatter

Select from the following options:

  • Metric Value - A tooltip containing the coordinates and the metric value specified on the Data tab.

  • Visualization - The option to add a visualization as a tooltip. The contents of the visualization will be an aggregation based on the aggregation the tooltip is being applied to.

Close tooltip on mouseout

When the mouse hovers over an aggregation, a tooltip appears. When the mouse is moved away from the aggregation, the tooltip disappears if this box is ticked; it remains if the box is unticked.

Legend Scale

Configuration settings for how the aggregation is displayed on the legend:

  • Dynamic - Linear - Each class in the legend has the same size (e.g. values from 0 to 16 and 4 classes, each class has a size of 4)

  • Dynamic - Uneven - Each class will have the same number of documents inside, useful when data is unevenly distributed between the maximum and minimum ranges

  • Static - Manual specification of colors, values and number of classes for the legend scale

Scroll Wheel Zoom

When ticked, you can use the mouse scroll wheel to change the map zoom level. (+ and - change the zoom level regardless of this setting.)

Desaturate map tiles

Desaturates the map’s color to make the markers stand out more clearly.

Synchronize map

Synchronize the map canvas of this visualization with all other visualizations present on a dashboard that also have this option selected.

Auto-fit map to data

Automatically zooms to include all aggregations when filters are altered, including the time filter. Disabled when panning or zooming.

WMS compliant map server

Check this box to enable the use of a third-party mapping service that complies with the Web Map Service (WMS) standard. Specify the following elements:

  • WMS url: The URL for the WMS map service.

  • WMS layers: A comma-separated list of the layers to use in this visualization. Each map server provides its own list of layers.

  • WMS version: The WMS version used by this map service.

  • WMS format: The image format used by this map service. The two most common formats are image/png and image/jpeg.

  • WMS attribution: An optional, user-defined string that identifies the map source. Maps display the attribution string in the lower right corner.

  • WMS styles: A comma-separated list of the styles to use in this visualization. Each map server provides its own styling options.

If you need to display custom layers for the Region Map visualization, a geospatial server may provide the solution. See Getting started with GeoServer.

Point of Interest layers

Add any Elasticsearch index with a geo_point or geo_shape field as markers or polygons:

  • Geo_point type POI layers can be viewed and can include popups activated and deactivated on mouseover and mouseout.

  • Geo_shape type POI layers are suitable for viewing, popups and creating geo-filters which are applied to aggregations, other POI layers and other visualizations when on the dashboards (see Apply filters below).

    To render a geo_shape field on the map, the index must also have a field of type geo_point.

Configuration options for POI layers:

  • Saved Search - Select any Elasticsearch index from the dropdown menu. Note: the index needs a geo point field.

  • Geospatial Field - Select a geo point field within the Saved Search.

  • Styling

    • For geo_point - Set the size of the marker to appear for each document

    • For geo_shape - Set color in Hex value form

  • Popup Content - Select the fields to appear in the popup tooltip

  • Limit - The number of markers that are allowed to appear for this Point of Interest layer. The default is 100

  • Apply Filters - Whether or not to include filters from Selection tools or geo_shape type POI layers, a different visualization on the same Dashboard or filters from other Dashboards applied through relational Navigator

Drag and drop POI Layers

You can also create a POI Layer when in Dashboard view. Simply drag and drop a dashboard that has a main search with a geo_point field. If the main search has multiple spatial fields, a modal will appear prompting you to select one.

The filters from the other dashboard will be applied and can be viewed by hovering over the filter icon in the layer control. Drag and drop layers will not be saved and can be removed at any point by clicking the remove layer button in the layer control.


Configuration options for the use of a third-party mapping service that complies with the Web Map Service standard. Multiple layers (or layer groups) can be loaded. Many third party mapping services are available, and some of these are described in Getting started with GeoServer.

  • Layer Name - A customizable label to appear in the map’s layer view

  • Url - The URL for the WMS map service

  • WMS Layers - This is where layers (or layer groups) can be specified from a WMS server. There are two options:

    • If you have added a URL to a CORS-enabled WMS server - Investigate will internally run a WMS getCapabilities request and will populate a list of layers that can be added by clicking ①. These can be ordered, by clicking and dragging ② as below. The layer at the top of the list is drawn furthest in the background.

      image
    • If your URL is not a CORS-enabled WMS server - The UI will remain the same. You can order your layers, separated by a comma. The first layer you specify will be drawn the furthest in the background.

      image

      You can still see the available layers for the WMS by running a getCapabilities request. Below is an example from a local instance of Geoserver:

      http://localhost:8080/geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities

  • CQL Filter - Allows you to query your spatial layers as parameters in WMS requests

  • Min Zoom Level - The minimum zoom level at which the WMS request will be visible

  • Max Features - The maximum number of features, up to a maximum of 10,000, to be rendered per tile from the specified layer(s). Note - Max features can be configured in the WMS, which overrides this setting

  • Styles - A comma-separated list of the styles for your layer. If you have access to the WMS server, you can assign defaults for these and it is possible for this field to be left blank. Otherwise, each map server provides its own styling options

  • Output Format - The image format to be returned by the WMS. The two most common formats are image/png and image/jpeg. Default is image/png

  • Non Tiled - The option to send the WMS request as one complete image to fit the map extent, or to send it in multiple tiles

  • Visible On Load - Check this option to draw the layer when the visualization is loaded. Note - this will be overridden if a user saves their dashboard state

  • Elasticsearch WMS Options - Configuration options for WMS request

    • Aggregation - Allows for the customization of geohash request from WMS using elasticgeo. Example of aggregation WMS request using the company index in Siren’s classic demo (“location” has a Geo_Point field type): { "agg": { "geohash_grid": { "field": "location" } } }

    • Sync Filters - When ticked, the WMS response includes the filters made using Selection tools, visualizations in the same dashboard and visualizations from other dashboards.

WFS layers allow point and polygon (including multipolygon) types to be rendered onto the Enhanced Coordinate Map. Polygons can be clicked on to create geo filters. See the WMS layer options above for a description of the Layer Name, Url and WFS Layers fields. For details on setting up a WFS server, see the Getting started with GeoServer guide. Additional fields specific to editing WFS layers:

  • Styling - Set color in Hex value form and specify the size of the marker to display on map

  • Output Format - The JSON format your spatial server is capable of responding with. This is geoJSON for ArcGIS Server, and json for GeoServer

  • Popup Content - Create a comma separated list of fields (in the properties object of your geoJSON features) to appear on popup tooltip. Note, this is case-sensitive. For example City_name,Pop_est would add the city name and estimated population fields to each feature added to the map

After changing options, click Apply changes to update your visualization, or Discard changes to keep your visualization in its current state.

Navigating the map

After your tilemap visualization is ready, you can explore the map in several ways using various tools:

Panning the map

  • Click and drag anywhere on the map to move the map center

  • Hold Shift and drag a bounding box across the map to zoom in on a desired extent

  • Viewing extent

    • Click Zoom In/Out to change the zoom level manually.

    • Click Fit Data Bounds to automatically crop the map boundaries to the geohash buckets that have at least one result.

  • Click Set View Location to manually specify:

    • Whether latitude and longitude are in decimal degrees (dd) or degrees/minutes/seconds (dms) ①

    • The latitude ② and longitude ③ of the centroid of the canvas you would like to display

    • The desired level of zoom ④

    • Whether changes are applied ⑤ or cancelled ⑥

image

Selection tools - used to create geo filters

  • Click Draw a Polygon, then

    • Click on the map canvas and add vertices; if you add a vertex that you don’t want, click the Delete last point option on the menu that opens to the right when you click the Draw a Polygon tool.

    • When complete, either click on the first vertex or double click and the polygon will autocomplete. Elasticsearch documents within the drawn polygon will be filtered.

  • Click Latitude/Longitude Filter, then drag a bounding box across the map, to create a filter for the box coordinates. Elasticsearch documents within the drawn polygon will be filtered.

  • Click Draw a Circle, then drag a circle and release to select documents. Elasticsearch documents within the drawn polygon will be filtered.

For all selection tools, a geo filter is created. This will appear above the map canvas:

image

Multiple geo filters

If exactly one geo filter (i.e. a pill similar to the above image) exists, and you create another geo filter for the same map visualization, you will be prompted by the modal below:

  • Overwrite existing filter - Replaces the existing geo filter with the new one you have created

  • Create new filter - Creates a new filter and keeps the existing one; use this option to create an AND

  • Combine with existing filters - Merges the new filter with the existing one; use this option to create an OR

Note - You can cancel filter creation from this modal by clicking the X in the top right.

image

Marking tools

  • Click Draw a Marker, and select any point on the map to place a marker. You can add multiple markers.

  • After adding at least one marker, the Delete Marker(s) option becomes available

    • Point and click to delete individual markers

    • Remove all of them by clicking Clear All

Viewing detailed information

For information on displaying the raw data, see Visualization Spy.

Region Map

Region maps are choropleth maps in which vector polygons are colored using a gradient. Higher-intensity colors indicate larger values, and lower-intensity colors indicate smaller values.

Configuration

To create a region map, you configure an inner join that joins the result of an Elasticsearch terms aggregation and a reference vector file based on a shared key.

You can add your own custom polygon vector layers by using the regionmap setting in the investigate.yml file. Then, after restarting Siren Investigate, you configure the inner join between your Elasticsearch index and your polygon vector layer.

If you need to display custom layers for the Region Map visualization, a geospatial server may provide the solution. See Getting started with GeoServer.

The Data Tab

Metric values

To specify the metric type that will be used for the choropleth, select any of the supported Metric or Sibling Pipeline Aggregations.

  • Aggregation - A variety of techniques can be used to summarize or aggregate your Date, String, Numerical or Geo data:

    • Metric values:

      • Count - The count aggregation returns a raw count of the elements in the selected index pattern.

      • Average - This aggregation returns the average of a numeric field. Select a field from the drop-down menu.

      • Sum - The sum aggregation returns the total sum of a numeric field. Select a field from the drop-down menu.

      • Min - The min aggregation returns the minimum value of a numeric field. Select a field from the drop-down menu.

      • Max - The max aggregation returns the maximum value of a numeric field. Select a field from the drop-down menu.

      • Unique Count - The cardinality aggregation returns the number of unique values in a field. Select a field from the drop-down menu.

      • Standard Deviation - The extended stats aggregation returns the standard deviation of data in a numeric field. Select a field from the drop-down menu.

      • Top Hit - The top hits aggregation returns one or more of the top values from a specific field in your documents. Select a field from the drop-down menu, how you want to sort the documents, and choose the top fields and how many values should be returned.

    • Sibling Pipeline Aggregations - You must provide a metric for which to calculate the sibling aggregation. You also need to provide a bucket aggregation, which will define the buckets on which the sibling aggregation will run.

      • Average Bucket - The avg bucket calculates the (mean) average value of a specified metric in a sibling aggregation.

      • Sum Bucket - The sum bucket calculates the sum of values of a specified metric in a sibling aggregation.

      • Min Bucket - The min bucket calculates the minimum value of a specified metric in a sibling aggregation.

      • Max Bucket - The max bucket calculates the maximum value of a specified metric in a sibling aggregation.

    • Custom label - The user-specified label that will be used in the tooltip.

  • Advanced mapping features

  • JSON Input - A text field where you can add specific JSON-formatted properties to merge with the aggregation definition. Below is a viable JSON input for the companies index in metrics on the data tab. Note: Count cannot be included as it is not an aggregation.

    {"script" : "doc['number_of_employees'].value * 1000"}

The entire request, including the Advanced settings, can be viewed by selecting the upward arrow icon in the bottom-left of the map canvas and selecting Request from the dropdown menu.

Buckets

The Shape field is where the parameters of the join between the polygon vector map and the Elasticsearch index are specified.

  • Aggregation - Specify the Terms aggregation. The term is the key that is used to join the results to the vector data on the map.

  • Field - Specify the Elasticsearch document field to be used for joining to the polygon vector layer.

  • Order By - The field or metric to order the Elasticsearch query by.

  • Order - Specify whether to sort the Order By field in ascending or descending order.

  • Size - Specify the number of polygons that should be rendered on the map. This is inclusive of the Group other values in separate bucket and Show for missing values options below.

  • Group other values in separate bucket - An option to represent documents not displayed in the choropleth. These may not be displayed due to the Size specification.

    • Label for other bucket - If you would like the other values to appear on the map, specify a valid Field value that isn’t already displayed on the choropleth.

  • Show for missing values - The option to show documents missing a value for the specified Field.

    • Label for missing values - If you would like the other values to appear on the map, specify a valid Field value that isn’t already displayed on the choropleth.

Advanced mapping features

You can use the Exclude and Include fields to specify the features of the Region map layer to exclude or include in the resulting choropleth.

Both fields use Regular Expression Format syntax. For example, using World Countries (one of Siren’s default layers, which can be selected in the Options tab), joined on companies country code, GBR in the include field would just display Great Britain on the resulting choropleth. Similarly, USA|CAN in the exclude field would remove USA and Canada from the resulting choropleth.

JSON input - You have the option to add or edit the attributes of the Terms field of the Elasticsearch request body. For example, to specify the minimum number of documents for the aggregation to be displayed on the choropleth, you could enter the following syntax:

{ "min_doc_count": 60 }

The entire request, including the advanced settings, can be viewed by selecting the upward arrow icon in the bottom left of the map canvas and selecting request from the drop-down menu.

Options

Layer settings

  • Vector map: select from a list of vector maps. This list includes the maps that are hosted by the © Elastic Maps Service, as well as your self-hosted layers that are configured in the config/kibana.yml file. To learn more about how to configure Kibana to make self-hosted layers available, see the regionmap settings documentation.

  • Join field: this is the property from the selected vector map that will be used to join on the terms in your terms-aggregation. When terms cannot be joined to any of the shapes in the vector layer because there is no exact match in the vector layer, Kibana will display a warning. To turn off these warnings, go to Management/Kibana/Advanced Settings and set visualization:regionmap:showWarnings to false.
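The join described in this section, including the Include and Exclude patterns, the JSON input merge and the terms that cannot be joined to a shape, as an added example rather than Siren Investigate code. The field name countrycode, the iso3 join property and all sample data are constructed; the JSON input is assumed to be merged shallowly, and Python's re module stands in for Elasticsearch's regular-expression syntax, which agrees for these simple patterns.

```python
import json
import re
from collections import Counter

# Constructed sample data: one country code per document, and a tiny vector layer.
SAMPLE_CODES = ["USA"] * 5 + ["GBR"] * 3 + ["CAN"] * 2 + ["XKX"] * 2 + ["IRL"]
SAMPLE_LAYER = [{"properties": {"iso3": code}}
                for code in ("USA", "GBR", "CAN", "IRL", "FRA")]


def terms_aggregation(field, size, include=None, exclude=None, json_input=None):
    """Build the terms aggregation body, merging the JSON input text last."""
    body = {"field": field, "size": size, "order": {"_count": "desc"}}
    if include:
        body["include"] = include
    if exclude:
        body["exclude"] = exclude
    if json_input:
        extra = json.loads(json_input)      # raises ValueError on malformed JSON
        if not isinstance(extra, dict):
            raise ValueError("JSON input must be a JSON object")
        body.update(extra)                  # assumption: a shallow merge
    return {"terms": body}


def run_terms(values, aggregation):
    """Evaluate the aggregation over in-memory values and return (term, count) buckets."""
    body = aggregation["terms"]
    include = re.compile(body["include"]) if "include" in body else None
    exclude = re.compile(body["exclude"]) if "exclude" in body else None
    counts = Counter()
    for value in values:
        # Elasticsearch patterns are anchored: they must match the whole term.
        if include is not None and not include.fullmatch(value):
            continue
        if exclude is not None and exclude.fullmatch(value):
            continue
        counts[value] += 1
    minimum = body.get("min_doc_count", 1)
    ranked = sorted((item for item in counts.items() if item[1] >= minimum),
                    key=lambda item: (-item[1], item[0]))
    return ranked[:body["size"]]


def join_to_layer(buckets, features, join_field):
    """Inner-join buckets to layer features; also report terms with no matching shape."""
    keys = {feature["properties"][join_field] for feature in features}
    joined = {term: count for term, count in buckets if term in keys}
    unmatched = [term for term, _ in buckets if term not in keys]
    return joined, unmatched


if __name__ == "__main__":
    agg = terms_aggregation("countrycode", 5, exclude="USA|CAN",
                            json_input='{ "min_doc_count": 2 }')
    print(json.dumps(agg))
    buckets = run_terms(SAMPLE_CODES, agg)
    joined, unmatched = join_to_layer(buckets, SAMPLE_LAYER, "iso3")
    print("colored shapes:", joined)
    print("terms with no shape (would trigger a warning):", unmatched)
    # A partial pattern matches nothing because the match is anchored.
    print("include 'GB':", run_terms(SAMPLE_CODES, terms_aggregation("countrycode", 5, include="GB")))
```

Shapes present in the layer but absent from the buckets (FRA here) stay uncolored, because the join is an inner join.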

Style settings

  • Color Schema: the color range that is used to color the polygons.

Basic settings

  • Legend Position: the location on the screen where the legend will be rendered.

  • Show Tooltip: indicates whether a tool tip should be displayed when hovering over a shape.

Time Series Visual Builder

Experimental feature

Time Series Visual Builder is a time series data visualizer with an emphasis on enabling you to use the full power of the Elasticsearch aggregation framework. Time Series Visual Builder enables you to combine an infinite number of aggregations and pipeline aggregations to display complex data meaningfully.

Time Series Visual Builder Interface.

Featured visualizations

Time Series Visual Builder comes with five different visualization types. You can switch between each visualization type using the tabbed picker at the top of the interface.

Time Series

A histogram visualization that supports area, line, bar, and steps along with multiple y-axes. You can fully customize the colors, points, line thickness and fill opacity. This visualization also supports time shifting to compare two time periods, and annotations which can be loaded from a separate index based on a query.

Time Series Visualization

Metric

A visualization for displaying the latest number in a series. This visualization supports two metrics; a primary metric and a secondary metric. The labels and backgrounds can be fully customized based on a set of rules.

Metric Visualization

Top N

This is a horizontal bar chart where the y-axis is based on a series of metrics and the x-axis is the latest value in those series, sorted in descending order. The color of the bars is fully customizable based on a set of rules.

Top N Visualization

Gauge

This is a single value gauge visualization based on the latest value in a series. The face of the gauge can either be a half-circle gauge or full-circle. You can customize the thicknesses of the inner and outer lines to achieve a desired design aesthetic. The color of the gauge and the text are fully customizable based on a set of rules.

Gauge Visualization

Markdown

This visualization enables you to enter Markdown text and embed Mustache template syntax to customize the Markdown with data based on a set of series. This visualization also supports HTML markup along with the ability to define a custom style sheet.

Markdown Visualization

Interface Overview

The user interface for each visualization is composed of a "Data" tab and "Panel Options". The only exceptions are the Time Series and Markdown visualizations; the Time Series has a third tab for annotations and the Markdown has a third tab for the editor.

Data Tab

The data tab is used for configuring the series for each visualization. This tab enables you to add multiple series, depending on what the visualization supports, with multiple aggregations composed together to create a single metric. Here is a breakdown of the significant components of the data tab UI.

Series label and color

Each series supports a label which will be used for legends and titles depending on which visualization type is selected. For series that are grouped by a term, you can specify a mustache variable of {{key}} to substitute the term. For most visualizations you can also choose a color by clicking the swatch, which displays the color picker.

Label Example

Metrics

Each series supports multiple metrics (aggregations); the last metric (aggregation) is the value that will be displayed for the series, this is indicated with the "eye" icon to the left of the metric. Metrics can be composed using pipeline aggregations. A common use case is to create a metric with a "max" aggregation then create a "derivative" metric and choose the previous "max" metric as the source; this will create a rate.

Derivative Example

Series options

Each series also supports a set of options which depend on the type of visualization you have selected. Across all visualization types, you can configure:

  • Data format

  • Time range offset

  • Index pattern, timestamp, and interval override

Default series options

For the Time Series visualization you can also configure:

  • Chart type

  • Options for each chart type

  • Legend Visibility

  • Y-Axis options

  • Split color theme

Time series options

Group by controls

At the bottom of the metrics there is a set of "Group By" controls that enables you to specify how the series should be grouped or split. There are four choices:

  • Everything

  • Filter (single)

  • Filters (multiple with configurable colors)

  • Terms

By default, the series is grouped by everything.

Panel options

The panel options tab is used for configuring the entire panel; the set of options available is dependent on which visualization you have selected. The following is a list of the options available per visualization:

Time Series

  • Index pattern, timestamp, and Interval.

  • Y-Axis min and max.

  • Y-Axis position.

  • Background color.

  • Legend visibility.

  • Legend position.

  • Panel filter.

Metric

  • Index pattern, timestamp, and interval.

  • Panel filter.

  • Color rules for background and primary value.

Top N

  • Index pattern, timestamp, and interval.

  • Panel filter.

  • Background color.

  • Item URL.

  • Color rules for bar colors.

Gauge

  • Index pattern, timestamp, and interval.

  • Panel filter.

  • Background color.

  • Gauge max.

  • Gauge style.

  • Inner gauge color.

  • Inner gauge width.

  • Gauge line width.

  • Color rules for gauge line.

Markdown

  • Index pattern, timestamp, and interval.

  • Panel filter.

  • Background color.

  • Scroll bar visibility.

  • Vertical alignment of content.

  • Custom Panel CSS with support for Less syntax.

Annotations

The annotations tab is used for adding annotation datasources to the Time Series Visualization. You can configure the following options:

  • Index pattern and time field.

  • Annotation color.

  • Annotation icon.

  • Fields to include in message.

  • Format of message.

  • Filtering options at the panel and global level.

Annotation tab

Markdown Tab

The markdown tab is used for editing the source for the Markdown visualization. The user interface has an editor on the left side and the available variables from the data tab on the right side. You can click the variable names to insert the mustache template variable into the markdown at the cursor position. The mustache syntax uses the Handlebars.js processor, which is an extended version of the Mustache template language.

Markdown tab

Tag Cloud

A tag cloud visualization is a visual representation of text data, typically used to visualize free form text. Tags are usually single words, and the importance of each tag is shown with font size or color.

The font size for each word is determined by the metrics aggregation.

For more information, see Y-axis aggregations.

The buckets aggregations determine what information is being retrieved from your data set.

Before you choose a buckets aggregation, select the Split Tags option.

You can specify the following bucket aggregations for tag cloud visualization:

Terms

A terms aggregation enables you to specify the top or bottom n elements of a given field to display, ordered by count or a custom metric.

You can customize your visualization. For more information, see Customizing aggregations.

Select the Options tab to change the following aspects of the chart:

Text Scale

You can select linear, log, or square root scales for the text scale. You can use a log scale to display data that varies exponentially or a square root scale to regularize the display of highly variable data sets.

Orientation

You can select how to orientate your text in the tag cloud. You can choose one of the following options: Single, right angles and multiple.

Font Size

Enables you to set minimum and maximum font size to use for this visualization.

Viewing detailed information

For information on displaying the raw data, see Visualization Spy.

Topic Clustering

Experimental feature

The Topic Clustering visualization performs significance and clustering analysis on full-text fields. While similar to the Tag Cloud visualization, Topic Clustering highlights significant terms (topics) whose frequency in documents increases when current filters and search queries are applied.

The Topic Clustering panel is divided into separate cells, each representing a term. Cell size represents the number of documents it matches, while its color represents its relevance to current queries/filters.

The visualization can also cluster together mutually significant terms, forming groups that denote 'areas of interest' of the text corpus (large set of structured texts).

Interaction

You can interact with Topic Clustering using mouse or touch:

  • Pan the view by click-and-drag/tap-and-drag

  • Zoom in or out using the mouse wheel/pinch-zoom gestures

  • Zoom out to initial view and close all cells with the ESC key

  • Open a cell with a double-click/tap

  • Close a cell by double-clicking its header

Expanding and collapsing cells

Double-click/tap a cell to open it; this loads its significant sub-terms and displays them recursively. It also puts the cell term in a white header at the top of the cell.

Once loaded, cells are automatically opened and closed depending on your current level of zoom. However, you can still open a cell explicitly by double-clicking on it. Conversely, you can close it by double-clicking on the white cell header.

Loaded cells open/close automatically as you zoom in/out.

Tooltip

Hovering over a cell displays details such as the number of documents it represents and its relevance/significance score:

Tooltip legend

  1. Path: Hierarchical position of the cell

  2. Relevance Score: The term’s relevance/significance score with respect to current search query, along with filters and ancestor cells

  3. Size (total): Matching documents compared to all searched/filtered documents

  4. Size (parent): Matching documents compared to those in the parent cell

  5. Parent Coverage: Union of all documents matched by this and sibling cells compared to those in the parent cell.

    You can apply either a found term or a full cluster as filters, by clicking on the associated buttons on the tooltip. This is useful to foreground an interesting area of the corpus that has been identified.

  6. Filter cluster: Click to apply a dashboard filter matching any of the cluster terms.

  7. Filter term: Click to apply a dashboard filter for the cell term only

Live Filter

Clicking a cell selects it. In a dashboard, this automatically applies a live filter matching the cell’s term to other visualizations in that dashboard.

The live filter does not apply to the visualization itself, or other Topic Clusterings in the same dashboard, which retain their UI state.

For example, you can pair a Topic Clustering with a Record Table next to it. Selecting a cell updates the table and displays associated document samples.

Setting up the visualization

Data Tab

The only required input is the text field to operate on, which must be set before the visualization can render.

If you can’t see the field you want, check the Management > Data Model page to make sure that it’s aggregatable. You can make a text field aggregatable by enabling the fielddata mapping property for the field, as explained in the Elasticsearch documentation. Remember to refresh the Fields list in the Data Model page to reflect the changes.

Terms extraction can work in Plain mode or Clustering mode:

  • In Plain mode, no clustering is performed, and only a flat selection of the most significant terms is displayed.

  • In Clustering mode, significant topics are put in clusters based on their mutual significance. This mode can trade off some high-significance plain terms in favor of filling up the clusters.

You can select a different extraction mode when retrieving terms at the initial (root topics) level, and when expanding cells (sub-topics) with a double-click/tap.

Changing the Chart Type option to Square renders the visualization as a more traditional square treemap.

The following parameters control terms generation:

  • Target Topics Count: The desired number of terms to calculate and display.

  • Ignore Large Topics: Specifies the relative size (as a percentage) above which terms are ignored, as they can be considered trivial.

  • Maximum Clusters Size: The maximum number of terms a cluster can have.

  • Per-shard documents (thousands): Restricts document analysis to the specified number of documents, per shard, chosen among the best matching for current search query and filters. Can be used to discard analysis of the worst-matching documents to gain a speed boost.

Stop-Words Tab

Text field values often contain undesirable or irrelevant terms that should be filtered out; these are called stop-words.

Stop-words are best applied at index-time using the appropriate Elasticsearch analyzers support. Check the Elasticsearch stop-words documentation for further details. However, some undesirable words will inevitably slip past the indexing phase. Some words may also be undesirable only in the context of a particular visualization.

You can provide an additional list of stop-words to be filtered by the visualization itself. The list is configured as separate lines in the Stop Words tab; each line is a separate stop-word.

Regular expressions are supported as stop-words, which can be useful to, say, remove all numbers. However, using regular expression stop-words incurs a performance penalty. A single regular expression is enough to incur it, because it forces all stop-words to be combined into one regular expression, separated by | (pipe) alternations.
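Why one regular-expression stop-word changes the whole request, as an added example that is not Siren Investigate's own code: Elasticsearch's terms and significant terms aggregations take an exclude parameter that is either a list of exact terms or a single regular expression, so mixing the two turns every stop-word into a branch of one pattern. That the visualization uses exclude, the function names, the field name and the sample stop-words are assumptions; plain words and patterns are passed separately because the page does not say how the two are told apart.

```javascript
// Added illustration (not Siren Investigate code): building the `exclude`
// parameter of an Elasticsearch significant_terms aggregation from a
// stop-word list. Function names and sample values are constructed.

// Characters with a special meaning in Lucene regular expressions. A plain
// stop-word must have them escaped before it is placed inside a pattern.
const LUCENE_RESERVED = /[.?+*|{}[\]()"\\#@&<>~]/g;

function escapeLucene(word) {
  return word.replace(LUCENE_RESERVED, '\\$&');
}

// Returns an array (cheap exact matching) when no pattern is present,
// otherwise ONE regular-expression string with every stop-word as a branch.
function buildExclude(plainWords, regexPatterns) {
  const words = plainWords.map((w) => w.trim()).filter(Boolean);
  const patterns = regexPatterns.map((p) => p.trim()).filter(Boolean);
  if (patterns.length === 0) {
    return words;
  }
  const branches = [
    ...words.map(escapeLucene),
    // Parenthesise each pattern so a | inside it stays local to that branch.
    ...patterns.map((p) => `(${p})`),
  ];
  return branches.join('|');
}

// Aggregation body for the given text field (field name is hypothetical).
function significantTermsAgg(field, plainWords, regexPatterns) {
  const params = { field };
  const exclude = buildExclude(plainWords, regexPatterns);
  if (exclude.length > 0) {
    params.exclude = exclude;
  }
  return { significant_terms: params };
}

// Lucene patterns always match the whole term. This emulates that anchoring
// in JavaScript for the simple patterns used in this example.
function isExcluded(exclude, term) {
  if (Array.isArray(exclude)) {
    return exclude.includes(term);
  }
  return new RegExp(`^(?:${exclude})$`).test(term);
}

// Constructed stop-word lists.
const plain = ['the', 'and', 'c++'];
console.log(JSON.stringify(significantTermsAgg('body', plain, [])));
console.log(JSON.stringify(significantTermsAgg('body', plain, ['[0-9]+'])));
```
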

Appearance Tab

Cell colors are associated with the relevance/significance score calculated for each term, while cell size relates to the number of documents it matches.

You can change the colors displayed by adjusting two colors representing the extremes of the color palette.

It is good practice to set the Low Relevance color to a low saturation (paler) value of the selected color, and set the High Relevance color to a high saturation (more intense) value of the same color.

You can also fine-tune some of the aspects of the rendered chart using the following options.

  • Cell Gradients: controls the rendering mode of cell backgrounds. When enabled, cells will be rendered with a nice-looking smooth-colored gradient. You can disable this option to render cells using a flat color, which is faster and arguably less distracting.

  • Colored Cell Headers: controls coloring of cell headers. When enabled, opened cell headers will be rendered with a smooth gradient based on the opened cell’s relevance score. When disabled, the header will be rendered with a flat white color, to separate it from child cells.

  • Coverage information: enables/disables the Parent Coverage section from the tooltip.

Limitations

String Analysis

The Topic Clustering visualization only applies to the Elasticsearch text datatype, which undergoes string analysis transformations like tokenization and stemming at data ingest.

This means that it is not applicable to fields found in JDBC backends, which do not support string analysis out of the box.

Fielddata

As with Tag Cloud, fielddata support must be enabled on a text field for Topic Clustering to work.

Enabling fielddata can result in high memory usage on the Elasticsearch cluster, so refer to the official Elasticsearch guide for more information on enabling fielddata appropriately.

Additional Notes

Without a search query or filter, it is not possible to establish a foreground/background set pair, so there is nothing to define significance against.

In these cases, the visualization adopts alternative relevance score functions:

  • In Plain terms mode, each term is scored according to its matching documents count normalized by the total documents count. This is like selecting the largest terms in the field.

  • In Clustered terms mode, each term is scored according to an average of its own significant subterms (the significant terms found when it is used as a filter).

Heatmap chart

A heat map is a graphical representation of data where the individual values contained in a matrix are represented as colors. The color for each matrix position is determined by the metrics aggregation.

For more information, see Y-axis aggregations.

The buckets aggregations determine what information is being retrieved from your data set.

Before you choose a buckets aggregation, specify if you are defining buckets for X or Y axis within a single chart or splitting into multiple charts. A multiple chart split must run before any other aggregations. When you split a chart, you can change whether the splits are displayed in a row or a column by clicking the Rows | Columns selector.

This chart’s X and Y axes support the following aggregations:

  • Date Histogram

  • Histogram

  • Range

  • Date Range

  • IPv4 Range

  • Terms

  • Filters

  • Significant Terms

For more information, see X-axis aggregations.

You can customize your visualization. For more information, see Customizing aggregations.

Select the Options tab to change the following aspects of the chart:

Show Tooltips

Check this box to enable the display of tooltips.

Highlight

Check this box to enable highlighting of elements with the same label.

Legend Position

You can select where to display the legend (top, left, right, bottom).

Color Schema

You can select an existing color schema or go for custom and define your own colors in the legend.

Reverse Color Schema

Selecting this check box will reverse the color schema.

Color Scale

You can switch between linear, log and square root scales for color scale.

Scale to Data Bounds

The default Y axis bounds are zero and the maximum value returned by the data. Select this check box to change both upper and lower bounds to match the values returned by the data.

Number of Colors

Number of color buckets to create (2 to 10).

Percentage Mode

Enabling this will show legend values as percentages.

Custom Range

You can define custom ranges for your color buckets. For each color bucket, you need to specify the minimum value (inclusive) and the maximum value (exclusive) of a range.

Show Label

Enables showing labels with cell values in each cell.

Rotate

Allows rotating the cell value label by 90 degrees.

Viewing detailed information

For information on displaying the raw data, see Visualization Spy.

You can click the map icon to pivot from individual entity mode to aggregate heatmap.

Line, Area, and Bar charts

Line, Area, and Bar charts enable you to plot your data on the X/Y axis.

First, select the metrics that define the value axis.

For more information, see Y-axis aggregations.

The buckets aggregations determine what information is being retrieved from your data set.

Before you choose a buckets aggregation, specify if you are splitting slices within a single chart or splitting into multiple charts. A multiple chart split must run before any other aggregations. When you split a chart, you can change whether the splits are displayed in a row or a column by clicking the Rows | Columns selector.

The X axis of this chart is the buckets axis. You can define buckets for the X axis, for a split area on the chart, or for split charts.

This chart’s x-axis supports the following aggregations.

  • Date Histogram

  • Histogram

  • Range

  • Date Range

  • IPv4 Range

  • Terms

  • Filters

  • Significant Terms

  • External Query Terms Filter

For more information, see X-axis aggregations.

After you have specified an X axis aggregation, you can define sub-aggregations to refine the visualization. Click + Add Sub Aggregation to define a sub-aggregation, then choose Split Area or Split Chart, then select a sub-aggregation from the list of types.

When multiple aggregations are defined on a chart’s axis, you can use the up or down arrows to the right of the aggregation’s type to change the aggregation’s priority.

You can customize your visualization. For more information, see Customizing aggregations.

Metrics and Axes

Select the Metrics and Axes tab to change the way each individual metric is shown on the chart. The data series are styled in the Metrics section, while the axes are styled in the X and Y axis sections.

Metrics

Modify how each metric from the Data panel is visualized on the chart.

Chart type

Choose between Area, Line, and Bar types.

Mode

Stack the different metrics, or plot them next to each other.

Value Axis

Choose the axis you want to plot this data to (the properties of each are configured under Y-axes).

Line mode

Choose how the outline of lines or bars appears: smooth, straight, or stepped.

Y-axis

Style all the Y-axes of the chart.

Position

Position of the Y-axis (left or right for vertical charts, and top or bottom for horizontal charts).

Scale type

Scaling of the values (linear, log, or square root).

Advanced Options

Labels - Show Labels

Enables you to hide axis labels.

Labels - Filter Labels

If filter labels are enabled, some labels will be hidden when there is not enough space to display them.

Labels - Rotate

Number in degrees for how much you want to rotate labels.

Labels - Truncate

Size in pixels to which the label is truncated.

Scale to Data Bounds

The default Y-axis bounds are zero and the maximum value returned by the data. Check this box to change both upper and lower bounds to match the values returned by the data.

Custom Extents

You can define custom minimum and maximum for each axis.

X-axis

Position

Position of the X-Axis (left or right for horizontal charts, and top or bottom for vertical charts).

Advanced Options

Labels - Show Labels

Enables you to hide axis labels.

Labels - Filter Labels

If filter labels are enabled, some labels will be hidden in case there is not enough space to display them.

Labels - Rotate

You can enter the number in degrees for how much you want to rotate labels.

Labels - Truncate

You can enter the size in pixels to which the label is truncated.

Panel settings

These are options that apply to the entire chart, not just the individual data series.

Common options

Legend Position

Move a legend to the left, right, top or bottom.

Show Tooltip

Toggle the display of tool tip when moving the mouse pointer over chart objects.

Current Time Marker

Show a line indicating the current time.

Grid options

You can enable grid on the chart. By default, grid is displayed on the category axis only.

X-axis

You can switch off the display of grid lines on category axis.

Y-axis

You can choose on which (if any) of the value axes you want to display grid lines.

Viewing detailed information

For information on displaying the raw data, see Visualization Spy.

Timeline

The Timeline visualization displays series of data coming from different saved searches on a single timeline component. Events are color-coded to distinguish between different groups.

Each event on a timeline becomes a clickable term filter which enables you to quickly filter the related data based on what is shown on the timeline.

Timeline

Configuration

To configure the visualization, add a new Group and select:

  • Saved search id: Data for this group will be taken from the corresponding index.

  • Group label: Label for the group.

  • Event label field: Field value will be used as individual event label.

  • Event start date: Date from this field will be used to position start of the event.

  • Event end date (optional): Date from this field will be used to position end of the event.

  • Events number limit (optional): Limit number of events in this group.

Timeline configuration

Advanced option

By default, events from multiple groups are rendered all mixed together. It is possible to show different groups on different levels by enabling the advanced option:

  • Groups rendered on separate levels

Timeline advanced configuration

In the timeline, each group is rendered on a separate level:

Timeline

Scatter Plot

This visualization displays a scatter plot chart in four different modes: Straight, Significant terms, Any aggregator, Filtered aggregator.

Straight

This mode does not use aggregates; it pulls the data directly from Elasticsearch, using the Random scoring method to get a random sample of records.

  • X values: The value can be String, Date or Numeric.

  • Y values: The field value can be String, Date or Numeric.

  • X axis label

  • Y axis label

  • X axis scale: Select linear, log, or square root scales for the chart’s X axis. You can use a log scale to display data that varies exponentially, such as a compounding interest chart, or a square root scale to regularize the display of highly variable data sets. This kind of data, where the variability is itself variable over the domain being examined, is known as heteroscedastic data. For example, if a data set of height versus weight has a relatively narrow range of variability at the short end of height, but a wider range at the taller end, the data set is heteroscedastic.

  • Y axis scale: Select linear, log, or square root scales for the chart’s Y axis.

  • Jitter field: Adds deterministic jitter, a pseudo-random distribution of the data within the X axis data interval. Jitter spreads the values across the X axis, so the data is shown distributed across the bucket and each dot is more visible.

  • Jitter scale: Select linear, log, or square root scales for the jitter.

  • Label: Dot label.

    • Display label: Select this check box to enable the display of a label next to the dot.

    • Label hover effect: Select this check box to enable the tool tip label.

  • Color: Dot color.

  • Color field: Used as an input to generate the dot colors. Only number field types are permitted.

  • Dot size

  • Dot size field: An input for the dot size. Only number field types are permitted.

  • Dot size scale: Select linear, log, or square root scales for the dot size.

  • Size: Number of random records to fetch from an Elasticsearch query.

  • Shape opacity: Value from 0 to 1 that defines the dot transparency.

Significant terms

Significant term

In this mode the chart is built from a Significant terms aggregation query result. The X values are taken from the bg_count field and the Y values from doc_count field.

  • Field: Field that will provide terms to be aggregated.

  • Size: Number of significant terms to be aggregated.

  • X axis label

  • Y axis label

  • Color: Dot color.

  • Shape opacity: Value from 0 to 1 that defines the dot transparency.

Any aggregator

Any aggregator

The chart is built from a Date Histogram, Histogram, Terms or Significant terms aggregation query result.

  • Aggregation

  • X Metric: Metric for X axis values.

  • Y Metric: Metric for Y axis values.

  • Color: Dot color.

  • Dot size

  • Shape opacity: Value from 0 to 1 that defines the dot transparency.

Filtered aggregator

Filtered aggregator

The chart is built from a Date Histogram, Histogram, Terms or Significant terms aggregation query result. The X and Y values are taken from Filters aggregation results.

  • Aggregation

  • Filter X: X axis filter string.

  • Filter Y: Y axis filter string.

  • Metric: Metric to be calculated for each filter aggregation.

  • Color: Dot color.

  • Dot size

  • Shape opacity: Value from 0 to 1 that defines the dot transparency.

After changing options, click Apply changes to update your visualization. Alternatively, click Discard changes to return your visualization to its previous state.

Radar chart

A radar chart is a graphical method of displaying multivariate data in the form of a two-dimensional chart of three or more quantitative variables represented on axes starting from the same point. The relative position and angle of the axes is typically uninformative.

Radar chart visualization

Radar chart settings

Also known as a web chart, spider chart, or star chart, the radar chart is a standalone plugin compatible with Siren Investigate 10 and later and Kibana 4.3 and later.

Box Plot

This visualization displays a box plot chart from the data in the current set of Elasticsearch documents.

Box plot

Ensure that you have:

  • One Percentiles metric, with three Percentiles defined:

    • Bottom Percentile (Usually around 25%)

    • Mean (Usually around 50%)

    • Top Percentile (Usually around 75%)

  • One Max metric

  • One Min metric

  • One Aggregation (Optional)

Options

Box plot options

  • Y Axis Text: Label for the X axis.

  • X Axis Text: Label for the Y axis.

  • Show values: Select this check box to enable the display of the value next to its box.

  • Restrict Y axis MAX: Restricts the domain of the Y axis to a maximum value.

    • Global Max Y Value: Y axis domain maximum value.

  • Restrict Y axis MIN: Restricts the domain of the Y axis to a minimum value.

    • Global Min Y Value: Y axis domain minimum value.

When you have finished your changes, click Apply changes to update your visualization. Alternatively, click Discard changes to return your visualization to its previous state.

Bubble diagram

The bubble diagram visualization displays series of data grouped into packed circles.

Bubble size

The radius of circles depends on the type of metric aggregations.

For more information, see Y-axis aggregations.

Buckets aggregations

The buckets aggregations determine what information is shown in the diagram.

You can do a maximum of two aggregations at a time. The first aggregation will create the parent circles, while the second aggregation will create the child circles.

Parent circles look slightly different to the children ones. Parent circles have a thicker border and the label is written in bold.

The parent bubbles are divided by color. If you do a subaggregation (child), you will see the bubbles divided by family. Child bubbles are located near the parent and all have the same color. If you drag a bubble, all members of the family will move.

Aggregation configuration

Options

In the diagram there are two options:

Show Parents

When selected, parent bubbles are visible when doing the subaggregation.

Enable Zoom

Enables zoom on the page. To use the zoom, use the mouse wheel.

Circles movements

All circles gravitate towards the center of the visualization. When you drag a circle, its family follows it.

Bubble movement

Moving the mouse pointer over a circle shows detailed information in a tooltip.

Detailed information on hover

Filters

You can create filters by double-clicking the bubbles. When you double-click a child, you will be asked to confirm the application of the filter on the filter bar.

Filter child

Click Apply Now to set the filter and display the bubble and its parent.

Filter child

When you double-click a parent, you will see the bubble and its family.

Filter parent

Horizontal Bar chart

This visualization displays a horizontal bar chart from the data in the current set of Elasticsearch documents.

Horizontal bar chart

Parallel Lines chart

A parallel lines chart is a type of chart that is well suited for visualizing many data dimensions at the same time. This is unlike most classical chart types, which are only able to represent data along two coordinate axes, with possibly additional dimensions mapping to size and color of the plotted primitives.

To show an arbitrary number of dimensions, the parallel lines chart establishes one parallel axis per dimension, and lets a data-point be represented as a line passing through each axis at its corresponding value.

In addition to the classical parallel coordinates chart, this plugin also synchronizes a strip of minified scatterplots between each consecutive pair of axes, which is helpful to provide a more traditional reference for the represented data.

A parallel lines chart

Interaction

Hovering the mouse pointer over the chart highlights the nearest line or bucket of the dataset, displaying the associated values for each axis and the number of documents associated with the line.

Filtering lines

Clicking and dragging on columns enables you to define a filter for the values of a column. This means that all values outside the defined range are dimmed and unselectable. It is also possible to click a single value of a column, thus placing a filter on the single value itself, instead of a range of values.

Filters can also be defined on the minified scatterplots by clicking and dragging to a rectangle shape. This places two range filters on the axis columns.

A range filter and a value filter

Column interactions

The main feature of the parallel lines chart is that it enables you to easily identify obvious cases of positive or negative correlation.

You can swap the placement of columns by clicking a column name and dragging the column to its new place. This immediately updates the chart and the scatterplots strip.

Moving columns

Columns can be sorted using the associated arrows available before a column name when you hover the mouse pointer over it. Sorting a column does not perform an additional server request; it only sorts the already retrieved data.

Clicking the Remove icon (X) after a column name hides the column from the visualization. This is useful when you want to concentrate on the other columns. Hidden columns can be restored by clicking the Show icon on the top-right corner of the visualization (displayed only when a column is hidden).

Expanded scatterplots

Scatterplots can be expanded by clicking the Expand icon that becomes visible when you hover the mouse pointer over a minified scatterplot. To return to the main chart, click the Minify icon on the top-right corner of an expanded scatterplot.

An expanded scatterplot

Setting up

Data tab

Each metric and bucket aggregation maps to a column of the chart.

To change the name on top of the visualized axis, use the Custom Label value of the associated aggregation.

Supported metric aggregations

  • Count

  • Average

  • Sum

  • Min

  • Max

  • Unique Count

  • Top Hit

Supported bucket aggregations

  • Date Histogram

  • Histogram

  • Range

  • Date Range

  • Terms

  • Significant Terms

Columns tab

This tab displays additional configurable parameters associated with each column or axis of the chart. Currently, this is limited to:

Scale Type: Defines the type of scale to associate to an axis for numeric fields. Choices are linear, log or square root.

Options tab

Other general options that configure the appearance of the generated visualization:

Color settings

  • Low Color Records: The color to be used for buckets (lines) with the lowest number of documents. The color of higher-documents buckets will be linearly interpolated from this value.

  • High Color Records: The color to be used for buckets (lines) with the highest number of documents. The color of lower-documents buckets will be linearly interpolated to this value.

  • Highlighted Record: The nearest line/bucket to the user’s mouse pointer will be highlighted with this color.

  • Value Tips: The color used to render the values of each axis/field near the highlighted line.

Other

  • Ticks Distance (px): The desired distance, in pixels, between the ticks of each axis. The actual distance is usually respected, depending on the cooperation of the scale associated to each axis.

  • Expanded Scatterplot Points Radius (px): The radius of data-points displayed in the expanded scatterplot (click the expand icon when hovering over a minified scatterplot to expand it).

  • Show Filtered-Out Records As Shadows: Whether lines outside currently defined column filters should be hidden or displayed as gray 'shadow' lines.

  • Render Using Html5 Canvas (faster): A mostly technical detail that defines the kind of rendering to be used for lines (canvas or svg). Will probably be removed in future revisions.

Query Viewer

This visualization displays the results from multiple queries on external datasources using query templates.

To add a query to the visualization, click Add query and set the following parameters:

  • Label: The caption for the table, in case of a table template like kibi-table-jade. This sets the variable label to the given value.

  • Source query: The query used by the template.

  • Template: The template used to render results returned by Source query.

If one of the source queries requires an entity to be selected, you can set an entity URI for testing in the input field above the preview.

If a source query is not activated, the corresponding template will not be rendered.

The following image shows the configuration and output of a templated query viewer visualization for a selected company:

Configuration of a Siren Investigate query viewer visualization

Advanced options

By clicking the Advanced link, you can set additional rendering options.

It is possible to set additional template variables by writing them as JSON object properties in the Template variables text area.

For example, to customize the heading of the generic table template (this is done automatically by the Label input field above), which is set by default to the id of the source query, you can customize the label variable as follows:

{
    "label": "Info"
}

By default, template contents are hidden and can be displayed by clicking the show link in the heading; to make template contents visible by default, select the Render opened check box.

Advanced options

Getting started with GeoServer

Locally hosting vector layers as WMS and WFS for Siren Investigate

If you need to display custom layers for Region Map or Coordinate Map visualizations, or want to use spatial datasets within Siren Investigate, a geospatial server may provide the solution.

A geospatial server can handle the conversion of spatial datasets, layer styling options, serve WFS and WMS simultaneously, and can integrate and serve Elasticsearch documents. The following sections explain how to set up GeoServer, a popular open-source interoperable geospatial server.

GeoServer can serve information in WMS, WMTS, WFS, or WCS, and is easy to install and configure. Vector layers can be imported in multiple formats such as ESRI Shapefile, WFS, PostGIS, GeoPackage, and Java Properties; in addition, GeoServer can be linked with Elasticsearch using the elasticgeo plugin.

The article Going beyond “dots on a map” provides excellent background information on mapping.

Setting up a web server to serve GeoJSON for Region Maps visualization

If you just want a quick and easy way to serve GeoJSON vector layers for use with the Region Map visualization, you can use “http-server”, a command-line http server that uses NodeJS. It’s a quick and easy way to serve files locally.

First, you need to install NodeJS.

Then, install http-server:

npm install http-server -g

Navigate to the folder with the GeoJSONs and run http-server with CORS enabled on port 9000, as shown here:

http-server ./ -p 9000 --cors="*"

Replace the URL in the investigate.yml file (also making sure to calibrate the remainder of the fields for each GeoJSON), and start Siren Investigate.

http://localhost:9000/world_countries_v1.geo.json
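With --cors enabled, http-server answers requests from any origin. The following is an added example, not part of the Siren documentation: a small NodeJS server that serves the same GeoJSON folder on port 9000 but returns the CORS header only to one allow-listed origin and refuses paths outside the folder. The origin http://localhost:5606 and the GEOJSON_DIR variable name are assumptions; adjust them to your deployment.

```javascript
const http = require('http');
const fs = require('fs');
const path = require('path');

// Assumption: the origin Siren Investigate is loaded from in the browser.
const ALLOWED_ORIGINS = new Set(['http://localhost:5606']);

// CORS headers for a request's Origin; empty when it is not allow-listed.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}

// Map a URL path to a .json/.geojson file under root; null if rejected.
function resolveGeoJson(root, urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath.split('?')[0]);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;
  const base = path.resolve(root);
  const target = path.resolve(base, '.' + decoded);
  if (!target.startsWith(base + path.sep)) return null; // escapes the folder
  return /\.(geo)?json$/i.test(target) ? target : null;
}

function createGeoJsonServer(root) {
  return http.createServer((req, res) => {
    const file = req.method === 'GET' ? resolveGeoJson(root, req.url) : null;
    if (!file || !fs.existsSync(file) || !fs.statSync(file).isFile()) {
      res.writeHead(404);
      res.end();
      return;
    }
    res.writeHead(200, {
      'Content-Type': 'application/json',
      ...corsHeaders(req.headers.origin),
    });
    fs.createReadStream(file).pipe(res);
  });
}

// GEOJSON_DIR is a hypothetical variable name; the server starts only if set.
if (process.env.GEOJSON_DIR) {
  createGeoJsonServer(process.env.GEOJSON_DIR).listen(9000, '127.0.0.1');
}
```

Binding to 127.0.0.1 keeps the files reachable only from the local machine, which matches the localhost URL used in investigate.yml.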

Installing GeoServer

Depending on your OS, follow the instructions at the links below for installing GeoServer:

If you would like to link your Elasticsearch index with GeoServer, the latest version currently supported is v2.14.2.

Enabling Cross Origin Resource Sharing (CORS)

As GeoServer will be running on a separate domain to Siren, you may get a CORS error in your development window.

To get around this issue:

  • Edit your web.xml file as shown in the Enable CORS section here.

  • Download the Jetty-Utility Servlets Jar to match the version of Jetty for the specific version of GeoServer.

  • Copy this to webapps/geoserver/WEB-INF/lib inside the geoserver-[v.vv.v] directory (or wherever you unpacked the zip file).

Adding vector layers to GeoServer

Open your browser and navigate to port 8080 (the default) on your local host: http://localhost:8080/geoserver

Log in with the default credentials:

  • Username: admin

  • Password: geoserver

From here you can:

  • Add new stores, i.e. sources for your spatial data

  • Create workspaces

  • Add layers to the server (and workspaces) from your stores

  • Create groups of layers that can be returned in one request

  • Create styling for how your layers will be rendered on a map


Make sure that WMS and WFS are enabled by selecting both on the navigation pane on the left.

Creating layer styles for GeoServer

There are many examples for creating styles in the SLD cookbook. If you prefer a GUI-based method of styling over the XML format of SLD used in GeoServer, Quantum GIS offers a way to export styles created in its GUI to SLD format.

Styles for layers or layer groups are either set as defaults within GeoServer or specified as a parameter from Siren Investigate.

Linking Elasticsearch and GeoServer

You can add Elasticsearch indexes to your GeoServer instance by following the installation and configuration instructions of the elasticgeo plugin.

When editing your Elasticsearch store, you will need to add siren/ at the very beginning of the index_name* field. This indicates that the query should be sent to Siren Federate for processing.

The most recent version of elasticgeo is v2.14.2, and is compatible with GeoServer v2.14.2.