Timeseries Visualization

When the Timeseries visualization type is chosen, the Total Events section below shows a graph made up of a sequence of vertical bars, each covering an equal period of time (the time interval for each column is defined by the Time Range option in the top right corner of the Logs panel).

For now, this visualization type is available for Delivery events only. It will be expanded to cover other event types in the upcoming releases.

To get more space for investigating this graph, use the Options > Service Time switch in the top right corner to conceal the upper plot.

This data representation mode provides extended capabilities for intricate data analysis by means of advanced grouping options that appear under the visualization selection row upon choosing this display type.

There are 2 types of data management controls here:

  • Group into - defines the entity by which the data should be grouped (currently, only the fields selection is available here; enhancements are coming soon)

  • Show - grouping parameters of the following structure:

    • Count unique - an expandable list, with the ability to choose an item or attribute that will be tallied uniquely within the given data set:

      • client_ip - to count unique IPs the requests came from

      • client_city - to count specific locations the requests came from

      • client_country_code - to count distinct countries the requests came from

      • cache_status - to count particular requests' cache statuses (TCP_HIT, TCP_MISS, CONFIG_NOCACHE, etc)

      • client_as_org - to count unique networks or organizations the requests came from

      • client_isp - to count unique Internet Service Providers the requests came from

      • user_agent - to count unique User-Agent request headers

      • host - to count unique requested application hostnames

      • method - to count request methods (GET, POST, HEAD, etc)

      • path - to count requested application assets

      • pop - to count ADN/CDN points of presence the requests were delivered from

    • by - defines the parameter for grouping the events sorted upon the Count unique condition; the given list of options includes all the items mentioned above plus a set of additional ones as follows:

      • client_asn - to group requests by the network's or organization's Autonomous System Number (ASN)

      • status_code - to group requests by the request status code (200, 201, 202, etc)

      • waf_audit_alert - to group requests by true/false value of the boolean that indicates triggering of the WAF Audit mode alert

      • waf_prod_action - to group requests by true/false value of the boolean that indicates triggering of the WAF Block mode alert for production profiles

      • waf_prod_alert - to group requests by true/false value of the boolean that indicates triggering of the WAF Audit mode alert for production profiles

      • rl_alert - to group requests by true/false value of the boolean that indicates triggering of the Rate Limiting alert

You can add as many additional by parameters as you need to.

Also, by using the separate limit to control on the right, you can define the number of groups to display (top 10, top 20, or top 50), ranked by the number of included results.

After applying all desired grouping filters, data within the graph columns is aggregated accordingly. Each group within a column is represented by a distinct color, with a corresponding color legend listed below the graph for clarity.

Hover over any of the colored groups within a column to view information about its label (i.e. the last by parameter value) and the number of records included based on your set grouping filters. Additionally, hovering over a particular color block within the legend will highlight all the corresponding color sections on the graph.
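The grouping described above (Count unique ... by ..., split into time columns and cut to the top groups) can be reproduced offline on exported events. The following is an added example, not the product's own code. Assumptions: events are dictionaries keyed by the field names listed above, the `timestamp` field (epoch seconds) and the `timeseries` function are hypothetical, and groups are ranked by record count.

```python
from collections import defaultdict

# Constructed sample Delivery events (documentation-range IPs). Field names come
# from the lists above; "timestamp" (epoch seconds) is an assumed field name.
EVENTS = [
    {"timestamp": 5,   "client_ip": "198.51.100.1", "status_code": 200, "rl_alert": False},
    {"timestamp": 10,  "client_ip": "198.51.100.1", "status_code": 200, "rl_alert": False},
    {"timestamp": 20,  "client_ip": "198.51.100.2", "status_code": 200, "rl_alert": False},
    {"timestamp": 30,  "client_ip": "203.0.113.3",  "status_code": 429, "rl_alert": True},
    {"timestamp": 40,  "client_ip": "203.0.113.4",  "status_code": 429, "rl_alert": True},
    {"timestamp": 50,  "client_ip": "203.0.113.3",  "status_code": 429, "rl_alert": True},
    {"timestamp": 70,  "client_ip": "203.0.113.5",  "status_code": 429, "rl_alert": True},
    {"timestamp": 80,  "client_ip": "203.0.113.6",  "status_code": 429, "rl_alert": True},
    {"timestamp": 90,  "client_ip": "198.51.100.1", "status_code": 200, "rl_alert": False},
    {"timestamp": 100, "client_ip": "198.51.100.7", "status_code": 403, "rl_alert": False},
]


def timeseries(events, count_unique, by, interval_s, limit=10):
    """Return {column_start: {group: unique_count}} for the top `limit` groups.

    count_unique -- field tallied uniquely inside each group ("Count unique")
    by           -- list of fields forming the group key (one or more "by" parameters)
    interval_s   -- column width in seconds (stands in for the Time Range interval)
    limit        -- keep only the N groups with the most records (assumed ranking)
    """
    columns = defaultdict(lambda: defaultdict(set))
    records = defaultdict(int)
    for ev in events:
        # Snap the event to the start of its time column.
        start = ev["timestamp"] - ev["timestamp"] % interval_s
        group = tuple(ev.get(field) for field in by)
        columns[start][group].add(ev.get(count_unique))
        records[group] += 1
    # Rank groups over the whole range, then keep only the top `limit`.
    top = set(sorted(records, key=lambda g: (-records[g], str(g)))[:limit])
    return {
        start: {g: len(values) for g, values in groups.items() if g in top}
        for start, groups in sorted(columns.items())
    }


if __name__ == "__main__":
    result = timeseries(EVENTS, "client_ip", ["status_code", "rl_alert"], 60, limit=2)
    for start, groups in result.items():
        print(start, groups)
```

In this output, a column where the `(429, True)` group shows several unique `client_ip` values means the Rate Limiting alert fired for multiple sources in that interval rather than for one repeated client.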
