Log Insight lets you manipulate the visual representation of events by using aggregation queries.

Aggregation queries consist of two distinct attributes:

Functions

Groupings

An aggregation query requires one function and at least one grouping. Groupings are an important part of content packs, and the combination of function and grouping determines how a chart is displayed.

By default, the overview chart on the Interactive Analytics page of Log Insight displays a count of events over time. If you use the count function in conjunction with the time series grouping, Log Insight creates a bar chart.

If you use the count function in conjunction with a single field grouping instead of time series, Log Insight creates bar charts with quantities listed from greatest to least.

All functions except the count function are mathematical. They require a field against which the function is applied. When you perform a mathematical function on a field and group by time series, Log Insight creates a line chart.

Starting from the default count of events over time, if you add one field to the time series grouping, Log Insight creates a stacked chart.

If you group by time series plus a field and use any function except count, Log Insight creates a stacked line chart. Stacked charts are powerful when you are trying to find anomalies in a particular object.

You must decide which type of stacked chart to use based on the number of objects that the aggregation query might return. Displaying more objects requires more resources to parse and display the information. In addition, the number of colors is fixed, so distinguishing between objects can become difficult as the number of returned objects grows. In general, the following best practices apply:

If the number of returned objects in each bar is less than ten, then you might want to use stacked charts.

If the number of returned objects in each bar is, or could be, between ten and twenty, then stacked charts can still work, but you must consider how the chart will render visually in a content pack.

If the number of returned objects in each bar is, or could be, greater than twenty, then stacked charts are discouraged.

If you create a grouping by using more than one field and time series, Log Insight creates a multi-colored chart. The chart alternates between two colors, and each change of color marks a new time range. Multi-colored charts can be hard to interpret, so consider the value of such a chart before including it in a content pack.

When you group by multiple fields, consider omitting the time series grouping. Removing time series makes the resulting bar chart easier to understand.

If multiple fields are important in a given time range, you can create a separate chart for each field over that time range. You can then display the charts in the same column of a dashboard group in a content pack.

When constructing an aggregation query, the message query should return only results relevant to the aggregation query. This makes analysis easier and ensures that the results show only relevant fields. To ensure that the message query returns the same results as the aggregation query, you must add constraints using the exists operator for each field that is used in the aggregation query.
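The following Python script is an added example, not code from Log Insight or from this documentation. It models the behaviour described above on a handful of constructed sample events: one function plus groupings (time series and/or fields) produce per-bar series, the count of distinct objects per bar is checked against the ten and twenty thresholds given above, a non-time-series grouping is ordered greatest to least, and an exists-style constraint shows why the message query must carry one for every field the aggregation uses. The field names hostname and latency_ms and the event values are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events standing in for Log Insight messages (not real data).
# hostname and latency_ms are hypothetical extracted fields.
BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
EVENTS = [
    {"timestamp": BASE + timedelta(seconds=s), "hostname": h, "latency_ms": ms}
    for s, h, ms in [
        (5, "web-01", 120), (20, "web-02", 80), (40, "web-01", 200),
        (70, "web-02", 90), (75, "web-03", 300), (110, "web-01", 100),
        (130, "web-02", 130), (150, "web-01", 60),
    ]
]
# This event never had latency_ms extracted; an "exists latency_ms" constraint drops it.
EVENTS.append({"timestamp": BASE + timedelta(seconds=100), "hostname": "web-03"})

# count needs no field; every other function is mathematical and needs one.
REDUCERS = {
    "count": len,
    "sum": sum,
    "min": min,
    "max": max,
    "avg": lambda xs: sum(xs) / len(xs),
}


def exists_filter(events, fields):
    """The 'exists' constraint: keep only events that carry every listed field,
    so the message query returns exactly the events the aggregation consumed."""
    return [e for e in events if all(f in e for f in fields)]


def aggregate(events, function, group_fields, bucket_seconds=None, value_field=None):
    """One function plus groupings. bucket_seconds adds the time series grouping;
    group_fields are the field groupings. Returns {bucket_start: {group_key: value}},
    with bucket_start None when there is no time series grouping."""
    if function != "count" and value_field is None:
        raise ValueError("mathematical functions need a field to operate on")
    needed = list(group_fields) + ([value_field] if value_field else [])
    buckets = defaultdict(lambda: defaultdict(list))
    for e in exists_filter(events, needed):  # events lacking a used field are ignored
        if bucket_seconds:
            epoch = int(e["timestamp"].timestamp()) // bucket_seconds * bucket_seconds
            bucket = datetime.fromtimestamp(epoch, tz=timezone.utc)
        else:
            bucket = None
        key = tuple(e[f] for f in group_fields)
        buckets[bucket][key].append(1 if function == "count" else e[value_field])
    reduce_fn = REDUCERS[function]
    return {b: {k: reduce_fn(v) for k, v in groups.items()} for b, groups in buckets.items()}


def objects_per_bar(series):
    """Distinct objects stacked in each bar of a time series chart."""
    return {b: len(groups) for b, groups in series.items()}


def stacked_chart_advice(series):
    """Apply the thresholds from the text to the widest bar: (widest, verdict)."""
    widest = max(objects_per_bar(series).values())
    if widest < 10:
        verdict = "stacked chart is a good fit"
    elif widest <= 20:
        verdict = "stacked chart is possible; check how it renders before shipping it"
    else:
        verdict = "stacked chart discouraged; chart the fields separately"
    return widest, verdict


def bar_chart(series):
    """Non-time-series grouping: objects ordered greatest to least."""
    return sorted(series[None].items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    stacked = aggregate(EVENTS, "count", ["hostname"], bucket_seconds=60)
    for bucket, groups in sorted(stacked.items()):
        print(bucket.strftime("%H:%M"), dict(groups))
    print(stacked_chart_advice(stacked))
    print(bar_chart(aggregate(EVENTS, "avg", ["hostname"], value_field="latency_ms")))
    # The avg aggregation silently used 8 of the 9 events; a message query with
    # "latency_ms exists" returns the same 8, which is the point of the constraint.
    print(len(EVENTS), len(exists_filter(EVENTS, ["latency_ms"])))
```

Running it prints three one-minute bars with two, three and two hosts each, which is well under the ten-object threshold, and shows that the avg-by-hostname aggregation consumed only the eight events that carry latency_ms, exactly the set an exists constraint on that field selects.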