The types of visualizations available in Kentik Detect are covered in the following topics:
Kentik Detect supports a wide variety of visualization types, giving you multiple perspectives from which to view traffic whose flow records are stored in the Kentik Data Engine (KDE). Most of these visualizations are based on the “top rows” returned from the current query, as measured by the metric selected in the Query pane (see Query Basic Options). Many are based on time-series data, plotted over a time range (see Time Pane Settings) represented on the horizontal axis, with the metric represented on the vertical axis. For most view types (excluding Gauge) the visualization is accompanied by a results table (see Data Explorer Table).
Traffic visualizations are presented in various parts of the Kentik Detect portal:
- Library: Visualizations appear in the Library Display Area for the following Library view types:
- Dashboard panels
- Saved views
- Data Explorer: Visualizations appear in the Explorer Chart Display.
- Peering Analytics: Visualizations (Sankey diagram only) appear in the Peering Data Display.
- The number of top rows displayed in a given visualization varies depending on the Visualization Depth (see Query Advanced Options).
- The number of rows in the results table that accompanies visualizations is dependent on the Visualization Depth and limited to a maximum of 350.
- If Historical Overlay is on then in applicable view types the historical values are plotted on the chart as a dashed gray line.
The following views are visualizations of time-series data:
This is the default chart type. The top rows in the returned data, which is plotted over the specified time range, are stacked (as distinct from overlaid) to show the contribution of each row to the combined total. This view helps you to understand, based on an absolute scale (e.g. mbps), how the top series change over time and in relation to one another. For example, this view is well suited to address a question such as, “What are the TOS categories for the traffic on this interface, and how much bandwidth are they using?”
This chart type is similar to a standard stacked graph, but providing an indication of relative rather than absolute value. Each row is shown as a percentage of the total traffic returned from the query, so the entire area of the graph is always filled but the proportion of vertical space represented by each row of results changes over time. This is useful for seeing changes over time in the top series, not only in relation to one another but also in relation to the total. For example, this view might be used to answer a question such as, “What percent of the traffic we’re serving is going to each Country, or to each Custom Geo?”
This chart type is most similar to the stacked area chart. The top rows in the returned data are plotted against an absolute scale over the specified time range, showing the contribution of each row to the combined total. The duration represented by each bar is determined by the query’s aggregation step boundaries, which vary depending on the width of the query timespan (see Time Rounding). The aggregation of values into segments of time can be helpful in answering questions such as, “Over the last week, how much traffic per hour was outbound from the cloud networks that we’re monitoring?”
This chart type is similar to the stacked area chart, with the top rows in the returned data plotted over a specified time range against an absolute scale. But because the values are overlapping rather than stacked, this view emphasizes the absolute value of each individual series rather than the total resulting from the combination of all plotted series. (The combined total may also be plotted, though by default that is off.) A representative question answered by this view would be, “How much traffic are we sending on each of our outward-facing interfaces?”
A horizon chart combines time-based and density-based information into a compact visualization in which the value of a metric (e.g. traffic volume in bits/second) is plotted over time for the top-X rows returned from the query. Each top row is represented by one “lane,” with the number of lanes determined by the visualization depth (see Query Advanced Options). The height of all lanes is the same regardless of the amplitude of the represented data.
Within each lane, the overall amplitude range is divided into five “bands” that are each assigned a color. Bands are overlaid within the lane (rather than stacked), starting with the lowest-volume band at the back, so that the highest-volume band is always visible in the foreground.
This approach is especially useful for visually identifying series or time slices that are outliers (high or low). It can also result in a more informative visualization than a stacked area chart when there are a large number of series. A horizon chart can be useful for answering questions such as, “Are any of the devices we’re monitoring sending more flows than normal, and have any of them stopped sending flows?”
The Sync Density Scale checkbox determines how the bands for each lane are scaled and thus the use case for which the chart works best:
- Compare density: If the checkbox is checked, all lanes use the same scale, and the bands each represent one fifth of the total range from zero to the highest value that is present in any of the lanes. This view is best for comparing density (e.g. traffic volume) across the lanes.
- Spot patterns: If the checkbox is not checked, each lane uses its own scale, and the bands each represent one fifth of the total range from zero to the highest value in that lane. This view makes it easier to spot patterns across the lanes (e.g. do they all have a peak at the same time).
When you hover over the chart at a given point in the timeline, the value of each lane at that point is displayed at the right of the lane.
The following views compare total cumulative values over the entire time-range of a query:
The top rows in the returned data are plotted as individual bars against a horizontal axis representing the metric being counted, and the combined total is also plotted. This approach is useful for comparing series aggregates over time, where series vs. series is more important than series vs. total. For example, you might use this view to answer questions such as, “How much traffic did we send on each of our peering and transit links this month?”
In this view, the top rows are each shown individually as a colored segment of the pie, with the sum of all other rows shown together as “Other.” This is useful for comparing series aggregates over time, where series vs. total is more important than series vs. series. A typical question addressed by this view might be, “What’s the ratio of IPv4 to IPv6 in the past quarter?”
Note: If the view type is set to Pie Chart then when the query is run:
- Display and Sort By will be automatically set to Average.
- Historical Overlay (see Query Advanced Options) will, if on, result in a Historical Total row in the Data Explorer Table but not in the display of historical data on the pie chart.
The following views show the break-out of subsets within sets of data:
A Sankey diagram is used to see connections across the various dimensions that make up a key (see About Keys), such as how much of a given source IP’s traffic is going to each of its various destination IPs via various intermediate hops. It’s especially useful when visualizing these relationships across three or more related dimensions. Each dimension in the diagram is represented by a colored vertical bar, and the width of the gray bands between the bars is proportional to the quantity of traffic in common between those dimensions. Some fairly complex questions can be represented, such as, “For the traffic that is being sent from my network to the Netflix AS, what protocols and ports are being used, how much of it originated inside my network, and what was the source AS of the outside traffic?”
Note: Unless the group-by dimension is Destination BGP AS Path, you must have at least two group-by dimensions to use the Sankey view type.
A sunburst chart is similar to a Sankey in terms of visualizing relationships among dimensions in a key (see About Keys), but better for visualizing each dimension’s contribution to the total. The dimensions that make up the key definition are represented as concentric rings (from inner to outer) that are segmented into wedges representing the top rows returned from the query (segments with the same value for a given dimension are joined into one). The number of segments is determined by the visualization depth (see Query Advanced Options). A sunburst chart might be used to answer a question such as, “What’s the relative distribution of traffic volume by TOS/DSCP, and for each value, what are the destination protocols, ports, and IP/CIDR subnets?”
The following types of density-based views illustrate (in quite different ways) the volume of traffic:
Note: For information on the Matrix view, which is also part of this category, see Matrix View.
A gauge presents a single primary metric value without a time-series graph or a table, which is useful for presenting a top-level KPI or metric (e.g. total bits/sec in and out for the entire network) on a dashboard. To use the Gauge view type you must configure and enable bracketing (see Bracketing Pane Settings), including the following settings in the Bracketing Options dialog:
- The Use Last Datapoint Value switch determines which metric is displayed as the primary value (large type in left column), as well as which values are displayed in the secondary column at the right of the gauge.
- The Bracketing Ranges settings determine the background color of the gauge, which is the color assigned to the range into which the current value of the primary metric falls.
A Geo HeatMap is a zoomable map that displays the geographic distribution of a metric, for example the traffic volume associated with various physical locations. Each geography is colored according to its rank relative to other geos.
Map view supports only one group-by dimension at a time. Supported dimensions are shown in the following table:
|Network & Traffic Topology
|Network & Traffic Topology
||Ultimate Exit Site
||Ultimate Exit Site Country
Bracketing is not required, but if bracketing is enabled then the map colors will correspond to the bracketing ranges (see screenshot below).
Matrix views are covered in the following topics:
When the view type is set to Matrix, the display area will show a matrix, which is a table in which:
- The vertical axis (rows) represents the currently chosen group-by dimensions.
- The horizontal axis (columns) represents the currently chosen matrix-with dimensions.
- The values in the cells are expressed in the currently set metric.
- The number of rows/columns is determined by the Visualization depth setting (see Query Advanced Options), with an upper limit of 15.
The table in a matrix view is populated (behind the scenes) using three successive queries (where X represents the visualization depth):
- Get the top-X instances, measured by current metric (e.g. average pkts/sec), of the currently chosen group-by dimension (e.g. Src cities) across all currently selected devices. These become the rows of the matrix.
- Get the top-X instances, measured by current metric, of the currently chosen matrix-with dimensions (e.g. Dst cities) across all currently selected devices and filtered to include only the results of the first query. This becomes horizontal axis (columns).
- Get the traffic volume, in currently selected metric, between the group-by and matrix-with dimensions at each row/column intersection. These values populate the corresponding cells of the matrix.
- A matrix may include multiple group-by and/or matrix-with dimensions.
- In addition to the filtering described in query 2 above, all other filters specified in the Filters pane of the sidebar will also be applied to the queries.
- Variations in cell background color correspond to the scale at the right of the matrix itself.
In the following example, the metric is packets/second, Visualization depth is set to 8, and Display and Sort By is Average. The group-by dimension is Source: City and the matrix-with dimension is Destination: City, so the vertical axis shows the top 8 source cities as measured in average packets/second, and the horizontal axis shows the top 8 destination cities filtered by the source cities. The cells of the table are populated with average packets/second between the cities on the two axes.
To use the Matrix view type:
- Use the Group-by Dimensions selection box to choose one or more dimensions for the rows in the Matrix table (see Query Dimension Selectors and Using Multiple Dimensions).
- Set the view type to Matrix (see Chart Display UI). The Matrix-by Dimensions dialog opens (see Query Dimension Selectors).
- Use the dialog to select one or more dimensions for the columns in the Matrix table, then click the Matrix by Selected Dimensions button. The Matrix With selector appears in the Query pane of the sidebar.
- Set the remaining query options in the Query pane as well as the Time, Filters, and Devices panes.
- Click the Run Query button. The matrix will appear in the display area.
Once the matrix is rendered, you can click an individual cell to open a pop-up with a visualization of the corresponding data. You can select an alternate view type from the drop-down View Type menu at the upper right of the graph, and you can save the graph as a Saved View with the Save View button.
The following example shows a detail graph of the Los Angeles row of a matrix, rendered with a view type of Sankey diagram.
- When creating a detail graph from an individual cell, don’t click directly on the cell value (a Highcharts bug prevents the click from being recognized).
- The view type setting for a detail graph is sticky until the overall matrix is reset by applying sidebar changes, at which point detail graphs will once again be rendered using the default view type.
- The effect of the Total Overlay switch on a detail graph depends on view type (see Chart Display UI).
The table alone, with each metric represented by a column, is displayed without a graph or chart in the data display area. In this mode, the table can be exported (see Export Chart or Table) or added to a dashboard (see Add View to Dashboard). Table view can be useful for queries where there are many keys with relatively equal weight.