Data Explorer

The features and use of Kentik’s Core » Data Explorer module are discussed in the following topics:

Note: The functionality of Data Explorer is also available via API; see V5 Query API.

Data Explorer enables query-based forensic and real-time exploration of traffic flows across your network.
 

About Data Explorer

Data Explorer is Kentik's primary interface for manually exploring the network data (flow records, BGP, SNMP, etc.) stored in the main tables of the Kentik Data Engine (KDE; see KDE Tables). The Data Explorer UI enables you to define settings that are translated into queries that return “views” made up of tables and graphs about the traffic on specified data sources (routers, hosts, clouds, etc.) during a specified timespan.

Views are defined using controls in the right-side Query sidebar (see Query Sidebar Controls), whose visibility is toggled with the Query button (in the SubNav). These controls specify query parameters such as time range, data sources, and dimensions, and narrow the returned data by filtering on dozens of dimensions (see Dimensions Reference). Views can be saved and reloaded at a later time (see About Saved Views).

Results are displayed in the display area and are typically made up of both of the following:

 

Data Explorer Layout

Data Explorer is made up of the following main areas:

  • SubNav controls: Miscellaneous page-wide controls (see Explorer SubNav Controls).
  • Main display: An area for display of query results, which in most cases is made up of a visualization (see Data Explorer Chart) and an accompanying table (see Data Explorer Table).
  • Explorer Query sidebar: This vertical strip at the right of the page is shown/hidden by the Query button in the SubNav. The sidebar contains the controls used to specify the query whose results are returned in the display area. These query settings are detailed in Query Sidebar Controls.
 

Explorer SubNav Controls

The Data Explorer SubNav (silver strip across top of page) contains the following page-wide controls:

  • Refresh: Updates the currently displayed graph and table based on the current query settings.
  • Auto Update (down-pointing triangle icon): A drop-down menu from which you can set auto-update to Off (default) or select an interval at which the chart and table will automatically update (see Auto Update Mode):
    - When auto-update is on, the interval (60, 90, or 120 seconds) will be displayed in the SubNav to the left of the down-pointing triangle.
    - When auto-update is set to Off, the down-pointing triangle will be displayed alone (no auto-update indicator).
    Note: Auto update is available only when the Time Range selector in the Query sidebar is set to Lookback (see Time Pane).
  • Share: Opens the Share dialog to enable you to share the current view (see Sharing via the Share Dialog).
  • Actions: A drop-down menu with actions you can take involving the current view (see Data Explorer Actions).
  • Query: Toggle visibility of the right-side Query sidebar (see Query Sidebar Controls), which contains the controls used to specify the query whose results are returned in the display area.
 

Explorer Chart Display

The chart display area is used to display a visualization of the results of the current query. The display area is covered in the following topics:

The chart display area presents traffic data in a wide variety of time-series visualizations.
 

Chart Display UI

The chart display area contains a number of UI elements in addition to the visualization (chart) itself:

  • Query title (top left): An automatically derived name for the query whose visualization is displayed in the display area. The name is refreshed each time changes to the query are applied via the query sidebar.
  • Query settings summary (below the title): Information about the query whose results are currently displayed, including the time range, the number of data sources, and the number of filters.
    Note: To see and change the query settings, click the Query button (in SubNav) to open the Query sidebar.
  • Restore: A back-curved arrow icon that appears at the upper right of the chart when the page is in Period over Period mode and the Compare icon has been clicked in a table row (see Compare Periods). This button restores the chart from a period over period comparison back to its normal state.
  • Chart: A visualization of query results. The visualization type (see Chart View Types) is determined in the Visualization pane of the Query sidebar.
  • Resize handle (between the chart and the table): Drag up or down to change the vertical allocation of the display area between the chart and the table.
 

Data Explorer Chart

The Data Explorer chart is a visualization based on traffic whose flow records are stored in the Kentik Data Engine (KDE). The available visualization types are covered in Chart View Types.

Most (but not all) portal visualizations are based on the top records returned from the current query, as measured by the metric selected in the Metrics Pane of the Query sidebar. Many are based on time-series data, plotted over a time range (see Time Pane) represented on the horizontal axis, with the metric represented on the vertical axis.

Each plot in the visualization corresponds to a row in the table that appears under the chart (see Data Explorer Table). The number of table rows plotted in the chart depends on the visualization depth (see Advanced Query Settings). Each plotted row is indicated in the table with a colored disc.

The chart in the display area is dynamic:

  • Hover over any line in a line chart or area upper boundary in a time series stacked graph to see a popup containing data for a specific record at a specific point in time.
  • Drag and release in the chart to select a portion of the time range to zoom in on. When zooming:
    - the Time pane is automatically set to From + To with the start and end times defined based on the zoomed region;
    - the graph and table in the display area, along with its associated URL, update so that the zoomed range can be shared; and
    - a Zoom out button appears at the upper right of the graph, which can be clicked to zoom out to the previous time range.
  • Clicking on the colored disc at the left of any row in the table will hide the area or line corresponding to that row from the chart. The disc will turn into a circle. Click the circle to restore display of the line or area in the chart.

Note: If at least one AS group exists in your organization (see About AS Groups), the Use AS Groups switch is on in the Advanced pane of the Query sidebar, and a query's group-by dimensions include destination and/or source ASN, then results from all ASes in each AS group will be summed for top-X evaluation, graph plotting, and display in the results table (see Table AS Grouping).

 

Auto Update Mode

Auto Update mode allows you to optionally set an interval — 60, 90, or 120 seconds — at which the Data Explorer graph and table will automatically be refreshed. The countdown to refresh starts over each time you apply changes and the new result is returned in the display area. To enter Auto Update, choose the desired update interval from the drop-down Auto Update menu (see Explorer SubNav Controls). To exit, choose Off.

Note: Auto Update mode is available only when the Query sidebar's Time Pane is set to Lookback.

 

Data Explorer Table

The query results displayed in the chart display area are also presented as a table, which is covered in the following topics:

Note: The structure of the table when the Compare over previous period switch is on in the Time Pane is covered in Compare Periods.

The table provides a top-X list of the keys whose traffic matches the current query settings.
 

Explorer Table Overview

The Data Explorer table lists (in descending order) the values of selected metrics for the results returned from the current query. The last row (at bottom) will show the combined total of all records returned from the query. The table also doubles as a legend for the chart above; the rows that are marked with a colored disc at left are those that are plotted in the chart (the number of plotted rows is determined by the Visualization Depth setting; see Advanced Query Settings).

The location in which the table is displayed depends on the current view type (see Chart View Types):

  • When the view type is a graph or chart, the table is shown below the chart display area (see Explorer Chart Display).
  • When the view type is set to Table, the table alone is displayed without a graph or chart. In this mode, the table itself can still be exported (see Export Chart or Table) or added to a dashboard (see Add View to Dashboard).
  • The table is not shown when the view type is Matrix.

Notes:
- The number of rows in the results table that accompanies visualizations depends on the Visualization Depth setting and is limited to a maximum of 350, unless the view type is Table, in which case the table may include up to 50,000 rows depending on group-by dimension and metric.
- When displaying results from a compound query (see Compound Queries), multiple tables are used, each on a separate tab corresponding to one axis (left/right) and/or direction (positive/negative).

Table AS Grouping

If at least one AS group exists in your organization (see About AS Groups), the Use AS Groups switch is on in Advanced Query Settings, and a query's group-by dimensions include destination and/or source ASN, then results from all ASes in each AS group will be summed for top-X evaluation, graph plotting, and display in the results table. If a table row represents a group it will include a group icon at the left of the group name; click the icon or name to pop up a list of the ASes in the group.

 

Explorer Table Columns

The left-most columns of the table always correspond to the dimensions selected in the Dimensions pane of the Query sidebar (see Dimension Panes).

The other columns depend on the metrics currently selected in the Metrics Pane with either the drop-down Metrics menu or the Metrics dialog (see Metric Settings). The dialog allows you to customize which columns are shown, but if you don't customize then in most cases the default columns for a given metric will include the following:

  • Average
  • 95th Percentile
  • Max
  • Last Datapoint

Notes:
- The table will include a row (at bottom) for the combined total of all records returned from the query.
- If Historical Overlay is on (see Advanced Query Settings) the table will also include a row for historical values.
- The Last Datapoint column gives the value of the datapoint at the end of the time series represented in the chart/table.

 

Compare Periods

When the Compare over previous period switch is on in the Time Pane, the Data Explorer Table changes to a multi-tab structure used to compare periods ("period over period" comparison). The following tabs are included:

  • Current Period: Contains a top-X table showing traffic data for the time range specified with the Current control in the Time pane.
  • Previous Period: Contains a top-X table showing traffic data for a period specified with the Previous control in the Time pane.
  • Comparison Summary: Contains a top-X table giving comparisons of the traffic during the two periods.

The columns of the table on the Current Period tab and the Previous Period tab are identical. They include all of the columns present when the switch is off, plus the Compare column. When you click a Compare icon in this column, the visualization in the Data Explorer Chart will show only two plots, solid for the Current period and dashed for the Previous period. To restore the full chart you can either click the Compare icon again in the table or click the Restore icon (back-curved arrow) at the upper right of the chart.

In the table on the comparison tab, meanwhile, the only columns in common with the other tabs are the columns for the query's dimensions. The following other columns are unique to this tab:

  • Percentage change: The percentage by which the primary metric value for the current period differs from that of the previous period.
  • Current Average metric: The primary metric value for the current period.
  • Previous Average metric: The primary metric value for the previous period.
 

Explorer Table Actions

A number of actions can be taken in the table to change the display of information in the table and also the corresponding chart (see Data Explorer Chart):

  • Hide/show all: To toggle the visibility of all plots (areas or lines) in the chart, click the colored icon in the headings row of the table. When the plots are hidden every hide/show icon in the table will turn from a disc (filled) to a circle (hollow).
  • Hide/show plot: To toggle the visibility of an individual plot in the chart, click the colored disc at the left of the corresponding row in the table. When a plot is hidden its icon will turn from a disc to a circle. Click the circle to restore display of the corresponding plot in the chart.
  • Mute/solo plot in chart: Choose one of the following from the Action menu at the right of the row:
    - Only display this row: In the chart, show only the plot for this row (solo).
    - Display all rows but this one: In the chart, don't show the plot for this row (mute).
  • Add filter to query: Rerun the existing query with added filters based on this row's values for the query's dimensions (see Row Filter Actions).
  • Add filter and change dimension: Choosing Show by from the Action menu at the right of each table row results in two combined actions:
    - adds an Include filter as described in "Add filter to query" above;
    - opens a Show By Dimension dialog that is identical to the Group By Dimension selector described in Dimension Selectors. The dimensions selected in this dialog will replace the dimensions previously shown in the Dimensions pane of the Query sidebar.
  • Compare over (shown only when the Compare over previous period switch in the Time pane is off): Perform a "period over period" comparison (see Compare Periods) for the traffic data in this table row:
    - Hover over Compare over to open a drop-down from which you can select the period (hour, week, day, or month) with which previous traffic should be compared.
    - The Compare over previous period switch will be turned on in the Time pane.
    - The chart will show a plot for current (solid) and previous (dashed) traffic over the currently specified time range.
    - The table will include Current Period, Previous Period, and Comparison Summary tabs.

Row Filter Actions

The filter actions for an individual row will rerun the existing query but with added filters that are based on the value of this row's dimensions:

  • Include this in a new query: The filter will include matching traffic using either the = or LIKE operator.
  • Exclude this in a new query: The filter will exclude matching traffic using either the <> or NOT LIKE operator.

The operation of the control depends on the number of dimensions in the query:

  • If the query has one dimension, a filter to include/exclude that dimension can be applied directly from the table row's drop-down Actions menu.
  • If the query has multiple dimensions, then when you hover over the include/exclude option in the Action menu a submenu will appear that lists each dimension individually:
    - To apply filters for all of the dimensions, click in the menu.
    - To apply a filter for just one dimension, click on that dimension in the submenu.

Filters added via a row's Actions menu will appear in the Filtering Pane in the Query sidebar.

 

Data Explorer Actions

The Actions menu (in SubNav) provides multiple ways to use query results outside of the Data Explorer module itself (e.g. save to a panel on a Dashboard or share with other Kentik users). These capabilities are covered in the following topics:

Note: Actions related to sharing via link, email, or subscription are accessed via the SubNav’s Share button (see Sharing via the Share Dialog).

 

Export Chart or Table

The Export action on the Actions menu shows the Export submenu, which allows you to export the information represented by the chart and/or table in the display area to an external file (PDF, SVG, or CSV). The available export options are detailed in Portal Export Options.

Note: If Data Explorer is currently displaying the results of a compound query (see Compound Queries), then the Export submenu will list the Chart Data and Legend Data options individually for each of the axes (e.g. positive and negative) of the current chart.

After you choose what to export, you'll see a notification explaining that the file is being prepared. When the file is ready another notification will give a link with which you can download the file.

 

Add to Observation Deck

This action immediately takes you to your Observation Deck, where the visualization displayed in Data Explorer at the time you chose the action will now appear as a widget. To undo, click the kebab menu (vertical ellipsis) at the upper right of the widget, then choose Remove.

 

Create Saved View

Create Saved View opens the Add Saved View dialog (see Saved View Dialogs), which you use to set the properties of a new saved view (see About Saved Views). Once created, a Saved View can be accessed from the Saved Views tab of the Library (Core » Library; see Library).

 

Create Alert Policy

The Create Alert Policy action takes you to the Add Query-based Policy page, where the criteria currently specified in Data Explorer's Query sidebar (dimensions, metrics, filters) will be used as the basis for creating a query-based policy (see Policy Types).

Note: If the settings in Data Explorer at the time you choose the action aren't compatible with the requirements of an alert policy (e.g. no dimensions are selected) then choosing this action will result in display of the Unsupported Alert Policy Settings dialog. Click Cancel to return to the main Data Explorer page.

 

Add View to Dashboard

The Actions menu includes two options that enable you to add the current Explorer view to a panel on a dashboard:

  • Add to New Dashboard: Opens the Add Dashboard dialog (see Add Dashboard from Explorer). Specify settings for the new dashboard, then click the Add Dashboard button. The new dashboard will open and will display the new panel.
  • Add to Existing Dashboard: Opens the Add View Panel dialog (see View Panel Dialog Settings). In the Dashboard pane, choose the existing dashboard to which you want to add the new panel, then click the Add View Panel button. The dashboard will open with the panel that you just added, and a notification will confirm that the new panel was created.
 

Preview as Tenant

This action opens a submenu from which you can choose an MKP tenant, after which the settings of the Data Explorer view are modified to show the view as it would appear to that tenant.

 

Show API Call

The Show API Call action provides access to a set of dialogs that contain code (cURL or JSON) that can be used to return the current view (content of the display area) from the Kentik Query API. The code in these dialogs can be copied and pasted to enable access to Kentik functions programmatically rather than via the portal.

Query API code is accessed via the following dialogs, which each display code in a text field from which it can be copied either manually or using the Copy to Clipboard button:

  • For Chart (cURL): Opens a dialog containing the cURL for returning an image of the Data Explorer's current chart from a CLI such as Terminal. Equivalent to the Query Chart Method of the Kentik Query API.
  • For Data (cURL): Opens a dialog containing the cURL for returning the Data Explorer's current table from a CLI such as Terminal. Equivalent to the Query Data Method of the Kentik Query API.
  • JSON Input: Opens a dialog containing JSON that can be used in the Query Data Method.

When using the cURL, the following placeholders must be replaced with the appropriate information:

  • Replace <YOUR_EMAIL_HERE> with the email address used to register you as a Kentik user.
  • Replace <YOUR_API_TOKEN_HERE> with your API token, which you'll find on your User Profile.
  • If the cURL is for a chart, replace <CHOOSE ONE OF:pdf|png> with the desired file type.
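
One way to fill the three placeholders listed above from environment variables, so the token is never typed into the copied text (an added example, not Kentik's code). The sample template is a constructed stand-in for the dialog's cURL; the function names, the `KENTIK_EMAIL` and `KENTIK_API_TOKEN` variable names, the placeholder host, and the header names in the sample are assumptions.

```shell
#!/bin/sh
# Added example, not Kentik's code: fill the Show API Call placeholders from
# environment variables so the e-mail and token are never typed into the
# saved cURL text.

# Constructed stand-in for text copied from the For Chart (cURL) dialog. The
# host is a placeholder and the file-type placeholder position is assumed.
SAMPLE_CHART_CURL='curl -s -H "X-CH-Auth-Email: <YOUR_EMAIL_HERE>" -H "X-CH-Auth-API-Token: <YOUR_API_TOKEN_HERE>" -d @query.json "https://api.example.invalid/chart?type=<CHOOSE ONE OF:pdf|png>"'

# replace_literal STRING SEARCH REPLACEMENT
# Literal replace-all (no regex), so "|" and "<" in SEARCH need no escaping.
# The body is a subshell, which keeps its variables local.
replace_literal() (
  [ -n "$2" ] || exit 2
  rest=$1
  out=
  while :; do
    case $rest in
      *"$2"*) out=$out${rest%%"$2"*}$3; rest=${rest#*"$2"} ;;
      *) break ;;
    esac
  done
  printf '%s' "$out$rest"
)

# is_safe_value VALUE
# True only for a non-empty value with no character that could close the
# quoting around it once it is pasted into shell text.
is_safe_value() {
  case $1 in
    '' | *[!A-Za-z0-9@._+-]*) return 1 ;;
  esac
  return 0
}

# fill_api_call TEMPLATE [pdf|png]
# Prints the filled command, or exits non-zero without printing anything.
fill_api_call() (
  cmd=$1
  ftype=${2:-}
  for v in "${KENTIK_EMAIL:-}" "${KENTIK_API_TOKEN:-}"; do
    is_safe_value "$v" || { echo "credential unset or unsafe" >&2; exit 2; }
  done
  cmd=$(replace_literal "$cmd" '<YOUR_EMAIL_HERE>' "$KENTIK_EMAIL")
  cmd=$(replace_literal "$cmd" '<YOUR_API_TOKEN_HERE>' "$KENTIK_API_TOKEN")
  case $cmd in
    *'<CHOOSE ONE OF:pdf|png>'*)
      case $ftype in
        pdf | png) cmd=$(replace_literal "$cmd" '<CHOOSE ONE OF:pdf|png>' "$ftype") ;;
        *) echo "chart template: file type must be pdf or png" >&2; exit 3 ;;
      esac ;;
  esac
  # A placeholder spelled differently from the three above stops the run.
  case $cmd in
    *'<YOUR_'* | *'<CHOOSE ONE OF'*) echo "unfilled placeholder" >&2; exit 4 ;;
  esac
  printf '%s\n' "$cmd"
)
```

Save the dialog's text to a file and call `fill_api_call "$(cat chart.curl)" png`; nothing is printed unless every placeholder was filled.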
 

Reset to Default Query

This action sets all settings on the Query sidebar (Visualization, Data Sources, Dimensions, etc.) to their default settings, enabling you to quickly define a different query without individually checking settings in each of the sidebar's panes.
