Siren Platform User Guide

Creating a visualization

  1. Click Visualize in the side navigation.
  2. Click Create new visualization or the + button.
  3. Choose the visualization type. For more information, see Visualization types.
  4. Specify a search query to retrieve the data for your visualization:

    • To enter new search criteria, select the index pattern for the indices that contain the data you want to visualize. This opens the visualization builder with a wildcard query that matches all the documents in the selected indices.
    • To build a visualization from a saved search, click the name of the saved search you want to use. This opens the visualization builder and loads the selected query.


      When you build a visualization from a saved search, any subsequent modifications to the saved search are automatically reflected in the visualization. To switch off automatic updates, you can disconnect a visualization from the saved search.

  5. In the visualization builder, choose the aggregation for the visualization’s y-axis. For more information, see Y-axis aggregations.
  6. For the visualization's x-axis, select a bucket aggregation. For more information, see X-axis aggregations.

For example, if you are indexing Apache server logs, you could build a horizontal bar chart that shows the distribution of incoming requests by geographic location by specifying a terms aggregation on the geo.src field:


The y-axis shows the number of requests received from each country, and the countries are displayed across the x-axis.

Bar, line, or area chart visualizations use metrics for the y-axis and buckets for the x-axis. Buckets are analogous to SQL GROUP BY statements. Pie charts use the metric for the slice size and the bucket for the number of slices.

You can further break down the data by specifying sub aggregations. The first aggregation determines the data set for any subsequent aggregations. Sub aggregations are applied in order—you can drag the aggregations to change the order in which they are applied.

For example, you could add a terms sub aggregation on the geo.dest field to a vertical bar chart to see the locations those requests were targeting.


For more information about working with sub aggregations, see Kibana, Aggregation Execution Order, and You.
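To make the nesting concrete, the following added example (not Siren's or Kibana's own code) builds the Elasticsearch request body that a chain of terms buckets produces, then flattens a constructed response into the rows the spy panel's Table tab shows. The aggregation ids "2", "3", ... imitate the builder's numbering and are an assumption, as is the sample response; the count metric is implicit because every bucket already carries a doc_count.

```python
import json

# Added example, not Siren's or Kibana's code. Aggregation ids and the
# sample response below are constructed for illustration.

def build_terms_request(bucket_fields, size=5):
    """Nest one terms bucket per field, in the order given.

    The first field becomes the outer bucket; each later field is a sub
    aggregation of the previous one, so the top-N of the second field is
    computed separately inside each bucket of the first. Reordering the
    list (dragging in the UI) changes what the inner top-N is computed over.
    """
    body = {"size": 0, "query": {"match_all": {}}, "aggs": {}}
    current = body["aggs"]
    for idx, field in enumerate(bucket_fields):
        agg_id = str(idx + 2)  # builder-style ids, an assumption
        current[agg_id] = {"terms": {"field": field, "size": size,
                                     "order": {"_count": "desc"}}}
        if idx < len(bucket_fields) - 1:  # more fields to nest inside this one
            current[agg_id]["aggs"] = {}
            current = current[agg_id]["aggs"]
    return body


def flatten_buckets(aggregations, agg_ids, prefix=()):
    """Walk nested bucket aggregations and emit one row per innermost bucket:
    (key_1, ..., key_n, doc_count), the shape of the spy panel's Table tab."""
    rows = []
    head, *rest = agg_ids
    for bucket in aggregations[head]["buckets"]:
        keys = prefix + (bucket["key"],)
        if rest:
            rows.extend(flatten_buckets(bucket, rest, keys))
        else:
            rows.append(keys + (bucket["doc_count"],))
    return rows


# Constructed response shaped like what Elasticsearch returns for
# terms(geo.src) -> terms(geo.dest); not real traffic data.
SAMPLE_RESPONSE = {
    "hits": {"total": 1000},
    "aggregations": {"2": {"buckets": [
        {"key": "US", "doc_count": 600,
         "3": {"buckets": [{"key": "CN", "doc_count": 300},
                           {"key": "IN", "doc_count": 200}]}},
        {"key": "CN", "doc_count": 250,
         "3": {"buckets": [{"key": "US", "doc_count": 250}]}},
    ]}},
}


def child_counts_bounded(aggregations, outer_id, inner_id):
    """The property the text describes: a sub aggregation only sees the
    documents of its parent bucket, so its counts never exceed the parent's
    doc_count."""
    return all(
        sum(b["doc_count"] for b in parent[inner_id]["buckets"]) <= parent["doc_count"]
        for parent in aggregations[outer_id]["buckets"]
    )


if __name__ == "__main__":
    print(json.dumps(build_terms_request(["geo.src", "geo.dest"]), indent=2))
    for row in flatten_buckets(SAMPLE_RESPONSE["aggregations"], ["2", "3"]):
        print(row)
```

Swapping the order of the fields passed to build_terms_request swaps the nesting, which is exactly what dragging the aggregations in the builder does: the inner top-N is then computed per geo.dest bucket instead of per geo.src bucket, so the two charts can show different countries.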

Visualization types
Table 4. Siren visualizations

Siren Box Plot

Display data in an x/y chart using upper and lower percentiles.

Bubble Diagram

Show data and parent/child relationships as bubbles.

Enhanced Search Results

Show the documents matched by a query on an Elasticsearch index with enhanced features.

Graph browser

Display Elasticsearch documents as nodes and Siren Investigate relations as links of a graph.


A visualization in which you can switch between other visualizations at will.

Query Viewer

Display the results from multiple queries on external datasources using query templates.

Scatter Plot

Show data in an x/y graph as scattered points.

Table 5. Siren relational visualizations

Relational Filter

(Deprecated) Configure the relational buttons to navigate between dashboards.

Relational Navigator

Provide navigation between relationally connected dashboards.

Automatic Relational Filter

Automatically build the relations between index patterns and entities and generate relational filter buttons.

Table 6. Basic chart visualizations

Line, Area and Bar charts

Compare different series in X/Y charts.

Heat maps

Shade cells within a matrix.

Pie chart

Display each source’s contribution to a total.

Table 7. Data visualizations

Data table

Display the raw data of a composed aggregation.


Display a single number.

Goal and Gauge

Display a gauge.

Table 8. Map visualizations

Coordinate map

Associate the results of an aggregation with geographic locations.

Region map

Thematic maps where a shape’s color intensity corresponds to a metric’s value.

Table 9. Time series visualizations


Compute and combine data from multiple time series data sets.

Time Series Visual Builder

Visualize time series data using pipeline aggregations.

Table 10. Other visualizations

Tag cloud

Display words as a cloud in which the size of each word corresponds to its importance.

Markdown widget

Display free-form information or instructions.

Y-axis aggregations
Metric aggregations
Count
The count aggregation returns a raw count of the elements in the selected index pattern.
Average
The average aggregation returns the average of a numeric field. Select a field from the box.
Sum
The sum aggregation returns the total sum of a numeric field. Select a field from the box.
Min
The min aggregation returns the minimum value of a numeric field. Select a field from the box.
Max
The max aggregation returns the maximum value of a numeric field. Select a field from the box.
Standard Deviation
The extended stats aggregation returns the standard deviation of data in a numeric field. Select a field from the box.
Unique Count
The cardinality aggregation returns the number of unique values in a field. Select a field from the box. Elasticsearch computes cardinality approximately (HyperLogLog++), so on high-cardinality fields the number is an estimate, not an exact count.
Median
The median aggregation returns the 50th percentile of a numeric field. Select a field from the box.
Percentiles
The percentiles aggregation divides the values in a numeric field into the percentile bands that you specify. Select a field from the box, then specify one or more percentiles in the Percentiles fields. Click the X to remove a percentile field. Click + Add to add a percentile field.
Percentile Rank
The percentile ranks aggregation returns the percentile rankings for the values in the numeric field you specify. Select a numeric field from the box, then specify one or more values in the Values fields. Click the X to remove a values field. Click + Add to add a values field.
Top Hit
The top hit aggregation returns the value of a field from the top-ranked document (or documents) in each bucket, according to the sort order you choose. Select a field from the box.
Geo Centroid
The geo centroid aggregation returns the centroid of a geo_point field, that is the weighted average of all the coordinates in each bucket. Select a field from the box.
Parent pipeline aggregations

For each of the parent pipeline aggregations you have to define the metric for which the aggregation is calculated. That could be one of your existing metrics or a new one. You can also nest these aggregations, for example to produce a third derivative.

Derivative
The derivative aggregation calculates the derivative of the specified metric, that is the change in its value from one bucket to the next.
Cumulative Sum
The cumulative sum aggregation calculates the running total of a specified metric across the buckets of a parent histogram.
Moving Average
The moving average aggregation slides a window across the buckets and reports the average value of the metric within that window.
Serial Diff
Serial differencing is a technique in which each value in a time series has the value from a fixed number of buckets earlier (the lag, or period) subtracted from it.
Sibling pipeline aggregations

Just like with parent pipeline aggregations, you need to provide a metric for which to calculate the sibling aggregation. You also need to provide a bucket aggregation, which defines the buckets over which the sibling aggregation runs.

Average Bucket
The avg bucket aggregation calculates the (mean) average value of a specified metric across the buckets of a sibling aggregation.
Sum Bucket
The sum bucket aggregation calculates the sum of the values of a specified metric across the buckets of a sibling aggregation.
Min Bucket
The min bucket aggregation calculates the minimum value of a specified metric across the buckets of a sibling aggregation.
Max Bucket
The max bucket aggregation calculates the maximum value of a specified metric across the buckets of a sibling aggregation.
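The following added example (not Siren's, Kibana's or Elasticsearch's code) is a reference implementation of what the parent and sibling pipeline aggregations above compute over the buckets of a date histogram. Elasticsearch does this server side; the point here is to see the semantics, including where a value is undefined (the first bucket of a derivative) and how nesting produces a third derivative. The hourly buckets and their metric "1" are constructed; the moving average uses a plain window that includes the current bucket, which is assumed to match the "simple" model.

```python
# Added example, not Siren's or Elasticsearch's code. Bucket data below is
# constructed: an hourly date histogram whose metric "1" could be sum(bytes).
BUCKETS = [
    {"key_as_string": "2019-01-01T00:00:00Z", "doc_count": 4, "1": {"value": 100}},
    {"key_as_string": "2019-01-01T01:00:00Z", "doc_count": 6, "1": {"value": 150}},
    {"key_as_string": "2019-01-01T02:00:00Z", "doc_count": 5, "1": {"value": 120}},
    {"key_as_string": "2019-01-01T03:00:00Z", "doc_count": 8, "1": {"value": 200}},
    {"key_as_string": "2019-01-01T04:00:00Z", "doc_count": 9, "1": {"value": 260}},
    {"key_as_string": "2019-01-01T05:00:00Z", "doc_count": 7, "1": {"value": 210}},
]


def metric_values(buckets, metric_id):
    """The metric the pipeline aggregation is calculated for, one value per bucket."""
    return [b[metric_id]["value"] for b in buckets]


# Parent pipeline aggregations: one output value per bucket. None marks a
# bucket where the value is undefined (nothing precedes the first bucket).

def derivative(values):
    return [None] + [b - a for a, b in zip(values, values[1:])]


def cumulative_sum(values):
    out, total = [], 0
    for v in values:
        total += v
        out.append(total)
    return out


def moving_average(values, window=3):
    # Average of the current bucket and the previous window-1 buckets;
    # fewer at the start of the series while the window is still filling.
    out = []
    for i in range(len(values)):
        win = values[max(0, i - window + 1):i + 1]
        out.append(sum(win) / len(win))
    return out


def serial_diff(values, lag=1):
    return [None if i < lag else values[i] - values[i - lag]
            for i in range(len(values))]


def nth_derivative(values, order):
    """Nesting: a third derivative is the derivative applied three times.
    Each pass drops the leading undefined bucket before differencing again."""
    for _ in range(order):
        values = derivative(values)[1:]
    return values


# Sibling pipeline aggregations: a single value computed across all buckets
# of the sibling bucket aggregation.
SIBLING = {
    "avg_bucket": lambda v: sum(v) / len(v),
    "sum_bucket": sum,
    "min_bucket": min,
    "max_bucket": max,
}


def sibling_bucket_stat(values, name):
    return SIBLING[name](values)


if __name__ == "__main__":
    vals = metric_values(BUCKETS, "1")
    print("derivative    ", derivative(vals))
    print("cumulative_sum", cumulative_sum(vals))
    print("moving_avg(3) ", moving_average(vals, 3))
    print("serial_diff(2)", serial_diff(vals, 2))
    print("3rd derivative", nth_derivative(vals, 3))
    print("max_bucket    ", sibling_bucket_stat(vals, "max_bucket"))
```

A parent pipeline aggregation produces a value per bucket and so plots as a second series on the same x-axis; a sibling one produces a single number for the whole histogram, which is why the builder asks for a bucket aggregation as well as a metric.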
X-axis aggregations
Date Histogram
A date histogram is built from a date field and organized by date. You can specify a time frame for the intervals in seconds, minutes, hours, days, weeks, months, or years. You can also specify a custom interval frame by selecting Custom as the interval and specifying a number and a time unit in the text field. Custom interval time units are s for seconds, m for minutes, h for hours, d for days, w for weeks, and y for years. Different units support different levels of precision, down to one second. Intervals are labeled at the start of the interval, using the date key returned by Elasticsearch. For example, the tool tip for a monthly interval will show the first day of the month.
Histogram
A standard histogram is built from a numeric field. Specify an integer interval for this field. Select the Show empty buckets check box to include empty intervals in the histogram.
Range
With a range aggregation, you can specify ranges of values for a numeric field. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range. A range includes its lower endpoint and excludes its upper one, so a value equal to the upper endpoint falls into the next range rather than being counted twice.
Date Range
A date range aggregation reports values that are within a range of dates that you specify. You can specify the ranges for the dates using date math expressions. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range.
IPv4 Range
The IPv4 range aggregation enables you to specify ranges of IPv4 addresses. Click Add Range to add a set of range endpoints. Click the red (x) symbol to remove a range.
Terms
A terms aggregation enables you to specify the top or bottom n elements of a given field to display, ordered by count or a custom metric.
Filters
You can specify a set of filters for the data. You can specify a filter as a query string or in JSON format, just as in the Discover search bar. Click Add Filter to add another filter. Click the label button (tag icon) to open the label field, where you can type in a name to display on the visualization.
Significant Terms
Displays the results of the experimental significant terms aggregation. The value of the Size parameter defines the number of entries this aggregation returns.
Geohash
The geohash aggregation displays points based on the geohash coordinates.
External query terms filter
A Siren Investigate bucket aggregation that defines one or more buckets of documents whose value in a field (typically a primary key) matches the results of an external query. You can define several such buckets, each backed by a different query; see the query menu in the configuration for details. The visualization then displays the results of the external query terms filter aggregation.
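The endpoint rule for the Range and IPv4 Range aggregations is the one that most often surprises people reading a chart, so here is an added example (not Siren's or Elasticsearch's code) that buckets constructed values the same way: the lower endpoint is inclusive, the upper endpoint is exclusive, and for IPv4 a range can be given either as from/to addresses or as a CIDR mask. The sample response sizes and addresses are made up.

```python
import ipaddress

# Added example, not Siren's or Elasticsearch's code. Sample values are
# constructed to show the inclusive/exclusive endpoint behaviour.


def _bucket_key(lo, hi):
    return f"{'*' if lo is None else lo}-{'*' if hi is None else hi}"


def range_buckets(values, ranges):
    """Numeric range aggregation. Each range is a dict with optional
    'from' (inclusive) and/or 'to' (exclusive). A value equal to 'to'
    falls out of that bucket and into a neighbour starting at that value,
    so adjacent ranges never double count."""
    out = []
    for r in ranges:
        lo, hi = r.get("from"), r.get("to")
        n = sum(1 for v in values
                if (lo is None or v >= lo) and (hi is None or v < hi))
        out.append({"key": _bucket_key(lo, hi), "doc_count": n})
    return out


def ipv4_range_buckets(addresses, ranges):
    """IPv4 range aggregation. A range is either {'from', 'to'} (same
    inclusive/exclusive rule, comparing addresses numerically) or a CIDR
    {'mask': '10.0.0.0/24'}, which matches every address in that network."""
    addrs = [ipaddress.IPv4Address(a) for a in addresses]
    out = []
    for r in ranges:
        if "mask" in r:
            net = ipaddress.IPv4Network(r["mask"], strict=False)
            n = sum(1 for a in addrs if a in net)
            key = r["mask"]
        else:
            lo = ipaddress.IPv4Address(r["from"]) if "from" in r else None
            hi = ipaddress.IPv4Address(r["to"]) if "to" in r else None
            n = sum(1 for a in addrs
                    if (lo is None or a >= lo) and (hi is None or a < hi))
            key = _bucket_key(r.get("from"), r.get("to"))
        out.append({"key": key, "doc_count": n})
    return out


# Constructed sample data.
RESPONSE_SIZES = [120, 512, 1024, 1024, 4096, 70000]
SIZE_RANGES = [{"to": 1024}, {"from": 1024, "to": 4096}, {"from": 4096}]

CLIENT_IPS = ["10.0.0.5", "10.0.0.127", "10.0.0.128",
              "10.0.0.200", "192.168.1.1", "203.0.113.9"]
IP_RANGES = [
    {"from": "10.0.0.0", "to": "10.0.0.128"},  # 10.0.0.128 itself is excluded
    {"mask": "10.0.0.0/24"},
    {"mask": "192.168.0.0/16"},
    {"from": "203.0.113.0"},                   # open-ended upper bound
]

if __name__ == "__main__":
    for b in range_buckets(RESPONSE_SIZES, SIZE_RANGES):
        print(b)
    for b in ipv4_range_buckets(CLIENT_IPS, IP_RANGES):
        print(b)
```

Note that the 1024-byte responses land in the 1024-4096 bucket, not the first one, and that 10.0.0.128 is counted by the /24 mask but not by the 10.0.0.0 to 10.0.0.128 range; when you define ranges in the builder, chain them so that each range's "to" is the next range's "from".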
Customizing aggregations

Enter a string in the Custom Label field to change the display label.

You can customize the colors of your visualization by clicking the color dot next to each label to display the color picker.


You can click the Advanced link to display more customization options for your metrics or bucket aggregation:

Exclude Pattern
Specify a pattern in this field to exclude from the results.
Include Pattern
Specify a pattern in this field to include in the results.
JSON Input
A text field where you can add specific JSON-formatted properties to merge with the aggregation definition, as in the following example:
{"script" : "doc['grade'].value * 1.2"}


The script in this example runs on the Elasticsearch cluster, not in the browser. In Elasticsearch 1.4.3 and later it requires dynamic (inline) scripting to be enabled on the cluster; Groovy was the scripting language at the time this note was written, and later releases replaced it with Painless. Because whatever you type in JSON Input is sent to the cluster as part of the search request, enabling inline scripting means that anyone who can edit a visualization can run scripts on your data nodes. Leave it disabled unless you need it.

The availability of these options varies depending on the aggregation you choose.
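The added example below (not Siren's or Kibana's code) shows what the three Advanced options do to a terms aggregation before the request leaves the browser: include and exclude patterns are added as parameters, and JSON Input is merged over the generated definition. The merge is written here as a recursive dictionary merge, an assumption about how the builder combines the two; the pattern matching uses Python's re as a stand-in for Elasticsearch's own regular expression dialect. It also includes the check an operator would want: whether the resulting definition contains a script at all, since that is what decides whether cluster-side scripting settings matter.

```python
import json
import re

# Added example, not Siren's or Kibana's code. The merge strategy and the
# use of Python regular expressions are assumptions for illustration.


def deep_merge(base, extra):
    """Recursive merge: keys in `extra` override or extend `base`."""
    merged = dict(base)
    for k, v in extra.items():
        if isinstance(v, dict) and isinstance(merged.get(k), dict):
            merged[k] = deep_merge(merged[k], v)
        else:
            merged[k] = v
    return merged


def apply_advanced_options(agg_def, include=None, exclude=None, json_input=None):
    """agg_def is the generated definition, e.g. {"terms": {...}}.
    Returns the definition the request will actually carry."""
    agg_type, params = next(iter(agg_def.items()))
    params = dict(params)
    if include:
        params["include"] = include
    if exclude:
        params["exclude"] = exclude
    if json_input:
        params = deep_merge(params, json.loads(json_input))
    return {agg_type: params}


def uses_scripting(node):
    """True if a 'script' key appears anywhere in the definition. Script text
    typed into JSON Input is sent to the cluster and executes there, so whether
    it runs is decided by the cluster's scripting settings, not by the UI."""
    if isinstance(node, dict):
        return any(k == "script" or uses_scripting(v) for k, v in node.items())
    if isinstance(node, list):
        return any(uses_scripting(v) for v in node)
    return False


def filter_terms(keys, include=None, exclude=None):
    """Local illustration of include/exclude on term keys: a key survives if
    it fully matches the include pattern (when set) and does not fully match
    the exclude pattern (when set). Elasticsearch applies the same whole-term
    matching, in its own regex syntax."""
    kept = []
    for k in keys:
        if include and not re.fullmatch(include, k):
            continue
        if exclude and re.fullmatch(exclude, k):
            continue
        kept.append(k)
    return kept


if __name__ == "__main__":
    generated = {"terms": {"field": "geo.src", "size": 5}}
    final = apply_advanced_options(
        generated, exclude="US|CN",
        json_input='{"script": "doc[\'grade\'].value * 1.2", "size": 10}')
    print(json.dumps(final, indent=2))
    print("needs scripting:", uses_scripting(final))
    print(filter_terms(["US", "CN", "IN", "DE"], exclude="US|CN"))
```

Because JSON Input is merged last, it can override anything the builder generated (size, order, field), not only add a script; treat it as free-form request editing by the user rather than as a cosmetic option when deciding who gets edit rights on visualizations.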

Visualization Spy

To display the raw data behind the visualization, click the Spy Open button (the upward chevron) in the bottom left corner of the container. The visualization spy panel opens.

Use the select input at the top of the spy panel to choose which view of the underlying data to display:

Table. A representation of the underlying data, presented as a paginated data grid. You can sort the items in the table by clicking the table headers at the top of each column.

Request. The raw request used to query the server, presented in JSON format.

Response. The raw response from the server, presented in JSON format.

Statistics. A summary of the statistics related to the request and the response, presented as a data grid. The data grid includes the query duration, the request duration, the total number of records found on the server, and the index pattern used to make the query.

Debug. The visualization saved state presented in JSON format.

To export the raw data behind the visualization as a comma-separated-values (CSV) file, click either the Raw or Formatted links at the bottom of the detailed information tabs. A raw export contains the data as it is stored in Elasticsearch. A formatted export contains the results of any applicable field formatters.
