Dashboards & Graphs

Dashboards & Graphs

RunReveal’s dashboard system enables you to create custom visualizations of your security data using SQL queries against your ClickHouse tables. Build dashboards that surface critical insights and track key metrics in real-time.

Getting Started: Navigate to Dashboards → Graphs to create your first visualization, or go directly to Dashboards → Create Layout to build a complete dashboard.

Dashboard Overview

Dashboard Components

Your RunReveal dashboards consist of three hierarchical components:

  1. Graphs — Individual visualizations powered by SQL queries.
  2. Panels — Containers that hold and size your graphs.
  3. Dashboard Layouts — The overall arrangement of panels.

Available Visualization Types

Time-Based Visualizations

Line Chart

  • Best for continuous trends over time
  • Shows changes in metrics like event rates, response times
  • Supports multiple data series

Area Chart

  • Renders as a filled line for volume trends
  • Useful for cumulative or stacked metrics over time

Column Chart

  • Perfect for time-bucketed data
  • Compares values across time periods
  • Supports stacking for multi-series data
-- Example: Events over time (best practice time bounds)
SELECT
  toStartOfInterval(receivedAt, INTERVAL {interval:Int64} SECOND) AS time_bucket,
  count() AS event_count
FROM runreveal.logs
WHERE receivedAt BETWEEN {from:DateTime} AND {to:DateTime}
GROUP BY time_bucket
ORDER BY time_bucket

Creating Graphs

Dashboard Layout Editor

1) Navigate to Graph Creation

Go to Dashboards → Graphs → Create Graph or click the edit layout button on an existing dashboard.

2) Write Your SQL Query

Use RunReveal’s query parameters for dynamic time ranges:

SELECT
  toStartOfInterval(receivedAt, INTERVAL {interval:Int64} SECOND) AS time_bucket,
  count() AS events,
  sourceType
FROM runreveal.logs
WHERE receivedAt BETWEEN {from:DateTime} AND {to:DateTime}
GROUP BY time_bucket, sourceType
ORDER BY time_bucket

Available Parameters

  • {from:DateTime} — Start time from the time picker
  • {to:DateTime} — End time from the time picker (inclusive)
  • {interval:Int64} — Time interval in seconds (auto-calculated)

3) Configure Visualization

  • Chart Type: Select from supported types (Line, Column, Area, Bar, Pie, KPI; Scatter optional).
  • X Axis Column: Choose your X-axis data column.
  • Y Axis Column: Choose your Y-axis data column.
  • Stack Column: (Optional) Column for data stacking.
  • Axis Titles: Add descriptive labels.

4) Test and Save

Click Run Query to preview your visualization, adjust as needed, then save with a descriptive name.

Creating Dashboards

Graph Editor

1) Create Dashboard Layout

Navigate to Dashboards → Create Layout and provide a Dashboard Name.

2) Add Panels

Click Add Panel to create visualization containers. Choose from panel sizes:

  • xs — Extra small
  • sm — Small
  • md — Medium
  • lg — Large
  • xl — Extra large

3) Assign Graphs to Panels

  • Select existing graphs from the dropdown.
  • Or create new graphs directly in the panel editor.
  • Configure panel-specific settings.

4) Arrange and Save

Panels automatically arrange in a responsive grid. Save your dashboard when complete.

Stacking Options

Control how multi-series data is displayed:

Stack TypeDescriptionUse Case
Default/NoneSeries rendered independentlyCompare absolute values
StackedSeries add on top of each otherSee cumulative totals
Stacked 100%Normalized to 100%Compare proportions over time

Stacking is supported for: Bar/Column, Area, and Line charts.

Query Examples

Here are practical examples of common dashboard visualizations with complete SQL queries and configuration details.

Average Bytes Per Event

Stat Card

Monitor data processing efficiency with a key performance indicator. This query calculates the average bytes per event processed by your pipeline, helping you track data volume trends and optimize processing. Stat cards are perfect for KPIs because they display a single, important metric prominently on your dashboard.

Average Bytes Per Event

SQL Query

SELECT
toStartOfInterval(timestamp, INTERVAL 15 MINUTE) as time_bucket,
sum(CASE WHEN series = 'pipeline_entered_bytes' THEN value ELSE 0 END) /
sum(CASE WHEN series = 'pipeline_entered' THEN value ELSE 0 END) as avg_bytes_per_event
FROM external_metrics
WHERE timestamp >= {from:DateTime}
AND timestamp <= {to:DateTime}
AND series IN ('pipeline_entered', 'pipeline_entered_bytes')
GROUP BY time_bucket
HAVING sum(CASE WHEN series = 'pipeline_entered' THEN value ELSE 0 END) > 0
ORDER BY time_bucket ASC;

Configuration

Chart TypeStat Card
X Axistime_bucket
Y Axisavg_bytes_per_event
Stack TypeDefault

Top 10 IPs Per Hour

Column Chart

Identify the most active IP addresses in your network traffic. This query uses window functions to rank IPs by activity within each hour, then filters to show only the top 10. Column charts with stacking are ideal for this because they show both the total volume and the relative contribution of each IP address over time.

Top 10 IPs Per Hour

SQL Query

SELECT
srcIP,
c,
t
FROM (
SELECT
srcIP,
count() as c,
toStartOfHour(receivedAt) as t,
row_number() OVER (
PARTITION BY toStartOfHour(receivedAt)
ORDER BY count() DESC
) as rn
FROM logs
WHERE receivedAt BETWEEN {from:DateTime} AND {to:DateTime}
GROUP BY t, srcIP
) ranked
WHERE rn <= 10
ORDER BY t, c DESC;

Configuration

Chart TypeColumn Chart
X Axist
Y Axisc
Stack TypeStacked
Stack BysrcIP

Top Events Today

Bar Chart

Get a quick overview of the most frequent events in your system over the last 24 hours. This query uses CTEs to first filter recent events, then group and rank them by frequency. Bar charts are perfect for this type of categorical comparison because they make it easy to compare values across different event types and see the relative frequency at a glance.

Top Events Today

SQL Query

WITH "__subquery0" AS (
SELECT * FROM "logs"
WHERE "receivedAt" > minus(CURRENT_TIMESTAMP(), toIntervalDay(1))
),
"__subquery1" AS (
SELECT "sourceType" AS "sourceType",
 "eventName" AS "eventName",
 count() AS "c"
FROM "__subquery0"
GROUP BY "sourceType", "eventName"
),
"__subquery2" AS (
SELECT * FROM "__subquery1"
ORDER BY "c" DESC NULLS LAST
LIMIT 10
)
SELECT *,
'barchart' as "render_type",
'stacked' as "render_prop_kind"
FROM "__subquery2";

Configuration

Chart TypeBar Chart
X AxissourceType
Y Axisc
Stack TypeStacked
Stack ByeventName

Top GCP Events

Column Chart

Track the most frequent Google Cloud Platform events over time to monitor API usage patterns and identify peak activity periods. This query groups events by time buckets and event names, making it easy to see both temporal trends and the relative frequency of different GCP operations. Column charts with stacking are ideal here because they show both the total event volume and the breakdown by event type over time.

Top GCP Events

SQL Query

SELECT
toStartOfInterval(receivedAt, INTERVAL {interval:Int64} SECOND) as time_bucket,
eventName,
COUNT(*) as event_count
FROM gcp_logs
WHERE receivedAt > {from:DateTime}
AND receivedAt <= {to:DateTime}
GROUP BY time_bucket, eventName
ORDER BY time_bucket ASC, eventName;

Configuration

Chart TypeColumn Chart
X Axistime_bucket
Y Axisevent_count
X Axis TitleTime Bucket
Y Axis TitleEvent Count
Stack TypeStacked
Stack ByeventName

Creating Graphs with AI Chat

RunReveal’s AI chat makes it easy to create custom graphs using plain English. Simply describe what you want to see and the AI will generate the SQL query and configuration for you.

Template

Use this template to create graphs with natural language:

Create a graph showing event volumes for [SOURCE_NAME] using datetime and interval best practices. 

Specifically, I want to see:
- Event volumes grouped by [FIELD_TO_GROUP_BY]
- Time range: [TIME_RANGE]
- Time interval: [INTERVAL]
- Visualization type: [GRAPH_TYPE]

[Optional: Additional filters]

Example

Here’s a real example you can try:

Create a graph for okta_logs showing event counts by eventType over the last 7 days using hourly intervals as a line chart.

The AI will generate the appropriate SQL query with proper time filtering, grouping, and visualization configuration automatically.

Best Practices

Query Optimization

  1. Always use time filters — Leverage {from:DateTime} and {to:DateTime} with BETWEEN or >=/<= operators.
  2. Limit result sets — Add LIMIT for top‑N queries.
  3. Use efficient aggregations — Prefer ClickHouse‑optimized functions:
    • toStartOfInterval() for time bucketing
    • countIf() for conditional counting
    • sumIf() for conditional sums

Time Intervals

RunReveal automatically calculates appropriate intervals based on your time range:

-- Let RunReveal handle interval sizing
toStartOfInterval(receivedAt, INTERVAL {interval:Int64} SECOND)
 
-- Or use fixed intervals for consistency
toStartOfHour(receivedAt)   -- Hourly buckets
toStartOfDay(receivedAt)    -- Daily buckets
toStartOfWeek(receivedAt)   -- Weekly buckets

Live Features

Real-Time Updates

  • Graphs refresh automatically based on your time picker settings.
  • Live data updates without manual refresh.
  • Consistent data across all panels in a dashboard.

Interactivity

  • Hover tooltips — See detailed values on hover.
  • Time range selection — Integrated with global time picker.
  • Responsive design — Adapts to different screen sizes.
Jupyter NotebooksReference