Hi Chris,
To view a context, you can use the command "xsDisplayContext". In the example you have above, you would run this search command:
| xsDisplayContext 'count_by_signature_1h' in 'ids_attacks' by 'xy signature'
This uses the standard charting that comes with Splunk.
If you'd like to see this using d3, there are a set of dashboards that come with Extreme Search, but that may be turned off by default. That chart provides a better visual experience. To access these dashboards, go to the Extreme Search app, then select the "Conceptual Search" menu, then "Contexts". One of your choices is "Display Context". When accessing this dashboard, you select SA-NetworkProtection as the scope. The rest of the dropdowns will populate correctly and you should be able to view your context(s). Note that there should be a class for each signature (values of the signature field) as well as the "Default Class".
If this dashboard is not visible, you can change this by removing the 'isDashboard="false"' entry in the view. That can be done by editing the dashboard via the UI or the .xml file on disk. The dashboards can be found in $SPLUNK_HOME/etc/apps/Splunk_SA_ExtremeSearch/default/data/ui/views. If you modify these on the disk, make sure you "refresh" using the url https://servername:8000/debug/refresh or just restart Splunk.
You are correct in that the Information message from xsWhere means that the class does not yet exist. When this occurs, xsWhere uses the Default class for any event with a value of signature that doesn't have an associated Context.
To view the list of contexts (by class) that exist, run the following search command:
| xsListContexts FROM count_by_signature_1h IN ids_attacks | sort Class
We are working on a new app (to be called XSV, which stands for XS Visualization) that provides a powerful life-cycle view of Containers, Contexts, Classes and Concepts. That should be released soon on Splunkbase. Once it's available I will update this answer.
Please let me know if you have any other questions. I'm happy to help.
Regards,
Mike