topic Re: Highlight data points on timechart in Dashboards & Visualizations

How to highlight data points on timechart?

POR160893 — Thu, 20 Apr 2023 17:05:02 GMT

Hi,

I have the following query to detect outliers in eps:
index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| eval isOutlier=if(Eps > UpperBound OR Eps < LowerBound, "true", "false")
| where isOutlier="true"

However, I need the output to be just 1 trend line, representing Time, with outliers represented as red dots at the time of occurence.

Currently, I am receiving all these unnecessary ;ine with no red dots representing outliers:

Can you please help?

Many thanks!

Re: Highlight data points on timechart

somesoni2 — Wed, 19 Apr 2023 13:49:03 GMT

Give this a try

index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf* | eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0)) | lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID | bucket _time span=1h | timechart span=1h sum(eps) as Eps | eval HourOfDay=strftime(_time, "%H") | eval BucketMinuteOfHour=strftime(_time, "%M") | eval DayOfWeek=strftime(_time, "%A") | streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek | eval AbsDev = abs(Eps - avg) | streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek | eval UpperBound = avg + (3 * MAD) | eval LowerBound = avg - (3 * MAD) | eval Outlier_Eps=if(Eps > UpperBound OR Eps < LowerBound, Eps, null()) | table _time Outlier_Eps

Re: Highlight data points on timechart

POR160893 — Wed, 19 Apr 2023 14:12:31 GMT

Hi,

This did not work as I need a continuous line representing Time with ONLY outliers represented as points on this line and these Outlier points must be red. That is what the stakeholder has requested.

Your query gave a discontinuous line with blue dots for Outliers:

Can you please help?

Re: Highlight data points on timechart

POR160893 — Thu, 20 Apr 2023 07:59:56 GMT

@richgalloway @ITWhisperer, have either of you any help or advice on how I can alter this query to have a single timechart trend line of time with only outlier points mark red to be shown on the outputted chart?

Many thanks for your help!

Re: Highlight data points on timechart

ITWhisperer — Thu, 20 Apr 2023 08:58:11 GMT

Have you consider the Outlier Chart viz?

You may be able to change the colour of the outliers with CSS (or give your stakeholder some rose-tinted glasses so everything appears to be red!) 😀