How to add an MLTK Visualization to a Splunk dashboard?


I would like to add an outliers chart from the Machine Learning visualizations to my Splunk dashboard. The visualization itself is not available in Dashboard Studio, and I can't find any documentation for it. Running my query in the search tab works fine because it detects what visualization I want to use automatically.

My query:

index=xxx sourceServiceName="xxx" cn1="xxx"
| bucket _time span=1h
| stats count by _time 
| sort - count 
| eventstats median("count") as median  
| eval absDev=(abs('count'-median)) 
| eventstats median(absDev) as medianAbsDev  
| eval lowerBound=(median-medianAbsDev*exact(8)), upperBound=(median+medianAbsDev*exact(8)) 
| eval isOutlier=if('count' < lowerBound OR 'count' > upperBound, 1, 0)  
| fields _time, "count", lowerBound, upperBound, isOutlier, *

I tried replacing fields with "table" but that wouldn't fix it. Any help is appreciated.

0 Karma


Use classic SimpleXML dashboards or wait until Studio catches up - you could be waiting for some time though

0 Karma


I would also like to try that, but I can't find the name of the outliers chart to use for the SimpleXML.

0 Karma


Try this

<viz type="Splunk_ML_Toolkit.OutliersViz">
0 Karma


I think this could work. I'm not used to working with the XML editor for dashboards.
Any idea why this would fail to spit out the results?

<dashboard version="1.1">
        <query>index=xxx sourceServiceName="xxx" cn1="xxx" | bucket _time span=1h | stats count by _time | sort - count | eventstats median("count") as median | eval absDev=(abs('count' -median)) | eventstats median(absDev) as medianAbsDev | eval lowerBound=(median-medianAbsDev*exact(8)), upperBound=(median+medianAbsDev*exact(8)) | eval isOutlier=if('count' &lt; lowerBound OR 'count' &gt; upperBound, 1, 0) | fields _time, "count", lowerBound, upperBound, isOutlier, *
      <viz type="Splunk_ML_Toolkit.OutliersViz"></viz>
0 Karma
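
A complete Simple XML dashboard built around the `<viz type="Splunk_ML_Toolkit.OutliersViz">` element suggested above, with the search nested inside the visualization and the visualization inside a row and panel. This is an added example, not part of the original thread; the label, panel title and time range are assumptions, and it assumes the Machine Learning Toolkit app is installed and its visualizations are shared with the app that hosts the dashboard.

```xml
<dashboard version="1.1">
  <!-- Label, title and time range below are assumed values for illustration -->
  <label>Hourly event count outliers</label>
  <row>
    <panel>
      <title>Event count per hour, median +/- 8 x median absolute deviation</title>
      <!-- Custom visualizations are referenced as <app name>.<visualization name> -->
      <viz type="Splunk_ML_Toolkit.OutliersViz">
        <!-- The search is a child of the viz element, not a sibling of it -->
        <search>
          <!-- CDATA lets the < and > comparisons stay unescaped -->
          <query><![CDATA[
index=xxx sourceServiceName="xxx" cn1="xxx"
| bucket _time span=1h
| stats count by _time
| sort - count
| eventstats median("count") as median
| eval absDev=(abs('count'-median))
| eventstats median(absDev) as medianAbsDev
| eval lowerBound=(median-medianAbsDev*exact(8)), upperBound=(median+medianAbsDev*exact(8))
| eval isOutlier=if('count' < lowerBound OR 'count' > upperBound, 1, 0)
| fields _time, "count", lowerBound, upperBound, isOutlier, *
          ]]></query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
      </viz>
    </panel>
  </row>
</dashboard>
```

Without CDATA, the comparison operators in the query have to be written as `&lt;` and `&gt;`, as in the snippet posted above.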