Dashboards & Visualizations

How to add an MLTK Visualization to a Splunk dashboard?

sebastien07
Engager

I would like to add an Outliers chart from the Machine Learning visualizations to my Splunk dashboard. The visualization itself is not available in Dashboard Studio, and I can't find any documentation for it. Running my query in the search tab works fine because it automatically detects which visualization I want to use.

My query:

index=xxx sourceServiceName="xxx" cn1="xxx"
| bucket _time span=1h
| stats count by _time 
| sort - count 
| eventstats median("count") as median  
| eval absDev=(abs('count'-median)) 
| eventstats median(absDev) as medianAbsDev  
| eval lowerBound=(median-medianAbsDev*exact(8)), upperBound=(median+medianAbsDev*exact(8)) 
| eval isOutlier=if('count' < lowerBound OR 'count' > upperBound, 1, 0)  
| fields _time, "count", lowerBound, upperBound, isOutlier, *

I tried replacing fields with "table", but that wouldn't fix it. Any help is appreciated.

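The SPL in the question is a median/MAD outlier rule: every hourly count is compared against median ± 8 × median absolute deviation, computed over the whole search window. The following is an added example, not part of the thread and not Splunk or MLTK code, that re-implements that chain in plain Python on constructed hourly counts (`SAMPLE_COUNTS`, standing in for the rows `stats count by _time` would produce) so the bounds and the isOutlier flag the visualization consumes can be inspected directly. The function names and the sample data are assumptions made here.

```python
"""Re-implementation, in plain Python, of the median/MAD outlier logic in the
SPL query above. Added example for illustration, not Splunk or MLTK code:
SAMPLE_COUNTS is constructed data, one integer per hourly bucket."""
from statistics import median
from typing import Dict, List, Tuple

# Constructed hourly request counts: a steady baseline near 100/h, one
# spike (a scraping or brute-force burst) and one near-zero hour.
SAMPLE_COUNTS: List[int] = [
    98, 102, 97, 105, 100, 99, 103, 101, 96, 104, 100, 98,
    640,  # hour 12: spike
    2,    # hour 13: traffic almost vanished
    102, 99, 101, 97, 103, 100, 98, 102, 100, 99,
]


def mad_bounds(counts: List[int], multiplier: float = 8.0) -> Tuple[float, float, float, float]:
    """Mirror the eventstats/eval chain from the query:
    median(count) -> absDev -> median(absDev) -> lower/upper bounds.
    `multiplier` is the exact(8) factor in the SPL."""
    med = float(median(counts))
    abs_dev = [abs(c - med) for c in counts]
    mad = float(median(abs_dev))
    return med, mad, med - mad * multiplier, med + mad * multiplier


def flag_outliers(counts: List[int], multiplier: float = 8.0) -> List[Dict[str, float]]:
    """One row per bucket with the fields the query hands to the Outliers
    visualization: count, lowerBound, upperBound, isOutlier. As with
    eventstats, the bounds are computed over the whole window and are
    therefore identical on every row."""
    _, _, lower, upper = mad_bounds(counts, multiplier)
    return [
        {
            "hour": hour,
            "count": c,
            "lowerBound": lower,
            "upperBound": upper,
            "isOutlier": 1 if (c < lower or c > upper) else 0,
        }
        for hour, c in enumerate(counts)
    ]


def outlier_hours(counts: List[int], multiplier: float = 8.0) -> List[int]:
    """Bucket indexes the rule flags, for a quick look at threshold sensitivity."""
    return [row["hour"] for row in flag_outliers(counts, multiplier) if row["isOutlier"]]


if __name__ == "__main__":
    med, mad, lower, upper = mad_bounds(SAMPLE_COUNTS)
    print(f"median={med} MAD={mad} bounds=[{lower}, {upper}]")
    for row in flag_outliers(SAMPLE_COUNTS):
        if row["isOutlier"]:
            print(f"hour {row['hour']:2d}: count={row['count']} flagged")
```

On this data the median is 100 and the MAD is 2, so the multiplier of 8 gives bounds of 84 and 116 and only the spike and the near-zero hour are flagged; dropping the multiplier to 2 narrows the band to 96..116 and also flags the ordinary 105 hour, which is the trade-off being tuned with exact(8). One caveat for anyone using this rule as a detection: `stats count by _time` produces no row for an hour with zero events, so a complete outage or logging failure never appears as a low outlier; `timechart span=1h count` fills the missing buckets with 0 and would surface it.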
1 Solution

ITWhisperer
SplunkTrust

Try this

<viz type="Splunk_ML_Toolkit.OutliersViz">

ITWhisperer
SplunkTrust

Use classic SimpleXML dashboards or wait until Studio catches up - you could be waiting for some time though

sebastien07
Engager

I would also like to try that, but I can't find the name of the Outliers chart to use in SimpleXML.

sebastien07
Engager

I think this could work. I'm not used to working with the XML editor for dashboards.
Any idea why this would fail to spit out the results?

<dashboard version="1.1">
  <label>test-webtraffic</label>
  <row>
    <panel>
      <!-- <viz> is a panel-level element in SimpleXML, like <chart>: it must be a
           direct child of <panel> and hold the <search> itself, not sit inside a <chart>. -->
      <viz type="Splunk_ML_Toolkit.OutliersViz">
        <search>
          <query>index=xxx sourceServiceName="xxx" cn1="xxx" | bucket _time span=1h | stats count by _time | sort - count | eventstats median("count") as median | eval absDev=(abs('count'-median)) | eventstats median(absDev) as medianAbsDev | eval lowerBound=(median-medianAbsDev*exact(8)), upperBound=(median+medianAbsDev*exact(8)) | eval isOutlier=if('count' &lt; lowerBound OR 'count' &gt; upperBound, 1, 0) | fields _time, "count", lowerBound, upperBound, isOutlier, *</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </viz>
    </panel>
  </row>
</dashboard>
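The dashboard posted above nests the MLTK `<viz>` inside a `<chart>` and puts the `<chart>` straight under `<row>`, whereas SimpleXML expects `<row>` to contain `<panel>` elements and a visualization element, `<viz type="...">` included, to be a direct child of `<panel>` with its own `<search>`. As an added example for this thread (not Splunk's validator), the following Python lint encodes those two layout rules and runs them over two constructed inputs: `BROKEN_XML`, which reproduces the posted layout with a shortened query, and `FIXED_XML`, the corrected layout. The function name, the messages and both XML strings are assumptions made here.

```python
"""Structural lint for a SimpleXML dashboard. Added example, not Splunk's
validator. It encodes two SimpleXML layout rules: <row> may only contain
<panel>, and a visualization element (including the MLTK <viz type="...">
element) must be a direct child of <panel> and carry its own <search>.
BROKEN_XML and FIXED_XML are constructed inputs."""
import xml.etree.ElementTree as ET
from typing import List

# Visualization elements SimpleXML allows directly under <panel>.
VIZ_TAGS = {"chart", "table", "single", "map", "event", "html", "viz"}

# Layout from the thread: <viz> nested in <chart>, <chart> straight under <row>.
BROKEN_XML = """<dashboard version="1.1">
  <label>test-webtraffic</label>
  <row>
    <chart>
      <search>
        <query>index=xxx | bucket _time span=1h | stats count by _time</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <viz type="Splunk_ML_Toolkit.OutliersViz"></viz>
    </chart>
  </row>
</dashboard>"""

# Corrected layout: <viz> replaces <chart> and owns the <search>.
FIXED_XML = """<dashboard version="1.1">
  <label>test-webtraffic</label>
  <row>
    <panel>
      <viz type="Splunk_ML_Toolkit.OutliersViz">
        <search>
          <query>index=xxx | bucket _time span=1h | stats count by _time</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </viz>
    </panel>
  </row>
</dashboard>"""


def lint_simplexml(xml_text: str) -> List[str]:
    """Return the structural problems found; an empty list means none."""
    # ET.fromstring raises ParseError on malformed XML, e.g. an unescaped < in a <query>.
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    problems: List[str] = []

    if root.tag not in ("dashboard", "form"):
        problems.append(f"root is <{root.tag}>, expected <dashboard> or <form>")

    for row in root.iter("row"):
        for child in row:
            if child.tag != "panel":
                problems.append(f"<{child.tag}> sits directly under <row>; wrap it in <panel>")

    for elem in root.iter():
        if elem.tag not in VIZ_TAGS:
            continue
        parent = parent_of.get(elem)
        # A row-level mistake was already reported above; report other wrong parents here.
        if parent is not None and parent.tag not in ("panel", "row"):
            problems.append(
                f"<{elem.tag}> is nested inside <{parent.tag}>; it must be a direct child of <panel>"
            )
        if elem.tag == "viz" and not elem.get("type"):
            problems.append("<viz> has no type attribute")
        if elem.tag != "html" and elem.find("search") is None:
            problems.append(f"<{elem.tag}> has no <search> child")
    return problems


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        print(name, lint_simplexml(text) or "OK")
```

Run against the posted layout the lint reports three problems (the `<chart>` directly under `<row>`, the `<viz>` nested inside `<chart>`, and the `<viz>` having no `<search>` of its own), and none against the corrected one. It only checks element placement; whether the search actually returns the `lowerBound`, `upperBound` and `isOutlier` fields the Outliers visualization needs is still something to confirm in the search tab.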