Re: Highlight data points on timechart

POR160893 · ‎04-19-2023

Hi,

I have the following query to detect outliers in eps:
index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| eval isOutlier=if(Eps > UpperBound OR Eps < LowerBound, "true", "false")
| where isOutlier="true"

However, I need the output to be just 1 trend line, representing Time, with outliers represented as red dots at the time of occurence.

Currently, I am receiving all these unnecessary ;ine with no red dots representing outliers:

Can you please help?

Many thanks!

POR160893 · ‎04-20-2023

@richgalloway @ITWhisperer, have either of you any help or advice on how I can alter this query to have a single timechart trend line of time with only outlier points mark red to be shown on the outputted chart?

Many thanks for your help!

ITWhisperer · ‎04-20-2023

Have you consider the Outlier Chart viz?

index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| table _time Eps LowerBound UpperBound

You may be able to change the colour of the outliers with CSS (or give your stakeholder some rose-tinted glasses so everything appears to be red!) 😀

somesoni2 · ‎04-19-2023

Give this a try

index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| eval Outlier_Eps=if(Eps > UpperBound OR Eps < LowerBound, Eps, null())
| table _time Outlier_Eps

POR160893 · ‎04-19-2023

Hi,

This did not work as I need a continuous line representing Time with ONLY outliers represented as points on this line and these Outlier points must be red. That is what the stakeholder has requested.

Your query gave a discontinuous line with blue dots for Outliers:

Can you please help?

How to highlight data points on timechart?

chart

dashboard

other

panel

timechart

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases