Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to highlight data points on timechart?

POR160893
Builder
‎04-19-2023 06:06 AM

Hi,

I have the following query to detect outliers in eps:
index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| eval isOutlier=if(Eps > UpperBound OR Eps < LowerBound, "true", "false")
| where isOutlier="true"


However, I need the output to be just 1 trend line, representing Time, with outliers represented as red dots at the time of occurence.

Currently, I am receiving all these unnecessary ;ine with no red dots representing outliers:


Can you please help?


Many thanks!

Labels (4)
Labels
Tags (1)
0 Karma
Reply

POR160893
Builder
‎04-20-2023 12:59 AM

@richgalloway @ITWhisperer, have either of you any help or advice on how I can alter this query to have a single timechart trend line of time with only outlier points mark red to be shown on the outputted chart?


Many thanks for your help!

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-20-2023 01:58 AM

Have you consider the Outlier Chart viz?

index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| table _time Eps LowerBound UpperBound

You may be able to change the colour of the outliers with CSS (or give your stakeholder some rose-tinted glasses so everything appears to be red!) 😀

0 Karma
Reply

somesoni2
Revered Legend
‎04-19-2023 06:49 AM

Give this a try

index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| eval Outlier_Eps=if(Eps > UpperBound OR Eps < LowerBound, Eps, null())
| table _time Outlier_Eps
Reply

POR160893
Builder
‎04-19-2023 07:12 AM

Hi,

This did not work as I need a continuous line representing Time with ONLY outliers represented as points on this line and these Outlier points must be red. That is what the stakeholder has requested.

Your query gave a discontinuous line with blue dots for Outliers:

POR160893_0-1681913542954.png



Can you please help?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...