Splunk Search

Understanding outlier command + drawing the line where it does the removal of points

HattrickNZ
Motivator

This is my search to recreate the data I am working on:

| makeresults 
  | eval data = "
2019-01-01  98.0;
2019-01-02  98.2;
2019-01-03  98.5;
2019-01-04  98.4;
2019-01-05  98.4;
2019-01-06  98.4;
2019-01-07  98.5;
2019-01-08  98.4;
2019-01-09  98.4;
2019-01-10  98.7;
2019-01-11  98.4;
2019-01-12  98.1;
2019-01-13  98.2;
2019-01-14  98.3;
2019-01-15  98.3;
2019-01-16  98.4;
2019-01-17  98.4;
2019-01-18  98.0;
2019-01-19  97.7;
2019-01-20  98.3;
2019-01-21  98.3;
2019-01-22  98.3;
2019-01-23  98.4;
2019-01-24  98.3;
2019-01-25  98.4;
2019-01-26  98.1;
2019-01-27  98.0;
2019-01-28  98.4;
2019-01-29  98.4;
2019-01-30  98.7;
2019-01-31  98.4;
   " 
  | makemv delim=";" data 
  | mvexpand data
  | rex field=data "(?<Date>\d+-\d+-\d+)\s+(?<kpi1>\d+(\.\d+)?)" 
  | fields + Date kpi1 | fields - _time
  | search kpi1=* 
  | rename Date as _time

If I add | outlier action=remove uselower=true the value on 19th Jan will be removed.

What I am trying to understand is why it is removed. Ideally I would like to see the maths behind it, and hopefully that will explain it to me. I have raised a similar/related question here. What I would like to do is be able to draw the line on the graph where the cutoff point is.
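The fence the command is drawing, as an added worked example (this is not from the original post or from Splunk itself): the outlier command's documented rule is that a value is an outlier when it lies more than param times the IQR beyond the quartiles, with param defaulting to 2.5 and the lower side only checked when uselower=true. Which quartile interpolation Splunk uses internally is not documented, so the method chosen here is an assumption.

```python
from statistics import quantiles

# The same 31 daily kpi1 readings as the makeresults search above.
KPI1 = {
    "2019-01-01": 98.0, "2019-01-02": 98.2, "2019-01-03": 98.5, "2019-01-04": 98.4,
    "2019-01-05": 98.4, "2019-01-06": 98.4, "2019-01-07": 98.5, "2019-01-08": 98.4,
    "2019-01-09": 98.4, "2019-01-10": 98.7, "2019-01-11": 98.4, "2019-01-12": 98.1,
    "2019-01-13": 98.2, "2019-01-14": 98.3, "2019-01-15": 98.3, "2019-01-16": 98.4,
    "2019-01-17": 98.4, "2019-01-18": 98.0, "2019-01-19": 97.7, "2019-01-20": 98.3,
    "2019-01-21": 98.3, "2019-01-22": 98.3, "2019-01-23": 98.4, "2019-01-24": 98.3,
    "2019-01-25": 98.4, "2019-01-26": 98.1, "2019-01-27": 98.0, "2019-01-28": 98.4,
    "2019-01-29": 98.4, "2019-01-30": 98.7, "2019-01-31": 98.4,
}


def iqr_fences(values, param=2.5, method="inclusive"):
    """Return (q1, q3, lower_fence, upper_fence) for the IQR rule.

    IQR = Q3 - Q1, lower = Q1 - param*IQR, upper = Q3 + param*IQR.
    `method` is how the quartiles are interpolated ('inclusive' matches
    numpy's default linear interpolation, 'exclusive' the (n+1)p rank).
    Assumption: Splunk does not state which one outlier uses internally.
    """
    q1, _median, q3 = quantiles(values, n=4, method=method)
    iqr = q3 - q1
    return q1, q3, q1 - param * iqr, q3 + param * iqr


def outliers(series, param=2.5, uselower=False, method="inclusive"):
    """Return the keys whose value falls outside the fence.

    Mirrors the command's switch: without uselower=true only values above
    the upper fence count; the lower fence is applied only when it is set.
    """
    _q1, _q3, lower, upper = iqr_fences(list(series.values()), param, method)
    return [k for k, v in series.items() if v > upper or (uselower and v < lower)]


if __name__ == "__main__":
    q1, q3, lower, upper = iqr_fences(list(KPI1.values()))
    print(f"Q1={q1:.3f} Q3={q3:.3f} lower={lower:.3f} upper={upper:.3f}")
    print("removed with uselower=true:", outliers(KPI1, uselower=True))
```

With linear interpolation Q1 = 98.25 and Q3 = 98.4, so the lower fence is 97.875 and the 19 Jan value (97.7) is the only point below it; with the (n+1)p rank Q1 becomes 98.2 and the fence lands exactly on 97.7, which is why the interpolation method matters when drawing the cutoff line on the chart.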
