Hi,

I have the following query to detect outliers in eps:

index=_internal sourcetype=splunkd component=metrics group=per_source_thruput series="*syslog-ng*" host=*hf*
| eval hfgroup=substr(host, 0, 5), eps=eps/2, NodeName=UPPER(mvindex(split(host, "."), 0))
| lookup Cybersecurity_Infrastructure NodeName OUTPUT NodeID
| bucket _time span=1h
| timechart span=1h sum(eps) as Eps
| eval HourOfDay=strftime(_time, "%H")
| eval BucketMinuteOfHour=strftime(_time, "%M")
| eval DayOfWeek=strftime(_time, "%A")
| streamstats avg(Eps) as avg stdev(Eps) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek
| eval AbsDev = abs(Eps - avg)
| streamstats avg(AbsDev) as MAD stdev(AbsDev) as MADStdev by HourOfDay, BucketMinuteOfHour, DayOfWeek
| eval UpperBound = avg + (3 * MAD)
| eval LowerBound = avg - (3 * MAD)
| eval isOutlier=if(Eps > UpperBound OR Eps < LowerBound, "true", "false")
| where isOutlier="true"

However, I need the output to be just 1 trend line, representing Time, with outliers represented as red dots at the time of occurrence. Currently, I am receiving all these unnecessary lines with no red dots representing outliers.

Can you please help? Many thanks!
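The detection logic in the query above, reimplemented in Python as an added example (this is not code from the post or from Splunk). It replays the post-timechart part of the pipeline on constructed hourly eps values: a running average per (DayOfWeek, HourOfDay) as `streamstats` computes it (the current row included), `AbsDev = |Eps - avg|`, a running mean of `AbsDev` as the "MAD", and bounds of `avg ± 3 * MAD`. The sample series, the four-week window, the two injected anomalies and the `OutlierEps` output field are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the post): hourly eps sums for one
# hypothetical syslog-ng forwarder over four weeks starting on a Monday,
# with a daytime/night-time and weekday/weekend pattern, a small
# deterministic wobble, and two injected anomalies in the fourth week.
def make_sample():
    start = datetime(2024, 1, 1)  # a Monday
    rows = []
    for i in range(24 * 28):
        t = start + timedelta(hours=i)
        base = 800 if 8 <= t.hour < 18 else 300
        if t.weekday() >= 5:         # Saturday/Sunday
            base //= 2
        wobble = (i * 37) % 41 - 20  # deterministic noise in [-20, 20]
        rows.append({"_time": t, "Eps": float(base + wobble)})
    rows[24 * 23 + 10]["Eps"] = 5000.0  # Wednesday, week 4, 10:00: burst
    rows[24 * 26 + 3]["Eps"] = 0.0      # Saturday, week 4, 03:00: feed went silent
    return rows


def flag_outliers(rows, k=3.0):
    """Replicate the SPL pipeline after timechart: streamstats running avg
    per (DayOfWeek, HourOfDay), AbsDev = |Eps - avg|, running MAD =
    avg(AbsDev) by the same key, bounds = avg +/- k * MAD.

    As with streamstats, the running statistics include the current row.
    """
    eps_acc = defaultdict(lambda: [0.0, 0])  # key -> [sum(Eps), n]
    dev_acc = defaultdict(lambda: [0.0, 0])  # key -> [sum(AbsDev), n]
    out = []
    for r in rows:
        key = (r["_time"].strftime("%A"), r["_time"].strftime("%H"))
        acc = eps_acc[key]
        acc[0] += r["Eps"]
        acc[1] += 1
        avg = acc[0] / acc[1]
        abs_dev = abs(r["Eps"] - avg)
        dacc = dev_acc[key]
        dacc[0] += abs_dev
        dacc[1] += 1
        mad = dacc[0] / dacc[1]
        upper, lower = avg + k * mad, avg - k * mad
        is_outlier = r["Eps"] > upper or r["Eps"] < lower
        out.append({
            "_time": r["_time"],
            "Eps": r["Eps"],        # the single trend line
            "UpperBound": upper,
            "LowerBound": lower,
            "isOutlier": is_outlier,
            # A second series that is empty except at outliers: this is the
            # shape a chart needs to draw the trend line once and the
            # outliers as isolated markers on top of it.
            "OutlierEps": r["Eps"] if is_outlier else None,
        })
    return out


def outlier_times(flagged):
    """Timestamps of the rows flagged as outliers, in order."""
    return [r["_time"] for r in flagged if r["isOutlier"]]


if __name__ == "__main__":
    flagged = flag_outliers(make_sample())
    for r in flagged:
        if r["isOutlier"]:
            print(r["_time"], r["Eps"], "bounds",
                  round(r["LowerBound"], 1), round(r["UpperBound"], 1))
```

Two things the replay makes visible. First, because the running statistics include the current row, an anomaly drags its own baseline and bounds toward itself; the algebra works out so that the first three occurrences of any (day, hour) slot can never be flagged, and the injected burst and outage are only caught because three earlier weeks of that slot exist. Second, every numeric field carried along (`avg`, `stdev`, `AbsDev`, `MAD`, `MADStdev`, `UpperBound`, `LowerBound`) becomes its own line if the whole result set is charted; keeping only `Eps` plus a field that is null except at outliers (here `OutlierEps`) is what leaves one trend line with markers. Note also that the query's "MAD" is a mean, not a median, absolute deviation, so a single large spike inflates it.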