...

Info

Which data do I need to generate my report?

Because this is a time series report, your query must have a time-based grouping with no grouping keys for the option to be enabled. It also needs a numeric column to feed the report. Transform your data as required to include such a column (for example, through an aggregation operation):

from siem.logtrust.web.activity
group every 5m
every 5m
select count() as count

In contrast, the following query does not meet the requirements for a time series report, because its grouping is not time-based:

from siem.logtrust.web.activity
group
select count() as count

If you do not have a numeric column, you will see a warning in the time series report window.

...

The report starts by analyzing the period length of the series and then performs time series decomposition. The goal is to help users define alert thresholds in order to enable anomaly detection, which can be done using the code chunks included in the report annex.

First, decide the time range you want to consider using the time range selector. Then click the gear icon (options menu) in the search window toolbar and select Tools → Time series report.

...

After setting the required options, click Generate report. If the Load all events toggle is on, the option is not available until all the events have been loaded. Once the report is displayed, you can select Open in new tab to read it in a new browser tab.

...

If you do not have a numeric column, the time series report option will be greyed-out.

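The decomposition step described above (estimate the period, split the series into trend, seasonal and remainder, then derive alert thresholds from the remainder) as an added, self-contained Python illustration. This is not Devo's report code or its annex chunks; the 5-minute count series, the one-hour cycle and the injected spike are constructed for the example.

```python
"""Additive decomposition of an evenly spaced count series, with anomaly
thresholds derived from the remainder. Added illustration, not Devo's code."""
from statistics import mean, pstdev

# Constructed input: six hours of 5-minute event counts with a one-hour
# cycle (12 buckets) and an injected spike in bucket 40.
BASE_CYCLE = [10, 12, 15, 20, 25, 30, 30, 25, 20, 15, 12, 10]
SAMPLE_COUNTS = BASE_CYCLE * 6
SAMPLE_COUNTS[40] += 100


def estimate_period(values, max_lag=None):
    """Return the lag (>= 2) with the highest autocorrelation."""
    n = len(values)
    max_lag = max_lag or n // 2
    m = mean(values)
    c = [v - m for v in values]
    denom = sum(x * x for x in c) or 1.0
    scores = {lag: sum(c[i] * c[i + lag] for i in range(n - lag)) / denom
              for lag in range(2, max_lag + 1)}
    return max(scores, key=scores.get)


def decompose(values, period):
    """Trend: moving average over roughly one period (window truncated at the
    edges); seasonal: mean detrended value per phase; remainder: the rest."""
    n, half = len(values), period // 2
    trend = [mean(values[max(0, i - half):i + half + 1]) for i in range(n)]
    detrended = [v - t for v, t in zip(values, trend)]
    by_phase = [mean(detrended[p::period]) for p in range(period)]
    seasonal = [by_phase[i % period] for i in range(n)]
    remainder = [d - s for d, s in zip(detrended, seasonal)]
    return trend, seasonal, remainder


def remainder_thresholds(remainder, k=3.0):
    """Alert band: remainder mean +/- k standard deviations."""
    m, s = mean(remainder), pstdev(remainder)
    return m - k * s, m + k * s


def find_anomalies(values, k=3.0):
    """Return (estimated period, indices whose remainder leaves the band)."""
    period = estimate_period(values)
    _, _, remainder = decompose(values, period)
    lo, hi = remainder_thresholds(remainder, k)
    return period, [i for i, r in enumerate(remainder) if r < lo or r > hi]


if __name__ == "__main__":
    print(find_anomalies(SAMPLE_COUNTS))  # expected: (12, [40])
```

The band returned by remainder_thresholds is the kind of value you would carry into an alert definition; widen or narrow k to trade false positives against missed spikes.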