Time series report
- Juan Tomás Alonso Nieto (Deactivated)
After accessing a data table and querying the required data, users can generate a time series report based on a numeric field associated with an event date field. The report is intended to describe the evolution of a variable through time and extract key information about it so that users can make informed decisions about the data.
Which data do I need to generate my report?
As this is a time series report, you must have a time-based grouping with no keys to enable this option. However, you also need a numeric column in your query to generate your report. You must transform your data as required to include a numeric column that will be used to feed the report (for example, through an aggregation operation):
from siem.logtrust.web.activity
group every 5m
every 5m
select count() as count
Whereas the following query does not meet the requirements for a time series report, as the grouping is non-time based:
from siem.logtrust.web.activity
group
select count() as count
If you do not have a numeric column, you will see a warning in the time series report window.
Â
The report starts by analyzing the period length of the series and then performs time series decomposition. The goal is to help users define alert thresholds in order to enable anomaly detection, which can be done using the code chunks included in the report annex.
First, you must decide the time range you want to consider using the time range selector. Then, click the gear icon in the search window toolbar and select Tools → Time series report.
Â
These are the fields you must fill in to generate the report:
Eventdate column | Select the column that contains the event dates you want to use to associate with the chosen variable. The eventdate column present in every data table is added by default, but you can select any other column containing event dates. |
|---|---|
Additional column | Select the column whose values you want to analyze. The column selected must contain numeric values (integer or float data type). In order to generate a complete report, including the annex with the code chunks to define alerts, note that the values in this field must be periodic. |
Load all events | Turn on this toggle to load all the events in the selected time range. Loading all your query events is recommended to avoid unexpected results in the report. Note that this option is the same that appears in the event loading indicator of the search window toolbar, so enabling it in one place will also enable it in the other. Learn more here. |
After setting the required options, click Generate report. If you turn on the Load all events toggle, the option won't be available until all the events are loaded. Once the report is displayed, you can select Open in new tab to read it in a new browser tab.
Â