Anomaly chart

Applies to: ✅ Azure Data ExplorerAzure MonitorMicrosoft Sentinel

The anomaly chart visualization is similar to a timechart, but highlights anomalies using the series_decompose_anomalies function.

Note

This visualization can only be used in the context of the render operator.

Syntax

T | render anomalychart [with ( propertyName = propertyValue [, ...])]

Learn more about syntax conventions.

Parameters

Name Type Required Description
T string ✔️ Input table name.
propertyName, propertyValue string A comma-separated list of key-value property pairs. See supported properties.

Supported properties

All properties are optional.

PropertyName PropertyValue
accumulate Whether the value of each measure gets added to all its predecessors. (true or false)
legend Whether to display a legend or not (visible or hidden).
series Comma-delimited list of columns whose combined per-record values define the series that record belongs to.
ymin The minimum value to be displayed on Y-axis.
ymax The maximum value to be displayed on Y-axis.
title The title of the visualization (of type string).
xaxis How to scale the x-axis (linear or log).
xcolumn Which column in the result is used for the x-axis.
xtitle The title of the x-axis (of type string).
yaxis How to scale the y-axis (linear or log).
ycolumns Comma-delimited list of columns that consist of the values provided per value of the x column.
ysplit How to split multiple the visualization. For more information, see Multiple y-axes.
ytitle The title of the y-axis (of type string).
anomalycolumns Comma-delimited list of columns, which will be considered as anomaly series and displayed as points on the chart

ysplit property

This visualization supports splitting into multiple y-axis values. The supported values of this property are:

ysplit Description
none A single y-axis is displayed for all series data. (Default)
axes A single chart is displayed with multiple y-axes (one per series).
panels One chart is rendered for each ycolumn value (up to some limit).

Example

let min_t = datetime(2017-01-05);
let max_t = datetime(2017-02-03 22:00);
let dt = 2h;
demo_make_series2
| make-series num=avg(num) on TimeStamp from min_t to max_t step dt by sid 
| where sid == 'TS1'   //  select a single time series for a cleaner visualization
| extend (anomalies, score, baseline) = series_decompose_anomalies(num, 1.5, -1, 'linefit')
| render anomalychart with(anomalycolumns=anomalies, title='Web app. traffic of a month, anomalies') //use "| render anomalychart with anomalycolumns=anomalies" to render the anomalies as bold points on the series charts.

Screenshot of anomaly chart output.