Anomaly chart
Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
The anomaly chart visualization is similar to a timechart, but highlights anomalies using the series_decompose_anomalies function.
Note
This visualization can only be used in the context of the render operator.
Syntax
T |
render
anomalychart
[with
(
propertyName =
propertyValue [,
...])
]
Learn more about syntax conventions.
Parameters
Name | Type | Required | Description |
---|---|---|---|
T | string |
✔️ | Input table name. |
propertyName, propertyValue | string |
A comma-separated list of key-value property pairs. See supported properties. |
Supported properties
All properties are optional.
PropertyName | PropertyValue |
---|---|
accumulate |
Whether the value of each measure gets added to all its predecessors. (true or false ) |
legend |
Whether to display a legend or not (visible or hidden ). |
series |
Comma-delimited list of columns whose combined per-record values define the series that record belongs to. |
ymin |
The minimum value to be displayed on Y-axis. |
ymax |
The maximum value to be displayed on Y-axis. |
title |
The title of the visualization (of type string ). |
xaxis |
How to scale the x-axis (linear or log ). |
xcolumn |
Which column in the result is used for the x-axis. |
xtitle |
The title of the x-axis (of type string ). |
yaxis |
How to scale the y-axis (linear or log ). |
ycolumns |
Comma-delimited list of columns that consist of the values provided per value of the x column. |
ysplit |
How to split multiple the visualization. For more information, see Multiple y-axes. |
ytitle |
The title of the y-axis (of type string ). |
anomalycolumns |
Comma-delimited list of columns, which will be considered as anomaly series and displayed as points on the chart |
ysplit
property
This visualization supports splitting into multiple y-axis values. The supported values of this property are:
ysplit |
Description |
---|---|
none |
A single y-axis is displayed for all series data. (Default) |
axes |
A single chart is displayed with multiple y-axes (one per series). |
panels |
One chart is rendered for each ycolumn value (up to some limit). |
Example
let min_t = datetime(2017-01-05);
let max_t = datetime(2017-02-03 22:00);
let dt = 2h;
demo_make_series2
| make-series num=avg(num) on TimeStamp from min_t to max_t step dt by sid
| where sid == 'TS1' // select a single time series for a cleaner visualization
| extend (anomalies, score, baseline) = series_decompose_anomalies(num, 1.5, -1, 'linefit')
| render anomalychart with(anomalycolumns=anomalies, title='Web app. traffic of a month, anomalies') //use "| render anomalychart with anomalycolumns=anomalies" to render the anomalies as bold points on the series charts.