Alert Type Proportion in Detection Sources

Show the relative proportion of different alert types within each detection source.

Bar Chart type: multiple series - 100% stacked bars.

Sample input data. Here is example input data for this scenario:

{"timestamp": "2025-08-11T00:01:23Z", "detection_source": "EDR", "alert_type": "Process", "host": "host1"}
{"timestamp": "2025-08-11T00:01:24Z", "detection_source": "Firewall", "alert_type": "Network", "host": "host2"}
{"timestamp": "2025-08-11T00:01:25Z", "detection_source": "EDR", "alert_type": "File", "host": "host3"}
{"timestamp": "2025-08-11T00:01:26Z", "detection_source": "Firewall", "alert_type": "Network", "host": "host4"}
{"timestamp": "2025-08-11T00:01:27Z", "detection_source": "EDR", "alert_type": "Process", "host": "host5"}

Query. To create this bar chart, use the following query:

logscale

groupBy([detection_source, alert_type], function=count())
| calculate(
    field=percentage,
    expr="(_count / total) * 100",
    groupBy=[detection_source]
)

This query performs the following operations:

Groups events by two fields: detection_source and alert_type.
Counts events for each unique combination
Creates a new field called percentage
Through the percentage field, calculates what percentage each alert type represents within its detection source (divides the count of each group by the total count for that detection source and multiply by 100).

The chart is useful for showing what percentage of alerts from each detection source are of each alert type.

Data Analysis Overview

LogScale Web Interface

Manage Repositories and Views

Manage Account

Parse Data

Search Data

Write Queries

Query Language Syntax

Query Joins and Lookups

Query Functions

Data Visualization

Dashboards

Widgets

Automation

Template Language

Keyboard Shortcuts

Alert Type Proportion in Detection Sources

Other articles on this topic

Similar Content

Training

Enter search term