Detection Counts with Severity Average

Display detection counts as bars, with option to show the hourly moving average of detection severity.

Bar Chart type: Line Overlay chart.

Sample input data:

detection_id   severity_score   timestamp               type
det1           8                2025-08-11T00:01:23Z    malware
det2           5                2025-08-11T00:01:24Z    suspicious
det3           9                2025-08-11T00:01:25Z    ransomware
det4           6                2025-08-11T00:01:26Z    suspicious
det5           7                2025-08-11T00:01:27Z    malware

Query:

detection_id=* severity_score=*
| dateBucket:=formatTime("%Y-%m-%dT%H:%M", field=@timestamp)
| groupBy(dateBucket, function=[
    count(as="Hourly Detections"),
    avg(severity_score, as="Hourly Avg Severity"),
    min(severity_score, as="Min Severity"),
    max(severity_score, as="Max Severity")
  ], limit=max)
| sort(dateBucket, order=asc, limit=10000)
| slidingWindow(avg("Hourly Avg Severity"), events=60)

Query breakdown:

  1. Filter for detection events that carry a severity score (both detection_id and severity_score must be present)

  2. Create time buckets from @timestamp; the format string "%Y-%m-%dT%H:%M" truncates each timestamp to the minute, and sixty such buckets make up the hourly window used in step 5

  3. Group by bucket with several aggregations at once: count of detections, and the average, minimum and maximum severity score

  4. Sort chronologically (required, because slidingWindow() processes rows in the order it receives them)

  5. Calculate the moving average of the bucket averages over the last 60 buckets, which gives the hourly severity trend

The chart is useful for showing both detection volume and severity trend.
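To make the query's steps concrete, here is an added reference re-implementation of the same pipeline in Python (not LogScale code and not part of the original page). The events are constructed from the page's sample rows plus two later ones; the window is assumed to cover the last N rows including the current one, and because groupBy() emits no row for an empty minute, the window counts populated buckets rather than wall-clock minutes.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample events: (detection_id, severity_score, timestamp).
# det6/det7 are added so the sliding window has more than one bucket;
# note that minute 00:02 has no detections at all.
EVENTS = [
    ("det1", 8, "2025-08-11T00:01:23Z"),
    ("det2", 5, "2025-08-11T00:01:24Z"),
    ("det3", 9, "2025-08-11T00:01:25Z"),
    ("det4", 6, "2025-08-11T00:01:26Z"),
    ("det5", 7, "2025-08-11T00:01:27Z"),
    ("det6", 2, "2025-08-11T00:03:10Z"),
    ("det7", 4, "2025-08-11T00:04:05Z"),
]


def bucket_stats(events):
    """Steps 1-4: formatTime("%Y-%m-%dT%H:%M") bucketing, groupBy with
    count/avg/min/max, and an ascending sort on the bucket key."""
    buckets = defaultdict(list)
    for _detection_id, score, ts in events:
        if score is None:            # detection_id=* severity_score=* filter
            continue
        buckets[ts[:16]].append(score)   # "2025-08-11T00:01:23Z" -> "2025-08-11T00:01"
    return [
        {
            "dateBucket": bucket,
            "Hourly Detections": len(scores),
            "Hourly Avg Severity": mean(scores),
            "Min Severity": min(scores),
            "Max Severity": max(scores),
        }
        for bucket, scores in sorted(buckets.items())   # sort(dateBucket, order=asc)
    ]


def sliding_avg(rows, field="Hourly Avg Severity", events=60):
    """Step 5: slidingWindow(avg(field), events=N) over already-sorted rows.
    Assumed semantics: the window is the current row plus the N-1 before it,
    so early rows average over fewer than N buckets. Result goes to _avg."""
    out = []
    for i, row in enumerate(rows):
        window = [r[field] for r in rows[max(0, i - events + 1): i + 1]]
        out.append({**row, "_avg": mean(window)})
    return out
```

Feeding the rows of `bucket_stats()` to `sliding_avg()` unsorted would silently produce a different `_avg` series, which is why the query's sort step is marked as required.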

Visualization: displays daily detection counts as bars. Option to show the hourly moving average of detection severity.

[Screenshot: bar chart widget with vertical teal bars for daily detection counts and colored indicator dots (blue, light blue, orange, red, green) for Hourly Avg Severity, Hourly Detections, Max Severity, Min Severity and _avg; the Format Bar Chart panel is open on the right]

Figure 215. Daily Detection Counts with Severity Average


Configuration:

  1. From the Search page, type your query in the Query Editor → click Run

  2. Choose Bar Chart in the Widget Selector

  3. Click the style icon: the side panel shows most settings already configured by default based on the query result. You may configure more settings manually, as follows.

  4. Enter a title, for example "events" in Value axis (left) and select the Show title checkbox

  5. Toggle Legend on

  6. Toggle Line overlay on to get a line showing the moving average trend by hour:

    [Screenshot: the same bar chart widget with Line overlay enabled, vertical teal bars for hourly detections and colored lines tracking Hourly Avg Severity, Hourly Detections, Max Severity, Min Severity and _avg; the Format Bar Chart panel is open on the right]

    Figure 216. Daily Detection Counts with Severity Score


  7. Under Line overlay, click the Right axis checkbox

  8. In Value axis (right):

    • Select the Show title checkbox to have it displayed on the right

    • Change Title to "average" to clearly indicate what the line overlay is showing.

You can further customize this widget by setting more properties; see the Bar Chart Property Reference.