Detection Counts with Severity Average

Display detection counts as bars, with the option to show the hourly moving average of detection severity.

Bar Chart type: Line Overlay chart.

Sample input data:

detection_id  severity_score  timestamp             type
det1          8               2025-08-11T00:01:23Z  malware
det2          5               2025-08-11T00:01:24Z  suspicious
det3          9               2025-08-11T00:01:25Z  ransomware
det4          6               2025-08-11T00:01:26Z  suspicious
det5          7               2025-08-11T00:01:27Z  malware

Query:

```logscale
detection_id=* severity_score=*
| dateBucket:=formatTime("%Y-%m-%dT%H:%M", field=@timestamp)
| groupBy(dateBucket, function=[
    count(as="Hourly Detections"),
    avg(severity_score, as="Hourly Avg Severity"),
    min(severity_score, as="Min Severity"),
    max(severity_score, as="Max Severity")
  ], limit=max)
| sort(dateBucket, order=asc, limit=10000)
| slidingWindow(avg("Hourly Avg Severity"), events=60)
```

Query breakdown:

  1. Filter for detection events and keep only those that carry a severity score

  2. Create hourly time buckets

  3. Group by hour with multiple aggregations

  4. Sort chronologically (required)

  5. Calculate hourly moving average

The chart is useful for showing both detection volume and severity trend.
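To check what the query above produces before building the widget, here is an added Python model of its five steps (not part of this page or of LogScale itself), run over the page's sample rows plus a few constructed events. It assumes slidingWindow() includes the current bucket in its window, emits partial windows for the first buckets, and names the avg() result `_avg`.

```python
from collections import defaultdict
from datetime import datetime

# Constructed input: the page's five sample rows, plus two events in the next
# minute and one event without severity_score (which the filter must drop).
SAMPLE_EVENTS = [
    {"detection_id": "det1", "severity_score": 8, "@timestamp": "2025-08-11T00:01:23Z"},
    {"detection_id": "det2", "severity_score": 5, "@timestamp": "2025-08-11T00:01:24Z"},
    {"detection_id": "det3", "severity_score": 9, "@timestamp": "2025-08-11T00:01:25Z"},
    {"detection_id": "det4", "severity_score": 6, "@timestamp": "2025-08-11T00:01:26Z"},
    {"detection_id": "det5", "severity_score": 7, "@timestamp": "2025-08-11T00:01:27Z"},
    {"detection_id": "det6", "severity_score": 2, "@timestamp": "2025-08-11T00:02:10Z"},
    {"detection_id": "det7", "severity_score": 4, "@timestamp": "2025-08-11T00:02:40Z"},
    {"detection_id": "det8", "@timestamp": "2025-08-11T00:03:05Z"},  # no score: filtered
]


def date_bucket(ts: str) -> str:
    """Step 2: formatTime("%Y-%m-%dT%H:%M") truncates @timestamp to the minute."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H:%M")


def group_by_bucket(events):
    """Steps 1, 3 and 4: filter, groupBy(dateBucket) with count/avg/min/max, sort asc."""
    scores_per_bucket = defaultdict(list)
    for e in events:
        if "detection_id" not in e or "severity_score" not in e:  # detection_id=* severity_score=*
            continue
        scores_per_bucket[date_bucket(e["@timestamp"])].append(float(e["severity_score"]))
    rows = []
    for key in sorted(scores_per_bucket):  # sort(dateBucket, order=asc)
        s = scores_per_bucket[key]
        rows.append({"dateBucket": key, "Hourly Detections": len(s),
                     "Hourly Avg Severity": sum(s) / len(s),
                     "Min Severity": min(s), "Max Severity": max(s)})
    return rows


def sliding_window_avg(rows, events=60, field="Hourly Avg Severity"):
    """Step 5: slidingWindow(avg(field), events=N) over the sorted buckets.
    Assumed semantics: window = the current row and up to N-1 preceding rows."""
    out = []
    for i, row in enumerate(rows):
        window = [r[field] for r in rows[max(0, i - events + 1): i + 1]]
        out.append({**row, "_avg": sum(window) / len(window)})
    return out


def run_query(events):
    return sliding_window_avg(group_by_bucket(events))
```

With 60 one-minute buckets per window, `_avg` is the hourly moving average the line overlay plots; the bars come from "Hourly Detections" per bucket.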

Visualization: displays daily detection counts as bars, with the option to show the hourly moving average of detection severity.

Figure 211. Daily Detection Counts with Severity Average (bar chart showing the severity average use case)


Configuration:

  1. From the Search page, type your query in the Query Editor → click Run

  2. Choose Bar Chart in the Widget selector

  3. Click the style icon: the side panel shows most settings already configured by default based on the query result. You can configure more settings manually, as follows.

  4. Enter a title, for example "events", in Value axis (left) and select the Show title checkbox

  5. Toggle Legend on

  6. Toggle Line overlay on to get a line showing the moving average trend by hour:

    Figure 212. Daily Detection Counts with Severity Score (bar chart showing the severity count use case)


  7. Under Line overlay, click the Right axis checkbox

  8. In Value axis (right):

    • Select the Show title checkbox to have it displayed on the right

    • Change Title to "average" to clearly indicate what the line overlay is showing.

You can further customize this widget by setting more properties; see Bar Chart Property Reference.