Advanced Functions

The following is a collection of more advanced functions that can provide additional capabilities in your queries if required.

:des (Double Exponential Smoothing)

Double exponential smoothing (DES) is a simple technique for generating a smooth trend line from another time series. This technique is often used to generate a dynamic threshold for alerting, although it can be noisy on dynamic data if not tuned properly.

The :des operator takes 4 parameters:

  • query: An input time series
  • training: The number of intervals to use for warming up before generating an output
  • alpha: A data smoothing factor
  • beta: A trend smoothing factor

{query},{training},{alpha},{beta},:des

Training

The training parameter defines how many intervals to allow the DES to warm up. On graphs, the beginning of the chart will be empty for a period based on this training parameter.

Typically a training window of 10 has been sufficient, as DES will adjust to the input fairly quickly. However, in some cases a massive change in the input can cause DES to oscillate.

Alpha

Alpha is the data smoothing factor. A value of 1 means no smoothing. The closer the value gets to 0 the smoother the line should get.

Beta

Beta is a trend smoothing factor. Visually it is most apparent when alpha is small.

Recommended Values

Outlyer provides 3 pre-set :des functions that have different alpha/beta values based on how quickly it should adjust to changing levels in the input signal.

:des-fast will show a faster rate of change for drops and rises in the input data compared to :des-slow. Choosing the right pre-set will depend on how you want to trend your input data.

Pre-Set Function    Alpha    Beta
:des-fast           0.1      0.02
:des-slower         0.05     0.03
:des-slow           0.03     0.04
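
To see how training, alpha and beta shape a dynamic alert threshold, the following added example (not Outlyer's own code) runs the textbook Holt form of double exponential smoothing over a constructed series with each pre-set. The update rule, the seeding of level and trend, the breach margin and all function names are assumptions made for illustration.

```python
import math

# Alpha/beta pairs from the pre-set table above.
PRESETS = {"des-fast": (0.1, 0.02), "des-slower": (0.05, 0.03), "des-slow": (0.03, 0.04)}

def des(series, training, alpha, beta):
    """Holt's double exponential smoothing; NaN while warming up.

    Assumption: the textbook update rule, with the level seeded from the
    first sample and the trend seeded at zero.
    """
    out, level, trend = [], None, 0.0
    for i, x in enumerate(series):
        if level is None:
            level = float(x)
        else:
            prev = level
            level = alpha * x + (1 - alpha) * (prev + trend)    # data smoothing
            trend = beta * (level - prev) + (1 - beta) * trend  # trend smoothing
        # The first `training` intervals only warm up the state.
        out.append(level if i >= training else math.nan)
    return out

def breaches(series, smoothed, margin):
    """Indices where the input exceeds the DES line by more than `margin` (a ratio)."""
    return [i for i, (x, s) in enumerate(zip(series, smoothed))
            if not math.isnan(s) and x > s * (1 + margin)]

# Constructed sample: failed logins per interval, flat at 20 with a two-interval burst.
SAMPLE = [20] * 12 + [100, 100] + [20] * 3

def compare_presets(series=SAMPLE, training=10, margin=0.5):
    """Return {preset: (smoothed line, breach indices)} for each pre-set."""
    result = {}
    for name, (alpha, beta) in PRESETS.items():
        line = des(series, training, alpha, beta)
        result[name] = (line, breaches(series, line, margin))
    return result

if __name__ == "__main__":
    for name, (line, hits) in compare_presets().items():
        print(f"{name:10s} level after burst={line[13]:.2f} breaches={hits}")
```

All three pre-sets flag the burst at the same intervals, but the :des-fast line rises furthest toward the new level, so a sustained shift would stop alerting sooner with it than with :des-slow.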

:trend (Trend)

Computes a moving average over the input window. Until there is at least one sample for the whole window it will emit NaN. If the input line has NaN values, then they will be treated as zeros.

The window size is specified as a range of time. If the window size is not evenly divisible by the step size, then the window size will be rounded down. So a 5m window with a 2m step would result in a 4m window with two datapoints per average. A step size larger than the window will result in the trend being a bad operation.

name,sys.cpu_pct,:eq,20m,:trend

The time window can be specified as an integer with the following units:

  • s, second, or seconds
  • m, min, minute, or minutes
  • h, hour, or hours
  • d, day, or days
  • w, week, or weeks
  • month or months
  • y, year, or years

:filter (Filter)

Filter the output based on another expression. For example, only show time series lines that have a value greater than 50.

The filter will work across the entire time range window, so if a time series crosses the filter threshold once in that window it will be returned, otherwise it will be filtered out.

The following query will return a time series line for every host with a maximum sys.cpu_pct greater than 80%:

name,sys.cpu_pct,:eq,:sum,(,instance.hostname,),:by,:stat-max,80,:gt,:filter

:stat-avg (Statistical Average)

Create a single summary line equivalent to the average value from the input query.

:stat-max (Statistical Maximum)

Create a single summary line equivalent to the maximum value from the input query.

:stat-min (Statistical Minimum)

Create a single summary line equivalent to the minimum value from the input query.

:stat-last (Last Value)

Create a single summary line equivalent to the last value from the input query.

:stat-total (Total Value)

Create a single summary line equivalent to the total sum value from the input query.