Can someone please explain to me what this blue line is showing? Is it showing me events that are being logged at a future timestamp, or is it showing me what the trend will look like in the future? I cannot seem to find any documentation as to what it is. Thanks!
That blue line is showing you the average baseline using the past 5 increments of x time frame that you're looking at.
For instance, if you're looking at a month's worth of data, it will calculate the baseline on the past 5 months of data.
For current day it would be the previous 5 "Mondays". For 24 hours it would be the past 5 days.
Since my question is somewhat related to baselines, I will ask it here: We have reports that show total log volume per data source for ESM. Can we add a baseline overlay to this report so that it's easy to see if firewall logs jumped up in count or were lower than the average for the week?
Yes, definitely. The role of the baseline is to indicate a change in pattern over a period of time. Event rate is a great use case, but there is no shortage of scenarios that could be improved by adding baseline deviation.
For instance, you can leverage dynamic baselines with static correlation rules to provide more context/relevance.
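The baseline described in this thread (the average of the previous 5 increments, e.g. the previous 5 "Mondays" for the current day) applied to log volume per data source, as an added example that is not part of the original posts and not ESM's own code. The source names, the counts, and the 50% deviation threshold are constructed assumptions.

```python
from datetime import date, timedelta
from statistics import mean

TARGET = date(2024, 6, 10)  # constructed target day (a Monday)

def build_sample():
    """Constructed daily event counts: index 0 is TARGET, 1..5 are prior Mondays."""
    series = {
        "firewall": [182000, 100000, 98000, 102000, 101000, 99000],
        "ids":      [40500, 40000, 41000, 39000, 40000, 40000],
        "proxy":    [9000, 20000, 20000, 20000, 20000, 20000],
        "newsrc":   [500, 450],  # too little history for a baseline
    }
    return {(src, TARGET - timedelta(weeks=i)): n
            for src, vals in series.items() for i, n in enumerate(vals)}

def baseline(counts, source, day, periods=5, step=timedelta(weeks=1)):
    """Mean of the previous `periods` increments; None if history is incomplete."""
    history = [counts.get((source, day - step * i)) for i in range(1, periods + 1)]
    if any(v is None for v in history):
        return None
    return mean(history)

def deviations(counts, day, threshold=0.5):
    """Return {source: (current, baseline, fractional_change, status)}."""
    report = {}
    for source in sorted({s for s, _ in counts}):
        current = counts.get((source, day), 0)
        base = baseline(counts, source, day)
        if not base:  # missing history or a zero baseline: nothing to compare to
            report[source] = (current, base, None, "no-baseline")
            continue
        change = (current - base) / base
        if change > threshold:
            status = "high"    # volume jumped well above the average
        elif change < -threshold:
            status = "low"     # source went quiet, possible logging gap
        else:
            status = "normal"
        report[source] = (current, base, change, status)
    return report

if __name__ == "__main__":
    for src, (cur, base, chg, status) in deviations(build_sample(), TARGET).items():
        pct = "n/a" if chg is None else f"{chg:+.1%}"
        print(f"{src:10} current={cur:>7} baseline={base} change={pct} {status}")
```

A drop below baseline is worth flagging as well as a spike, since a data source that stops sending logs leaves a visibility gap.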
I don't have the ability to add baselines to reports. Does this feature only exist in certain reports? I see it and use it with event summary graphs on the main display pages, but I am not able to find the same setting in reports.