System event analyzer and outlier visualization

What is claimed is: 1. A method comprising: receiving a time-series sequence of event data for each event type in a plurality of event types; determining a set of correlations between pairs of the event types in the plurality of event types based on a comparison of the time-series sequence of each event type; clustering the event types based on the set of correlations; identifying subject event data for each event type in the plurality of event types for an evaluation time; generating a display including each event data type represented by a node, the event data types at a location in the display based on the clustering and each event data type coded according to the subject event data for the event data type; identifying a centrality score for each event type based on the correlation pairs; determining a notification score based on the subject event data for each event node, the centrality score of each event node, and, for pairs of event nodes associated with the node, the coded event data; and sending a notification when the notification score exceeds a threshold. 2. The method of claim 1 , further comprising: determining whether the correlation between each pair of connections between event types exceeds a threshold; and responsive to the correlation exceeding the threshold, adding a connection between the nodes of the pair of connections in the display. 3. The method of claim 1 , further comprising: displaying a timeline user interface element in the display; receiving a selection of a second evaluation time; and updating the display with subject event data for the second evaluation time. 4. The method of claim 1 , wherein the clustering is based on an absolute value of the correlations in the set of correlations. 5. A non-transitory computer-readable medium having instructions stored thereon, the instructions executable by a processor and when executed causing the processor to: receive a time-series sequence of event data for each event type in a plurality of event types; determine a set of correlations between pairs of the event types in the plurality of event types based on a comparison of the time-series sequence of each event type; cluster the event types based on the set of correlations; identify subject event data for each event type in the plurality of event types for an evaluation time; generate a display including each event data type represented by a node, the event data types at a location in the display based on the clustering and each event data type coded according to the subject event data for the event data type; identify a centrality score for each event type based on the correlation pairs; determine a notification score based on the subject event data for each event node, the centrality score of each event node, and, for airs of event nodes associated with the node, the coded event data; and send a notification when the notification score exceeds a threshold. 6. The computer-readable medium of claim 5 , the instructions further causing the processor to: determine whether the correlation between each pair of connections between event types exceeds a threshold; and responsive to the correlation exceeding the threshold, add a connection between the nodes of the pair of connections in the display. 7. The computer-readable medium of claim 5 , further comprising: display a timeline user interface element in the display; receive a selection of a second evaluation time; and update the display with subject event data for the second evaluation time. 8. The computer-readable medium of claim 5 , wherein the clustering is based on an absolute value of the correlations in the set of correlations. 9. A method comprising: receiving a time-series sequence of event data for each event type in a plurality of event types associated with one or more monitored systems; determining a set of correlation scores between pairs of the event types in the plurality of event types based on a comparison of the time-series sequence of each event type; identifying subject event data for each event type in the plurality of event types for an evaluation time; coding the subject event data for each event type according to one or more threshold values; determining a system health score for the plurality of event types, the system health score combining the coding for each event data type, the coding for each event type increased based on the correlation scores for the pairs of event types including that event type; determining whether the system health score exceeds a notification threshold; and responsive to determining the system health score exceeds the notification threshold, generating a notification for an operator of the one or more monitored systems. 10. The method of claim 9 , further comprising identifying annotation data associated with one or more of the event types in the plurality of event types, the annotation data indicating an action that may affect the event data of the one or more event types; and modifying the coding for the one or more event types for the system health score based on the annotation data. 11. The method of claim 10 , wherein the annotation data is selected from among a group consisting of: a code change, service pricing, planned downtime, weather, gatherings, and any combination thereof. 12. The method of claim 9 , wherein the notification is generated when the system health score also exceeds the notification threshold for a designated amount of time. 13. The method of claim 9 , wherein the system health score is increased for an event type when another event type, having a correlation with the event type higher than a correlation threshold, has an alert level. 14. The method of claim 9 , wherein system health score is compared with a plurality of notification thresholds, and a notification level is selected based on the comparison to the plurality of notification thresholds. 15. The method of claim 14 , further comprising selecting the operator to notify based on the selected notification level from the plurality of notification thresholds. 16. A non-transitory computer-readable medium having instructions stored thereon, the instructions executable by a processor and when executed causing the processor to: receive a time-series sequence of event data for each event type in a plurality of event types associated with one or more monitored systems; determine a set of correlation scores between pairs of the event types in the plurality of event types based on a comparison of the time-series sequence of each event type; identify subject event data for each event type in the plurality of event types for an evaluation time; coding the subject event data for each event type according to one or more threshold values; determine a system health score for the plurality of event types, the system health score combining the coding for each event data type, the coding for each event type increased based on the correlation scores for the pairs of event types including that event type; determine whether the system health score exceeds a notification threshold; and responsive to determining the system health score exceeds the notification threshold, generate a notification for an operator of the one or more monitored systems. 17. The computer-readable medium of claim 16 , the instructions further causing the processor to: identify annotation data associated with one or more of the event types in the plurality of event types, the annotation data indicating an action that may affect the event data of the one or