https://community.splunk.com/t5/Splunk-Search/How-does-anomalousvalue-work-in-my-search/m-p/625039#M217278 <P>I'm trying to implement a search query in splunk to get anomalous values around a particular field in the service events.</P> <P>Essentially the query looks something like this -&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index="abc" source=*servicename* response_time | anomalousvalue action=summary pthresh=0.1|search isNum=YES fieldname=response_time</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>And this gives me a table containing fields like&nbsp;catAnoFreq% ,&nbsp;<SPAN>numAnoFreq%,&nbsp;stdev, etc</SPAN></P> <P><SPAN>I looked the documentation&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Anomalousvalue" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Anomalousvalue</A></SPAN></P> <P><SPAN>but didn't understand how exactly it works.&nbsp;</SPAN></P> <P><SPAN>so for my query if the response_time field has a standard range of values across events, and if my p_thresh=0.1, does that mean that values which occur with a probability of just 10% will fall into the anomalous category? and if i wanted to set an alert on one of the fields in the table to detect anomaly, which would be recommended? i want to set the alert of any event where the response_time num field is not considered within the normal range.</SPAN></P> Mon, 09 Jan 2023 16:15:47 GMT sharsmail 2023-01-09T16:15:47Z https://community.splunk.com/t5/Splunk-Search/How-does-anomalousvalue-work-in-my-search/m-p/625039#M217278 <P>I'm trying to implement a search query in splunk to get anomalous values around a particular field in the service events.</P> <P>Essentially the query looks something like this -&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index="abc" source=*servicename* response_time | anomalousvalue action=summary pthresh=0.1|search isNum=YES fieldname=response_time</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>And this gives me a table containing fields like&nbsp;catAnoFreq% ,&nbsp;<SPAN>numAnoFreq%,&nbsp;stdev, etc</SPAN></P> <P><SPAN>I looked the documentation&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Anomalousvalue" target="_blank" rel="noopener">https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Anomalousvalue</A></SPAN></P> <P><SPAN>but didn't understand how exactly it works.&nbsp;</SPAN></P> <P><SPAN>so for my query if the response_time field has a standard range of values across events, and if my p_thresh=0.1, does that mean that values which occur with a probability of just 10% will fall into the anomalous category? and if i wanted to set an alert on one of the fields in the table to detect anomaly, which would be recommended? i want to set the alert of any event where the response_time num field is not considered within the normal range.</SPAN></P> Mon, 09 Jan 2023 16:15:47 GMT https://community.splunk.com/t5/Splunk-Search/How-does-anomalousvalue-work-in-my-search/m-p/625039#M217278 sharsmail 2023-01-09T16:15:47Z https://community.splunk.com/t5/Splunk-Search/How-does-anomalousvalue-work-in-my-search/m-p/625052#M217284 <P>If p_thresh=0.1, an anomalous event must have at least one field whose value falls below probability of 10% or, if numeric, whose standard deviation is greater than 0.9.</P><P>To set alert, it would be simpler to use default action of filter. &nbsp;Something like</P><LI-CODE lang="markup">index="abc" source=*servicename* response_time | fields response_time | anomalousvalue action=filter pthresh=0.1</LI-CODE><P>&nbsp;</P> Thu, 22 Dec 2022 07:59:55 GMT https://community.splunk.com/t5/Splunk-Search/How-does-anomalousvalue-work-in-my-search/m-p/625052#M217284 yuanliu 2022-12-22T07:59:55Z https://community.splunk.com/t5/Splunk-Search/How-does-anomalousvalue-work-in-my-search/m-p/626367#M217705 <P><A href="https://community.splunk.com/t5/user/viewprofilepage/user-id/33901" target="_blank">@yuanliu</A>&nbsp;Thanks.</P><P>but if i want to set the alert based on the std value, say if its greater than 30, then using action=summary would be more appropriate?&nbsp;</P><P>And i'm assuming its using the gaussian (normal) distribution for the response_time field since useNum=YES?</P><P>so if pthresh=0.01 which is 1% , does that mean it will filter the response_time field value which occur below 1%?</P><P>I also see some instances of the search returning both useNum=YES and useCat=YES. not sure why that would happen if in that case its still uses the&nbsp;gaussian distribution.</P> Mon, 09 Jan 2023 07:22:07 GMT https://community.splunk.com/t5/Splunk-Search/How-does-anomalousvalue-work-in-my-search/m-p/626367#M217705 sharsmail 2023-01-09T07:22:07Z https://community.splunk.com/t5/Splunk-Search/How-does-anomalousvalue-work-in-my-search/m-p/626670#M217816 <P>Can anyone help with the follow up question</P><P>&nbsp;</P> Tue, 10 Jan 2023 22:35:09 GMT https://community.splunk.com/t5/Splunk-Search/How-does-anomalousvalue-work-in-my-search/m-p/626670#M217816 sharsmail 2023-01-10T22:35:09Z