https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659753#M227774 <P>Trying to find anomalies for events. I have multiple services and multiple customers. I have an error "bucket" that is caputuring events for failures, exceeded, notified, etc.<BR />I'm looking for a way to identify when there are anomalies or outliers for each of the services/customers. I have combined (eval) service, customer, and the error and just counting the number of error events generated by each service/customer.<BR />So for example:<BR />svcA<BR />svcB<BR />svcC<BR />custA<BR />custB<BR />custC</P><P>would give<BR />svcA-custA-failures 10<BR />svcA-custA-exceeded 5<BR />svcA-custA-notified 25<BR />svcB-custA-failures 11<BR />svcB-custA-exceeded 9<BR />svcB-custA-notified 33<BR />svcB-custB-failures 3<BR />svcA-custB-exceeded 7<BR />svcA-custB-notified 22<BR />svcA-custC-exceeded 8<BR />svcA-custC-failures 3<BR />svcA-custC-notified 267<BR />svcC-custC-exceeded 1<BR />svcC-custC-failures 4<BR />svcC-custB-notified 145<BR />svcC-custA-notified 17</P><P>&nbsp;</P><P>Something along the lines of this:<BR /><BR />| eval Svc-Cust-Evnt=Svc."-".Cust."-".Evnt<BR />| stats sum(error) by Svc-Cust-Evnt<BR />| rename sum(error) as count<BR />| sort -count</P> Thu, 05 Oct 2023 07:29:19 GMT irkey 2023-10-05T07:29:19Z https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659753#M227774 <P>Trying to find anomalies for events. I have multiple services and multiple customers. I have an error "bucket" that is caputuring events for failures, exceeded, notified, etc.<BR />I'm looking for a way to identify when there are anomalies or outliers for each of the services/customers. I have combined (eval) service, customer, and the error and just counting the number of error events generated by each service/customer.<BR />So for example:<BR />svcA<BR />svcB<BR />svcC<BR />custA<BR />custB<BR />custC</P><P>would give<BR />svcA-custA-failures 10<BR />svcA-custA-exceeded 5<BR />svcA-custA-notified 25<BR />svcB-custA-failures 11<BR />svcB-custA-exceeded 9<BR />svcB-custA-notified 33<BR />svcB-custB-failures 3<BR />svcA-custB-exceeded 7<BR />svcA-custB-notified 22<BR />svcA-custC-exceeded 8<BR />svcA-custC-failures 3<BR />svcA-custC-notified 267<BR />svcC-custC-exceeded 1<BR />svcC-custC-failures 4<BR />svcC-custB-notified 145<BR />svcC-custA-notified 17</P><P>&nbsp;</P><P>Something along the lines of this:<BR /><BR />| eval Svc-Cust-Evnt=Svc."-".Cust."-".Evnt<BR />| stats sum(error) by Svc-Cust-Evnt<BR />| rename sum(error) as count<BR />| sort -count</P> Thu, 05 Oct 2023 07:29:19 GMT https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659753#M227774 irkey 2023-10-05T07:29:19Z https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659757#M227775 <P>It is not clear what your criteria are for determining what an anomaly is.</P><P>Also, from your example, you don't need to combine the fields, you could just to something like this</P><LI-CODE lang="markup">| stats sum(error) as count by Svc Cust Evnt | sort -count</LI-CODE> Thu, 05 Oct 2023 08:38:58 GMT https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659757#M227775 ITWhisperer 2023-10-05T08:38:58Z https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659813#M227792 <P>Each service/customer has different usage patterns...some are "normally" less busy than others. So I thought there is a way to identity when something does not follow the "normal" pattern witout putting in static thresholds?&nbsp;So for the service/customer that is normally slower the threshold will be less than a busier service/customer.&nbsp;If svcA-custA normally has 2000 events a day and svcA-custB has only 100 events a day the thresholds will be different.</P> Thu, 05 Oct 2023 15:43:02 GMT https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659813#M227792 irkey 2023-10-05T15:43:02Z https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659815#M227793 <P>Sounds like you need some sort of baseline for each service/customer - I would suggest you store this in a summary index. You can then retrieve the relevant stat from the summary index and compare it to you current actual to determine if it is anomalous.</P><P>You could also look at the MLTK, however, for this sort of analysis, you may end up with multiple models for each service/customer combination, which becomes quite unwieldy.</P> Thu, 05 Oct 2023 15:52:08 GMT https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659815#M227793 ITWhisperer 2023-10-05T15:52:08Z https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659816#M227794 <P>Interesting. Can you provide a run anywhere query example of how I would do the comparison?</P> Thu, 05 Oct 2023 15:57:00 GMT https://community.splunk.com/t5/Splunk-Search/Finding-Anomalies-or-Outliers/m-p/659816#M227794 irkey 2023-10-05T15:57:00Z