All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How Anomaly and Anomalydetection commands works in splunk

chandana204
Communicator
‎01-22-2018 01:25 PM

Hi,

I have started to learning machine learning concepts and trying to imply on Splunk tool. So, i tried to use anomaly and anomalydetection search commands but i couldn't understand how these commands are working. I have gone through documentation, there i can find how to use commands but i want to know how it's working in background. Can anyone please explain in detail.

Appreciate your time

Thanks,
Chandana

Reply
1 Solution
Solved! Jump to solution
Solution

aoliner_splunk
Splunk Employee
Splunk Employee
‎01-23-2018 09:06 AM

Hi Chandana,

Could you please say more about what's missing in the documentation? For example, the anomalydetection command docs say that it "identifies anomalous events by computing a probability for each event and then detecting unusually small probabilities. The probability is defined as the product of the frequencies of each individual field value in the event." It then goes on to explain how those field value probabilities are computed. So, if you have two fields, A="blue" and B=7, where A has the value "blue" 25% of the time and B has a histogram of values such that the bin containing 7 is 10% of the mass of the histogram, then the probability of the event would be p = 0.25 * 0.1 = 0.025.

Does that make sense? Is it not behaving as expected?

Cheers,
- Adam

View solution in original post

Reply
Solved! Jump to solution

jcvytla
New Member
‎03-28-2018 10:55 AM

Hi @chandana204

I'm also working on similar problem. could you please guide me through solution..

0 Karma
Reply
Solved! Jump to solution
Solution

aoliner_splunk
Splunk Employee
Splunk Employee
‎01-23-2018 09:06 AM

Hi Chandana,

Could you please say more about what's missing in the documentation? For example, the anomalydetection command docs say that it "identifies anomalous events by computing a probability for each event and then detecting unusually small probabilities. The probability is defined as the product of the frequencies of each individual field value in the event." It then goes on to explain how those field value probabilities are computed. So, if you have two fields, A="blue" and B=7, where A has the value "blue" 25% of the time and B has a histogram of values such that the bin containing 7 is 10% of the mass of the histogram, then the probability of the event would be p = 0.25 * 0.1 = 0.025.

Does that make sense? Is it not behaving as expected?

Cheers,
- Adam

Reply
Solved! Jump to solution

buraka
New Member
‎03-29-2018 02:20 AM

Hi Adam,
How are the histogram intervals decided, is it hard coded to 10%, can we change accordingly?
And is there a threshold value where we can control/change by probability value?

0 Karma
Reply
Solved! Jump to solution

aoliner_splunk
Splunk Employee
Splunk Employee
‎04-06-2018 03:52 PM

Hi buraka,

There are three modes. The histogram mode is controlled by the pthresh option. For the other two modes, the docs say, "When method=zscore, performs like the anomalousvalue command. When method=iqr, performs like the outlier command." Please see the corresponding docs for those commands.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-28-2018 11:22 AM

Good explanation..

Perhaps you could give us your use case @chandana204

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...