
How the Anomaly and Anomalydetection commands work in Splunk

chandana204
Communicator

Hi,

I have started learning machine learning concepts and am trying to apply them in the Splunk tool. So, I tried to use the anomaly and anomalydetection search commands, but I couldn't understand how these commands work. I have gone through the documentation; there I can find how to use the commands, but I want to know how they work in the background. Can anyone please explain in detail?

Appreciate your time

Thanks,
Chandana

1 Solution

aoliner_splunk
Splunk Employee

Hi Chandana,

Could you please say more about what's missing in the documentation? For example, the anomalydetection command docs say that it "identifies anomalous events by computing a probability for each event and then detecting unusually small probabilities. The probability is defined as the product of the frequencies of each individual field value in the event." It then goes on to explain how those field value probabilities are computed. So, if you have two fields, A="blue" and B=7, where A has the value "blue" 25% of the time and B has a histogram of values such that the bin containing 7 is 10% of the mass of the histogram, then the probability of the event would be p = 0.25 * 0.1 = 0.025.

Does that make sense? Is it not behaving as expected?

Cheers,
- Adam

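The per-field frequency product described in the answer above, worked through on constructed data (this is an added illustration, not Splunk's own implementation). Equal-width histogram bins and the pthresh value of 0.05 are assumptions of the example; the page does not say how Splunk picks its intervals or its default threshold.

```python
from collections import Counter

# Constructed sample events (not real Splunk data). Field A is categorical and
# field B is numeric; "blue" is 25% of A and 7 falls in a bin holding 10% of
# B's mass, reproducing the A="blue", B=7 case from the answer.
EVENTS = (
    [{"A": "blue", "B": 7}, {"A": "red", "B": 7}]
    + [{"A": "blue", "B": 52}] * 4 + [{"A": "red", "B": 52}] * 5
    + [{"A": "red", "B": 97}] * 9
)

def categorical_freq(values):
    """Frequency of each distinct value: count / total."""
    counts = Counter(values)
    return {v: c / len(values) for v, c in counts.items()}

def histogram_freq(values, bins=10):
    """Return f(x) = mass of the equal-width bin that x falls into.
    Equal-width binning over [min, max] is an assumption of this example."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1.0          # all values equal: one bin
    idx = lambda x: min(int((x - lo) / width), bins - 1)
    counts = Counter(idx(x) for x in values)
    return lambda x: counts[idx(x)] / len(values)

def event_probabilities(events, numeric_fields, bins=10):
    """p(event) = product over fields of the frequency of that field's value."""
    fields = list(events[0].keys())
    freq = {}
    for f in fields:
        col = [e[f] for e in events]
        if f in numeric_fields:
            freq[f] = histogram_freq(col, bins)
        else:
            table = categorical_freq(col)
            freq[f] = lambda x, t=table: t[x]
    probs = []
    for e in events:
        p = 1.0
        for f in fields:
            p *= freq[f](e[f])
        probs.append(p)
    return probs

def flag_anomalies(events, numeric_fields, pthresh, bins=10):
    """Indices of events whose probability is below pthresh (histogram mode)."""
    probs = event_probabilities(events, numeric_fields, bins)
    return [i for i, p in enumerate(probs) if p < pthresh]

if __name__ == "__main__":
    for i, p in enumerate(event_probabilities(EVENTS, {"B"})):
        print(i, EVENTS[i], round(p, 4))   # event 0 -> 0.025, as in the answer
    print("anomalous:", flag_anomalies(EVENTS, {"B"}, pthresh=0.05))
```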

jcvytla
New Member

Hi @chandana204

I'm also working on a similar problem. Could you please guide me through the solution?



buraka
New Member

Hi Adam,
How are the histogram intervals decided? Is it hard-coded to 10%, or can we change it accordingly?
And is there a threshold value that we can control/change based on the probability value?


aoliner_splunk
Splunk Employee

Hi buraka,

There are three modes. The histogram mode is controlled by the pthresh option. For the other two modes, the docs say, "When method=zscore, performs like the anomalousvalue command. When method=iqr, performs like the outlier command." Please see the corresponding docs for those commands.


skoelpin
SplunkTrust

Good explanation.

Perhaps you could give us your use case @chandana204
