using ML Toolkit to detect transaction outliers fo...

ebaileytu · ‎03-01-2017

I have a working example for the using the predict function in the ML Toolkit to detect out outliers for an overall transaction count or for a single customer but I cannot figure out to use the function for multiple customers. Is that possible or would i need to setup a model for every customer? I need a way to show and alert the NOC if our top 20 customers have transaction count issues and of course static thresholds work poorly. Thanks!

astein_splunk · ‎03-27-2017

Are you trying to predict or detect anomalies?

Couple of options :

As of MLTK 2.1, you could use the Detect Numeric Outliers with the "Fields to split by" for your customer fields, and use a sliding window too.

If you take a look at the Conf presentations from last year, https://conf.splunk.com/files/2016/slides/building-a-crystal-ball-forecasting-future-values-for-mult... is pretty awesome.

Are you looking to predict a number of transaction counts and then alert when the residual (actual - predicted/estimated) values differ? you can use the Predict Numeric Fields Assistant with some clever stats by client,dayofweek,hourofday, etc variables. You will have to understand how linear regression works.

woodcock · ‎03-02-2017

I would not trust a model built on one data source (customer) for use on another, at least not without a great deal of testing.

ebaileytu · ‎03-02-2017

can you point to any examples with using the ML app with multiple values in the same dashboard?

using ML Toolkit to detect transaction outliers for more than one customer?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?