Hi
I have a table with 2 columns: "_time" and "isOutlier".
I want to remove all the fields with the value = 1 from the column "isOutlier".
Is there any command?
Thank you
This is the answer! haha! 🙂
| inputlookup fortigate_QC_May2019_logins.csv
| fit StandardScaler "logins" with_mean=false with_std=true
| fit LocalOutlierFactor "SS_logins" n_neighbors=10 algorithm=auto metric=minkowski p=2 contamination=0.1 leaf_size=30
| where NOT isOutlier==1
| table _time, SS_logins
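A stand-alone re-creation of what that SPL does, added here as an example (it is not Splunk MLTK code): StandardScaler with with_mean=false, a brute-force Local Outlier Factor, contamination as the share of rows flagged isOutlier=1, and the where-clause that drops those whole rows; the timestamps and login counts are constructed, and the LOF threshold rule is an assumption about how MLTK applies contamination.

```python
"""Offline re-creation of the thread's SPL pipeline (added example, not Splunk
MLTK code): scale logins by std only (with_mean=false, with_std=true), score
rows with Local Outlier Factor, flag the top `contamination` share as
isOutlier=1, then drop those whole rows as `| where NOT isOutlier==1` does."""
import statistics

def standard_scale(values, with_mean=False, with_std=True):
    mean = statistics.mean(values) if with_mean else 0.0
    std = statistics.pstdev(values) if with_std else 1.0
    return [(v - mean) / (std or 1.0) for v in values]

def lof_scores(xs, k):
    """Brute-force LOF (Breunig et al. 2000) on 1-D points; about 1 = inlier."""
    n = len(xs)
    dist = [[abs(a - b) for b in xs] for a in xs]
    neigh, kdist = [], []
    for i in range(n):
        order = sorted((j for j in range(n) if j != i), key=lambda j: dist[i][j])
        neigh.append(order[:k])
        kdist.append(dist[i][order[k - 1]])        # distance to k-th neighbour
    # local reachability density: 1 / mean reachability distance to neighbours
    lrd = []
    for i in range(n):
        reach = sum(max(kdist[j], dist[i][j]) for j in neigh[i])
        lrd.append(k / reach if reach > 0 else float("inf"))
    # LOF: how much sparser a point is than its own neighbours
    return [1.0 if lrd[i] == float("inf")
            else sum(lrd[j] for j in neigh[i]) / (k * lrd[i]) for i in range(n)]

def flag_outliers(scores, contamination=0.1):
    """isOutlier=1 for the `contamination` share of rows with the highest LOF."""
    n_out = int(round(contamination * len(scores)))
    cutoff = sorted(scores, reverse=True)[n_out - 1] if n_out else float("inf")
    return [1 if s >= cutoff else 0 for s in scores]

def run_pipeline(rows, n_neighbors=10, contamination=0.1):
    """rows: [(_time, logins)] -> surviving [(_time, SS_logins)] after the where."""
    ss = standard_scale([logins for _, logins in rows])
    flags = flag_outliers(lof_scores(ss, n_neighbors), contamination)
    return [(t, s) for (t, _), s, f in zip(rows, ss, flags) if not f == 1]

# Constructed hourly login counts: 27 ordinary hours plus 3 spikes (not real data).
ROWS = ([(f"2019-05-01T{h:02d}:00", 41 + h) for h in range(24)]
        + [(f"2019-05-02T{h:02d}:00", 65 + h) for h in range(3)]
        + [("2019-05-02T03:00", 400), ("2019-05-02T04:00", 420),
           ("2019-05-02T05:00", 440)])

if __name__ == "__main__":
    kept = run_pipeline(ROWS)
    print(f"{len(ROWS)} rows in, {len(kept)} rows out after dropping isOutlier==1")
```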
try this:
... your search ... | where isOutlier!=1
or this
... your search ... | search isOutlier!=1
hope it helps
But then how do I remove the whole row?
This is my SPL:
| inputlookup fortigate_QC_May2019_logins.csv
| fit StandardScaler "logins" with_mean=false with_std=true
| fit LocalOutlierFactor "SS_logins" n_neighbors=10 algorithm=auto metric=minkowski p=2 contamination=0.1 leaf_size=30
| IT IS HERE WHERE I HAVE TO REMOVE THE WHOLE ROW WITH THE OUTLIER
| table _time, isOutlier
If you just want to filter out the events that are outliers, then you simply have to use isOutlier=0 or isOutlier!=1 in your base search. Unless I am not understanding your goal correctly.
Yes, but then I want to remove the whole row.
So if I have 744 rows with 10 outliers, I will end up with 764 rows.