Dashboards & Visualizations

Detect anomalies weighted by another field

sanchesku
Observer

Hello

in my case I have a list of products with producttype and weight. For products of the same type, weight might be different although always within some range. As an example:

productid type weight anomaly?
1 a 100kg  
2 a 102kg  
3 b 500kg  
4 b 550kg  
6 a 15kg yes
7 b 2500kg yes

 

One option would be solving this by calculating average and standard deviation:  

index=products
| stats list("productweight") as weights by "producttype"
| mvexpand weights
| eval weight=tonumber(weights)
| eventstats avg(weight) as avg stdev(weight) as stdev by "producttype"
| eval lowerBound=(avg-stdev*10), upperBound=(avg+stdev*10)
| where weight < lowerBound OR weight > upperBound

But I was wondering whether there is a way to solve this with the anomalydetection function. The function should search for anonalies within the products of the same producttype and not general for all weights on available. 

Something like | anomalydetection by "producttype" but this option doesnt seem to be available.

Does somebody know how to do this? Many thanks in advance for your help

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...