Hey, something we haven't dug into seriously yet are the anomaly detection functions of Splunk. Specifically, we're looking to develop a search that flags out of bounds events for further analysis.
Example, user generally accesses 9 to 5 everyday, then randomly accesses at 11pm one evening, report this. Is there a way to do this with the built in functions and not require an external tool or AI/ML model?
If you could even point me to some resources with examples, that'd be great. Thanks!
You can read/create a dashboard using the _audit logs, where all this info can be seen; else you can use the below query:
index=your_index sourcetype=your_sourcetype
| eval hour=strftime(_time,"%H")
| stats count by user hour
| eventstats avg(count) as avg stdev(count) as std by user
| eval zscore=(count-avg)/std
| where abs(zscore)>2 OR hour<9 OR hour>17
Thanks, I had reviewed the examples in the Splunk documentation, but your example gave me a better idea of how to use the anomalydetection function in context.
You can use functions like anomalydetection, outlier or build a baseline of normal hours and compare against current events.
The example below shows anomalous values based on hour:
index=your_index sourcetype=your_sourcetype user=*
| eval hour=strftime(_time,"%H")
| stats count by user, hour
| anomalydetection method=histogram action=filter
Refer below for the usage of anomalydetection:
https://help.splunk.com/en/splunk-enterprise/spl-search-reference/10.0/search-commands/anomalydetect...
Regards,
Prewin
🌟If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
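One way to build the "baseline of normal hours" approach mentioned above, as an added example that is not code from either of the posts in this thread. It keeps the same index/sourcetype/user placeholders and assumes a 30-day lookback: for every user and hour-of-day it counts on how many distinct past days that user was active in that hour, then returns today's user/hour pairs that have no history at all, skipping accounts with no baseline so a brand-new user does not flag every hour.

```spl
index=your_index sourcetype=your_sourcetype user=* earliest=-30d@d
| eval hour=tonumber(strftime(_time,"%H"))
| eval day=strftime(_time,"%Y-%m-%d")
| eval period=if(_time>=relative_time(now(),"@d"),"current","baseline")
| stats dc(eval(if(period="baseline",day,null()))) as baseline_days, count(eval(period="current")) as current_count by user, hour
| eventstats sum(baseline_days) as baseline_total by user
| where baseline_total>0 AND current_count>0 AND baseline_days=0
| table user, hour, current_count, baseline_total
```

Raise the threshold from `baseline_days=0` to something like `baseline_days<=1` if a single past occurrence should not count as "normal", and tighten the time split (for example by weekday) once the simple version produces too many benign hits.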