Splunk Search

Does the anomalies command work at all?

kundeng
Path Finder

Here is a simple example:
Server restarts at midnight, the anomalies command didn't really catch the drastic drop in event volumes.

I can't embed the image so here is the link:

i.imgur.com/a0nnbHK.png


prelert
Path Finder

The 'anomalies' command can be effective in identifying the unexpectedness of an event, but from your use case it looks like you are trying to identify a significant deviation in event rate rather than an unusual event.

A technique for doing this is to create a statistical baseline of the typical event rate (allowing for periodicity in the data), and use this to compute the probability of the current event rate.

Pasting the same timechart command into 'QuickMode' in the Prelert app (https://apps.splunk.com/app/1306/) can achieve this and is straightforward to try out. Let me know if you need more detail.

The anomalies command can be effective in identifying the unexpectedness of an event, but from your use case it looks like you are interested in looking for significant deviations in event rates. A more appropriate method may be to create a baseline of 'normal' event rates and compute the probability of the current event rate given this baseline.

An example of how to do this is to paste the timechart search into 'QuickMode' in the Prelert app (https://apps.splunk.com/app/1306/). This creates a statistical model of the event rate (count), allowing for changes in periodicity, resulting in the anomalies where the probability of the event rate is low.

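The baseline approach prelert describes, as an added Python sketch that is not part of this thread and is not the Prelert app's own algorithm: it builds a per-hour-of-day mean and standard deviation of the event count from a training window (the 24-hour period is an assumption), then scores each later hour by the two-sided normal tail probability of its count. A drastic drop such as the midnight restart in the question gets a vanishingly small probability, while the ordinary daily peaks and troughs do not. The hourly counts are constructed inline; the drop, the training length and the probability threshold are all assumed values.

```python
import math
from collections import defaultdict

PERIOD_HOURS = 24          # assumed periodicity: a daily cycle
TRAIN_DAYS = 7             # history used to build the baseline
P_THRESHOLD = 1e-3         # flag hours whose count is this improbable


def make_sample_counts():
    """Constructed sample: 8 days of hourly event counts as (day, hour, count).

    A smooth daily cycle plus small deterministic jitter, with the last
    day's midnight hour collapsing to almost nothing (the server restart).
    """
    counts = []
    for day in range(TRAIN_DAYS + 1):
        for hour in range(PERIOD_HOURS):
            cycle = round(1000 + 400 * math.sin(2 * math.pi * hour / PERIOD_HOURS))
            jitter = 40 * ((day + hour) % 3 - 1)      # -40, 0 or +40
            counts.append((day, hour, cycle + jitter))
    counts[-PERIOD_HOURS] = (TRAIN_DAYS, 0, 50)    # midnight restart: volume drops
    return counts


def build_baseline(history):
    """Per hour-of-day (mean, std) of the count, i.e. the seasonal baseline."""
    buckets = defaultdict(list)
    for _, hour, count in history:
        buckets[hour].append(count)
    baseline = {}
    for hour, values in buckets.items():
        mean = sum(values) / len(values)
        var = sum((v - mean) ** 2 for v in values) / len(values)
        baseline[hour] = (mean, math.sqrt(var))
    return baseline


def tail_probability(count, mean, std, min_std=1.0):
    """Two-sided normal tail probability of a count this far from the mean.

    min_std keeps a perfectly flat training bucket from dividing by zero.
    """
    z = abs(count - mean) / max(std, min_std)
    return math.erfc(z / math.sqrt(2))


def find_rate_anomalies(series, train_days=TRAIN_DAYS, threshold=P_THRESHOLD):
    """Return (day, hour, count, probability) for hours after the training
    window whose count is improbable under the hour-of-day baseline,
    most improbable first."""
    history = [row for row in series if row[0] < train_days]
    baseline = build_baseline(history)
    flagged = []
    for day, hour, count in series:
        if day < train_days:
            continue
        mean, std = baseline[hour]
        p = tail_probability(count, mean, std)
        if p < threshold:
            flagged.append((day, hour, count, p))
    return sorted(flagged, key=lambda row: row[3])


if __name__ == "__main__":
    for day, hour, count, p in find_rate_anomalies(make_sample_counts()):
        print(f"day {day} hour {hour:02d}: count={count} p={p:.2e}")
```

Only the restart hour is reported: its count sits roughly 28 standard deviations below the hour-0 baseline, whereas every other hour of the scored day stays within about 1.4 standard deviations of its own hour's baseline. The baseline is keyed by hour-of-day, which is the simplest way to "allow for periodicity"; a weekly cycle would key by (weekday, hour) instead. In SPL the same idea is a `timechart span=1h count` followed by an `eventstats` of the mean and standard deviation grouped by hour-of-day, rather than a per-event unexpectedness score.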

kundeng
Path Finder

Please take a look at the image attached.

It's private data, but as you can see:

Splunk version is the most current, 6.1.1.

The search before piping into the anomalies command calculates a timechart of a counter A.

The anomalies command uses the options: field=A labelonly=true


MuS
SplunkTrust

Without providing any information about:

Splunk version used
sample events
search used

nobody will be able to help or assist you...
