Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How does anomalousvalue work in my search?

sharsmail
Engager
‎12-21-2022 10:33 PM

I'm trying to implement a search query in splunk to get anomalous values around a particular field in the service events.

Essentially the query looks something like this - 

 

 

 

index="abc" source=*servicename*  response_time |    anomalousvalue action=summary pthresh=0.1|search isNum=YES fieldname=response_time

 

 

 

And this gives me a table containing fields like catAnoFreq% , numAnoFreq%, stdev, etc

I looked the documentation https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Anomalousvalue

but didn't understand how exactly it works. 

so for my query if the response_time field has a standard range of values across events, and if my p_thresh=0.1, does that mean that values which occur with a probability of just 10% will fall into the anomalous category? and if i wanted to set an alert on one of the fields in the table to detect anomaly, which would be recommended? i want to set the alert of any event where the response_time num field is not considered within the normal range.

Tags (1)
0 Karma
Reply

sharsmail
Engager
‎01-10-2023 02:35 PM

Can anyone help with the follow up question

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎12-21-2022 11:59 PM

If p_thresh=0.1, an anomalous event must have at least one field whose value falls below probability of 10% or, if numeric, whose standard deviation is greater than 0.9.

To set alert, it would be simpler to use default action of filter.  Something like

index="abc" source=*servicename*  response_time
| fields response_time
| anomalousvalue action=filter pthresh=0.1

 

Reply

sharsmail
Engager
‎01-08-2023 11:22 PM

@yuanliu Thanks.

but if i want to set the alert based on the std value, say if its greater than 30, then using action=summary would be more appropriate? 

And i'm assuming its using the gaussian (normal) distribution for the response_time field since useNum=YES?

so if pthresh=0.01 which is 1% , does that mean it will filter the response_time field value which occur below 1%?

I also see some instances of the search returning both useNum=YES and useCat=YES. not sure why that would happen if in that case its still uses the gaussian distribution.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...