Splunk Search

What are your best anomaly finding searches?

carasso
Splunk Employee

Besides the obvious things of looking for rare field values...

  • what are all the list of anomaly searches you use to find
    unexpected events?

  • How do you limit false positives, or uninteresting anomalies?

The more specific and the more searches you can list out, the better.


prelert
Path Finder

Feedback from our Splunk customers showed the top anomalies they were looking for were:

  • increase/decrease in numeric value in an event
  • increase/decrease in event rate
  • increase/decrease in event rate of a field value
  • rare field values
  • unusual field values compared to other field values

These can be satisfied by running:

   | prelertautodetect metric_value by metric_name
   | prelertautodetect count
   | prelertautodetect count by field_name
   | prelertautodetect rare by field_name
   | prelertautodetect metric_value over field_value
   | prelertautodetect count over field_value

Some specific customer examples are shown here http://support.prelert.com/customer/portal/articles/1355584-examples-overview

To limit false positives, we've found that it is key to apply accurate statistical models to these data. In particular, modelling the tails of probability distributions accurately is key to reducing false positives. In addition, automatically modelling the periodic and seasonal components means that you can model the residuals, which again improves accuracy.

Finally, we've found that normalising the results allows the signal to noise ratio to be controlled, providing an accurate ranking of results in highly anomalous environments.

Happy to provide more customer examples as required.


kristian_kolb
Ultra Champion

blah blah | eval p = punct | stats c(p) as cpu values(_raw) by punct | sort cpu

will show the full _raw for uncommon punct. A bit like rare for the whole event, so to speak.

/k

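As an added example (not code from either post above, and not Splunk's own code): a Python sketch of the punct-based rarity search, which is also the `rare by field_name` idea from the prelert reply with the punctuation pattern as the field. The punct() function is an assumption about how Splunk's auto-extracted field behaves, not its exact algorithm; max_count is a hypothetical threshold for keeping common structures out of the result.

```python
import re
from collections import Counter, defaultdict

# Approximation of Splunk's auto-extracted "punct" field (an assumption about
# its behaviour, not Splunk's exact algorithm): letters and digits are dropped,
# whitespace is rendered as "_", and the pattern is cut at 30 characters.
PUNCT_LEN = 30

def punct(raw: str) -> str:
    pattern = re.sub(r"[A-Za-z0-9]", "", raw)
    pattern = re.sub(r"\s", "_", pattern)
    return pattern[:PUNCT_LEN]

def rare_by(events, field_fn, max_count=1):
    """Rank events by rarity of the value field_fn extracts from each one.

    Same idea as `stats count values(_raw) by <field> | sort count`: returns
    (value, count, [raw events]) tuples, rarest first. max_count is a
    hypothetical noise threshold: values seen more often than that are
    dropped, so common-but-legitimate structures stay out of the result.
    """
    counts = Counter()
    samples = defaultdict(list)
    for raw in events:
        value = field_fn(raw)
        counts[value] += 1
        samples[value].append(raw)
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [(v, c, samples[v]) for v, c in ranked if c <= max_count]

# Constructed sample events (syslog-style, not real data): four structurally
# identical sshd logins and one sudo line whose punctuation pattern is unique.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 bastion sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Jan 10 12:00:07 bastion sshd[1240]: Accepted publickey for bob from 10.0.0.9 port 51240 ssh2",
    "Jan 10 12:00:09 bastion sshd[1244]: Accepted publickey for carol from 10.0.0.7 port 51300 ssh2",
    "Jan 10 12:00:15 bastion sshd[1251]: Accepted publickey for dave from 10.0.0.3 port 51310 ssh2",
    "Jan 10 12:01:02 bastion sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
]

def rare_punct_events(events=SAMPLE_EVENTS, max_count=1):
    """The post's search applied to the sample: rare punctuation signatures."""
    return rare_by(events, punct, max_count)

if __name__ == "__main__":
    for value, count, raws in rare_punct_events():
        print(f"{count:>3}  {value}")
        for raw in raws:
            print(f"       {raw}")
```

Swapping punct for any other extractor (a regex pulling a user or source IP) gives the plain `rare by field_name` variant; raising max_count shows how quickly the output fills with legitimate-but-infrequent structures, which is the false-positive trade-off the question asks about.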