×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sharsmail
Engager
Member since: ‎12-21-2022
‎01-10-2023
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎12-21-2022
Activity Feed
View All

Re: How does anomalousvalue work in my search?

by in Splunk Search
‎01-10-2023 02:35 PM
‎01-10-2023 02:35 PM
Can anyone help with the follow up question   ... View more

Re: Understanding anomalousvalue

by in Splunk Search
‎01-08-2023 11:22 PM
‎01-08-2023 11:22 PM
@yuanliu Thanks. but if i want to set the alert based on the std value, say if its greater than 30, then using action=summary would be more appropriate?  And i'm assuming its using the gaussian (normal) distribution for the response_time field since useNum=YES? so if pthresh=0.01 which is 1% , does that mean it will filter the response_time field value which occur below 1%? I also see some instances of the search returning both useNum=YES and useCat=YES. not sure why that would happen if in that case its still uses the gaussian distribution. ... View more

How does anomalousvalue work in my search?

by in Splunk Search
‎12-21-2022 10:33 PM
‎12-21-2022 10:33 PM
I'm trying to implement a search query in splunk to get anomalous values around a particular field in the service events. Essentially the query looks something like this -        index="abc" source=*servicename* response_time | anomalousvalue action=summary pthresh=0.1|search isNum=YES fieldname=response_time       And this gives me a table containing fields like catAnoFreq% , numAnoFreq%, stdev, etc I looked the documentation https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Anomalousvalue but didn't understand how exactly it works.  so for my query if the response_time field has a standard range of values across events, and if my p_thresh=0.1, does that mean that values which occur with a probability of just 10% will fall into the anomalous category? and if i wanted to set an alert on one of the fields in the table to detect anomaly, which would be recommended? i want to set the alert of any event where the response_time num field is not considered within the normal range. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-10-2023 03:52 PM
Karma given to
View All