×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sharsmail
Engager
Member since: ‎12-21-2022
‎01-10-2023
Community Statistics
Posts 4
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎12-21-2022
Activity Feed
View All

Re: How does anomalousvalue work in my search?

by in Splunk Search
‎01-10-2023 02:35 PM
‎01-10-2023 02:35 PM
Can anyone help with the follow up question   ... View more

Re: Understanding anomalousvalue

by in Splunk Search
‎01-08-2023 11:22 PM
‎01-08-2023 11:22 PM
@yuanliu Thanks. but if i want to set the alert based on the std value, say if its greater than 30, then using action=summary would be more appropriate?  And i'm assuming its using the gaussian (normal) distribution for the response_time field since useNum=YES? so if pthresh=0.01 which is 1% , does that mean it will filter the response_time field value which occur below 1%? I also see some instances of the search returning both useNum=YES and useCat=YES. not sure why that would happen if in that case its still uses the gaussian distribution. ... View more

How does anomalousvalue work in my search?

by in Splunk Search
‎12-21-2022 10:33 PM
‎12-21-2022 10:33 PM
I'm trying to implement a search query in splunk to get anomalous values around a particular field in the service events. Essentially the query looks something like this -        index="abc" source=*servicename* response_time | anomalousvalue action=summary pthresh=0.1|search isNum=YES fieldname=response_time       And this gives me a table containing fields like catAnoFreq% , numAnoFreq%, stdev, etc I looked the documentation https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Anomalousvalue but didn't understand how exactly it works.  so for my query if the response_time field has a standard range of values across events, and if my p_thresh=0.1, does that mean that values which occur with a probability of just 10% will fall into the anomalous category? and if i wanted to set an alert on one of the fields in the table to detect anomaly, which would be recommended? i want to set the alert of any event where the response_time num field is not considered within the normal range. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-10-2023 03:52 PM
Karma given to
View All