Hello! I have numeric data which has values primarily in the range of 500-1,000, with acceptable values being in the range of 500-10,000. I also have a number of outliers below 500 (ranging from 3 to 499), and some outliers above 10,000 (the most noticeable being as high as 1,000,000). I would like to use the Machine Learning Toolkit to detect all the outliers (both those too high, and those too low), ideally to set up some sort of alert. My base search is pretty straightforward: index=xxx source="xxx" reactionTime!=-1 reactionTime=* user=* | dedup ID I tried using the built-in Detect Numeric Outliers assistant, but the higher outliers threw it off (even if I excluded the absolute highest), so it couldn't reliably mark values below 500 as outliers. More recently I've been working with the OneClassSVM algorithm; however, it seems that no matter what I do (I've tried playing around with all the parameters I can), it only marks the bottom nu percent of my data as outliers - completely ignoring the too-high values. Is there any way to detect both upper and lower outliers for my data, either with one of the abovementioned algorithms, or through some other method altogether? Thank you! ... View more

I'm trying to use the OneClassSVM algorithm (thank you, @cmerriman !) to detect outliers in the reactionTime field of my data. As best as I can tell from the information on scikit-learn.org, OneClassSVM is a novelty detection algorithm, meaning that when I use the "fit" command, it will determine a boundary that fits around most-if-not-all of the data I've given it, and deem those data points "normal." When I do so, however, 68% of my data ends up being marked "abnormal." Here's the SPL I'm using: index=xxx source="xxx" reactionTime user=lradics | where reactionTime < 10000 | where reactionTime > 300 | dedup ID | fit OneClassSVM reactionTime into rxn_time_model | table isNormal, reactionTime I don't have much experience with this sort of thing, so I'm suspecting it's probably a user error, but I can't find where I would've gone wrong. Is my understanding of the algorithm's behavior correct? Can anyone point me to what I should change? Thank you! ... View more

In using the Machine Learning Toolkit, I've noticed that some assistants (such as Predict Numeric Fields) have an option to save the chosen specifications as a model, and/or train said saved model on a schedule - which, to the best of my knowledge, would then allow the model to grow increasingly intelligent based on the data flowing through it. Is there an equivalent method for training the Detect Numeric Outliers assistant? So that when it finds outliers for a given time period, it's using data from past trainings in order to determine a suitable average and outlier threshold? I don't know if it's relevant, but here's the SPL I'm using: index=xxx source=xxx reactionTime user=* | sort 0 _time | eval rxnTime=reactionTime/1000 | dedup ID | where rxnTime < 100 | where reactionTime != -1 | eventstats avg("rxnTime") as avg stdev("rxnTime") as stdev | eval lowerBound=(avg-stdev*exact(1.2)), upperBound=(avg+stdev*exact(5)) | eval isOutlier=if('rxnTime' < lowerBound OR 'rxnTime' > upperBound, 1, 0) | search isOutlier=1 | table _time, "rxnTime", lowerBound, upperBound, isOutlier, avg, user Thank you! ... View more

I'm working with the Detect Numeric Outliers assistant from the Splunk Machine Learning Toolkit 2.3.0. When I use the Toolkit's built-in data in the Showcase, I get a lovely Outliers Chart-style visualization in the "Visualizations" tab. The SPL used is as follows: | inputlookup supermarket.csv | head 1000 | eventstats avg("quantity") as avg stdev("quantity") as stdev | eval lowerBound=(avg-stdev*exact(5)), upperBound=(avg+stdev*exact(5)) | eval isOutlier=if('quantity' < lowerBound OR 'quantity' > upperBound, 1, 0) | fields _time, "quantity", lowerBound, upperBound, isOutlier, * When I try to use my own data in the assistant, I get an empty Visualizations tab with the message "Your search isn't generating any statistic or visualization results." (I'm running the search in Smart Mode both times.) The SPL I'm using is: index=xxx source=xxx reactionTime | eventstats avg("reactionTime") as avg stdev("reactionTime") as stdev | eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2)) | eval isOutlier=if('reactionTime' < lowerBound OR 'reactionTime' > upperBound, 1, 0) | fields _time, "reactionTime", lowerBound, upperBound, isOutlier, * When I replace the fields above with table , I get a graph in the Visualizations tab, but the graph is blank with the error message "No data to Display." Adding to my confusion is the fact that the documentation for the table command says not to use it for charts, as it strips away the internal fields, but the Toolkit's User Guide says to use the syntax | table _time, outlier_variable, lowerBound, upperBound for the Outliers Chart. So now I'm stuck - I'd like to display an Outliers Chart with my own data, but I don't know how to do that. Has anyone run into this problem before, or can anyone point me to where I'm doing something wrong? Thank you! ... View more

I am trying to use the Forecast Time Series assistant of the Machine Learning Toolkit, and it's returning the error External search command 'predict' returned error code 1. (When I try copying the SPL or using the "Open in Search" option, I get the same error.) The search I'm entering is source="*" date_year="2017" , and then I'm asking it to predict the date_year field, so I know nothing will have a null or non-numeric value. (Of course, they'll all have the same value - 2017 - but I can't think of why that'd be the issue.) And when looking at the raw data, they all have valid timestamps in the _time field. I can't find any information about error code 1 either in the Splunk documentation or on this site - does anyone have experience with this issue? I'm at a loss for what I should do - any suggestions would be greatly appreciated. Thank you! ... View more