How to determine right value for Outlier Tolerance...

Splunk Search

I am developing a use case to detect outliers on logons for a specific app using Smart Outlier Detection Assistant in MLTK app.

There is the Outlier Tolerance Threshold parameter in the Learn stage which I am unsure how to use.

The doc states "Adjust as needed based on the number of expected outliers."

how can someone know how many outliers they are expected ? To me, it doesn't makes sense as to how or why someone would already know this. Its what the usecase to indicate the number of outliers or maybe I am misinterpreting something.

Can someone please explain or direct me to some good documentation which properly explains this ?

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...