Splunk® App for Anomaly Detection

Use the Splunk App for Anomaly Detection



This documentation does not apply to the most recent version of Splunk® App for Anomaly Detection. For documentation on the most recent version, go to the latest release.

Share data in the Splunk App for Anomaly Detection

When the Splunk App for Anomaly Detection is deployed on Splunk Enterprise, the Splunk platform sends aggregated usage data to Splunk Inc. ("Splunk") to help improve the Splunk App for Anomaly Detection in future releases. For information about how to opt in or out and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

What data is collected

The Splunk App for Anomaly Detection collects the following basic usage information:

Component Description Example
app.session.schedule_clicked Information entered in the "Schedule" modal in the Job Dashboard.
{ 
   component: app.session.schedule_clicked
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     page: start
     rowData: { 
       alertExpiresTimeUnit: h
       alertExpiresValue: 24
       cronSchedule:
       description: got5 milk?
       emailTo: wdeaderick@splunk.com
       name: got5 milk?
       search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
     }
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: b83a31f5-1028-6ca8-dac6-94c2985e0caa
   experienceID: 5efc3c69-0a78-611b-7c34-c641e2597d80
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678991871
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.manage_alert_clicked When a user clicks "Manage alert" in the Anomaly app.
{
    "optInRequired": 3,
    "version": "4",
    "experienceID": "dd4a1aa8-13ba-84dc-2386-0de9174cb1d9",
    "timestamp": 1678237020,
    "visibility": "anonymous,support",
    "userID": "3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc",
    "deploymentID": "c551ac66-1d97-5dc7-98ac-634bcc99ebee",
    "component": "app.session.manage_alert_clicked",
    "splunkVersion": "9.0.3",
    "eventID": "84ddf59b-5c41-1bca-03c9-490c973dfafa",
    "data": {
        "app": "Splunk_App_for_Anomaly_Detection",
        "page": "start",
        "rowData": {
            "numOfAnomConditionValue": "1",
            "confConditionSymbol": ">=",
            "confConditionValue": "0.82",
            "alertExpiresTimeUnit": "h",
            "alertExpiresValue": "24",
            "cronSchedule": "15 * * * *",
            "description": "Tel test2 desc",
            "search": "| inputlookup kpi.csv \n| dedup _time\n| sort _time\n| fit StateSpaceForecast input period=24 as preds\n| anomconfidences field_name=input pred_name=preds conf_name=anomConf\n| eval thresh = 0.878\n| eval isOutlier = if(anomConf >= thresh, 1, 0)\n| anomintervals field_name=input conf_name=anomConf anom_name=isOutlier\n| table _time, input, isOutlier, anomConf",
            "emailMsg": "The alert condition was triggered.",
            "name": "Tel test2",
            "emailSubject": "Splunk Alert: Tel test2",
            "emailTo": "dchang@splunk.com",
            "numOfAnomConditionSymbol": ">="
        },
        "source": "UI Telemetry"
    }
}
app.session.app_go_to_tab The tab ("Job Dashboard" or "Create a New Job") to which the user changed.
{ 
   component: app.session.new_job_go_to_tab
   data: { 
     activePanelId: Create Anomaly Job
     app: Splunk_App_for_Anomaly_Detection
     page: start
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: d6e4950f-2806-a4f2-82bb-6f4268372b7f
   experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678908071
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.field_selected The name of the field in the user's data that was selected for anomaly detection.
{ 
   component: app.session.field_selected
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     field: ts15
     page: start
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: 198d7451-bbcc-815e-513a-5a9fd7a429d6
   experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678914715
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.alert_trigger_saved The information that evaluates the detected anomalies against the alerting conditions to determine whether or not an email should be sent.
{ 
   component: app.session.alert_trigger_saved
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     data: { 
       action.email.mailserver: mail.splunk.com
       action.email.message.alert: The alert condition was triggered.
       action.email.subject: Splunk Alert: Tel test2
       action.email.to: dchang@splunk.com
       actions: email
       alert.expires: 24h
       alert_condition: | delta isOutlier as outlierDelta | eval isFirstOutlier=if(outlierDelta == 1, 1, 0) | where isFirstOutlier == 1 | eventstats count as outlierCount | sort 1 anomConf desc | stats min(anomConf) as minAnomConf by outlierCount | search outlierCount >= 1 AND minAnomConf >= 0.82
       alert_type: custom
       is_scheduled: true
       search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
     }
     name: Tel test2
     page: start
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: 39b03015-8009-841e-03d4-e9231847ecb3
   experienceID: dd4a1aa8-13ba-84dc-2386-0de9174cb1d9
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678237006
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.new_job_go_to_tab The tab ("Job Dashboard" or "Create a New Job") to which the user changed.
{ 
   component: app.session.new_job_go_to_tab
   data: { 
     activePanelId: Create Anomaly Job
     app: Splunk_App_for_Anomaly_Detection
     page: start
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: d6e4950f-2806-a4f2-82bb-6f4268372b7f
   experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678908071
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.schedule_saved The scheduling details that the user entered for the Job execution.
{ 
   component: app.session.schedule_saved
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     data: { 
       cron_schedule: */5 * * * *
     }
     page: start
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: 9ab7237b-4f3b-7b3c-22c8-155256e2c18c
   experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678919796
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.new_job_saved Saving of a new job in the app.
{ 
   component: app.session.new_job_saved
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     jobFormDetails: [ 
       { 
         label: Job Name
         value: got5 milk?
       }
       { 
         label: Job Description
         value: got5 milk?
       }
     ]
     page: start
     search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: 34312936-ed61-0eb1-fe2a-e88d62e1897d
   experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678908197
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.delete_job_clicked User deleted a job.
{ 
   component: app.session.delete_job_clicked
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     page: start
     rowData: { 
       alertExpiresTimeUnit: h
       alertExpiresValue: 24
       cronSchedule:
       description: got4 milk?
       emailTo:
       name: got4 milk?
       search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
     }
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: 87e8cbd2-58c3-e775-b6cc-9df8d3b4cc90
   experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678910922
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.detect_anomalies_clicked User clicked on the "Detect Anomalies" button to initiate anomaly detection.
{ 
   component: app.session.detect_anomalies_clicked
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     page: start
     search: | inputlookup kpi.csv | dedup _time | sort _time | table _time input | fit AutoAnomalyDetection input
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: c2d959ca-b930-6ccc-5ec9-cf747fbd06b6
   experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678908083
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.sensitivity_saved The sensitivity value (low, medium, or high) selected by the user upon operationalization of the AD search.
{ 
   component: app.session.sensitivity_saved
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     page: start
     sensitivity: 2
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: 42ea2afb-57c6-326c-dfcf-2b0504856947
   experienceID: ffc7e5a5-44dc-92ec-ffbd-e34b1dae7a62
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1677867058
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.create_job_open_in_search_clicked User clicked on the button to open the SPL query in search from within the "Create Job" dialog.
{ 
   component: app.session.create_job_open_in_search_clicked
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     page: start
     search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.6681 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: 87877205-355b-f3f8-2c9e-30bda02fc50e
   experienceID: ffc7e5a5-44dc-92ec-ffbd-e34b1dae7a62
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1677867086
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.view_spl_clicked User clicked on the button to open the SPL query in search from the main AD workflow UI.
{ 
   component: app.session.view_spl_clicked
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     page: start
     search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.6681 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: 0e7f77ee-a5ad-a78b-0d7d-85079cd7265e
   experienceID: ffc7e5a5-44dc-92ec-ffbd-e34b1dae7a62
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1677867088
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.delete_job_successful Deleting a job was successful.
{ 
   component: app.session.delete_job_successful
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     page: start
     rowData: { 
       alertExpiresTimeUnit: h
       alertExpiresValue: 24
       cronSchedule:
       description: got4 milk?
       emailTo:
       name: got4 milk?
       search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
     }
     source: UI Telemetry
   }
   deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
   eventID: c7c9a89f-40dd-cbfa-d47f-84909faf0cfd
   experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
   optInRequired: 3
   splunkVersion: 9.0.3
   timestamp: 1678910922
   userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
   version: 4
   visibility: anonymous,support
}
app.session.delete_model_artifact_successful Deleting model artifacts associated with a job that was deleted was successful.
{ 
   component: app.session.delete_model_artifact_successful
   data: { 
     app: Splunk_App_for_Anomaly_Detection
     cronSchedule:
     page: start
     rowData: { 
       alertExpiresTimeUnit: h
       alertExpiresValue: 24
     }
     source: UI Telemetry
   }
   deploymentID: 821a4186-5c1e-5c26-bc39-355b7a6d8559
   eventID: a8174b63-e49c-ffc8-a560-a87ce2bcdcf4
   experienceID: 079cf05d-ff0a-cf56-09ed-61499468e16b
   optInRequired: 3
   splunkVersion: 9.0.1
   timestamp: 1680287440
   userID: e0c7c133de97dccf5e30df7e77afb4c27de23536979fa897c36534b7c2b36fab
   version: 4
   visibility: anonymous,support
}
app.Splunk_App_for_Anomaly_Detection.anomalyapp The data health check result. For example, if data contains missing values, or timestamps are unevenly spaced.
{ 
   app: Splunk_App_for_Anomaly_Detection
   component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
   data: {
     count: 3
     message: Health check score: 2; No data quality issues detected.
   }
   deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
   eventID: 7755BDFD-3BD5-4FA7-9D07-8EE044B378C3
   executionID: DEB3F0F8-3319-4B64-807E-581EE9BD2DF4
   optInRequired: 3
   timestamp: 1678880187
   type: aggregate
   visibility: [
   ]
}
app.Splunk_App_for_Anomaly_Detection.anomalyapp The number of anomalies/anomalous intervals detected in the data.
{ 
   app: Splunk_App_for_Anomaly_Detection
   component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
   data: {
     count: 5
     message: 1 anomalous interval(s) found.
   }
   deploymentID: db49a47c-7c97-544e-9236-f5e2f7547600
   eventID: C09FA2A1-A9F4-498F-9DD4-D6050FFACD00
   executionID: 46D024B4-E1EA-4394-BB47-966D92C731C0
   optInRequired: 3
   timestamp: 1678895466
   type: aggregate
   visibility: [
   ]
}
app.Splunk_App_for_Anomaly_Detection.anomalyapp The length of the seasonal/periodic component (if one is found) in the data.
{ 
   app: Splunk_App_for_Anomaly_Detection
   component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
   data: { 
     count: 1
     message: Detected seasonal period length: 1
   }
   deploymentID: a676d989-ba85-599f-91c2-9cb0c16722ed
   eventID: 9A7BBCAC-B0CE-48E5-A4FD-52FE37763AB2
   executionID: 15BA56B4-06DD-4420-A86A-D2BA2496EA1B
   optInRequired: 3
   timestamp: 1678876382
   type: aggregate
   visibility: [
   ]
}
app.Splunk_App_for_Anomaly_Detection.anomalyapp Whether the user is running the app with the Splunk preinstalled dataset or with their own data.
{ 
   app: Splunk_App_for_Anomaly_Detection
   component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
   data: { 
     count: 1
     message: Using our included inputlookup data
   }
   deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
   eventID: DA0A3667-BF04-4427-8F77-339AB11079A2
   executionID: DEB3F0F8-3319-4B64-807E-581EE9BD2DF4
   optInRequired: 3
   timestamp: 1678880187
   type: aggregate
   visibility: [
     anonymous
   ]
}
app.Splunk_App_for_Anomaly_Detection.anomalyapp The top and bottom 5 anomaly confidence scores found in the data.
{ 
   app: Splunk_App_for_Anomaly_Detection
   component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
   data: { 
     count: 1
     message: Top 5 anomConfs: [0.9433 0.8127 0.7784 0.7269 0.7113]
   }
   deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
   eventID: F939CAC7-E468-4490-9915-BA448068533D
   executionID: DEB3F0F8-3319-4B64-807E-581EE9BD2DF4
   optInRequired: 3
   timestamp: 1678880187
   type: aggregate
   visibility: [ 
   ]
}
app.Splunk_App_for_Anomaly_Detection.anomalyapp How long our custom algorithm took to run. Encompasses all backend computation other than the SPL query execution time.
{ 
   app: Splunk_App_for_Anomaly_Detection
   component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
   data: { 
     count: 1
     message: Total execution time in seconds for `fit AutoAnomalyDetection` call: 0.5578451156616211
   }
   deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
   eventID: 813454ED-EDF5-488E-8BE2-00E3B64F5D01
   executionID: A2D51B94-F483-4367-AB4A-FA92B6DC5597
   optInRequired: 3
   timestamp: 1678972625
   type: aggregate
   visibility: [
   ]
}
app.Splunk_App_for_Anomaly_Detection.anomalyapp The data resolution. The spacing between timestamps, in number of seconds.
{
   app: Splunk_App_for_Anomaly_Detection
   component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
   data: { 
     count: 1
     message: Data resolution: 3600.0 seconds.
   }
   deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
   eventID: 813454ED-EDF5-488E-8BE2-00E3B64F5D01
   executionID: A2D51B94-F483-4367-AB4A-FA92B6DC5597
   optInRequired: 3
   timestamp: 1678972625
   type: aggregate
   visibility: [
   ]
}
app.Splunk_App_for_Anomaly_Detection.anomalyapp Range of the data values. Number of orders of magnitude between highest and lowest value.
{
   app: Splunk_App_for_Anomaly_Detection
   component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
   data: { 
     count: 1
     message: Data varies over 0.5844700114060526 orders of magnitude.
   }
   deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
   eventID: 813454ED-EDF5-488E-8BE2-00E3B64F5D01
   executionID: A2D51B94-F483-4367-AB4A-FA92B6DC5597
   optInRequired: 3
   timestamp: 1678972625
   type: aggregate
   visibility: [
   ]
}
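
Several of the example payloads above carry values that a user typed into the app: job names and descriptions, email recipients and subjects, the mail server name, and SPL search strings that name lookup files. The following Python script is an added example, not part of the Splunk documentation or the app's code; it walks a telemetry event, lists the fields of that kind, and produces a redacted copy for review. The category names, the decision to treat these keys as sensitive, and the sample event with all of its values are assumptions constructed for illustration.

```python
import re

# Key names are taken from the example payloads on this page. Treating them as
# sensitive is this example's assumption, not a Splunk classification.
FREE_TEXT_KEYS = {"search", "alert_condition", "name", "description",
                  "emailSubject", "emailMsg", "action.email.subject",
                  "action.email.message.alert"}
HOST_KEYS = {"action.email.mailserver"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
LOOKUP_RE = re.compile(r"\|\s*inputlookup\s+\S+")


def classify(key, value):
    """Return the set of (hypothetical) categories that apply to one leaf."""
    cats = set()
    if not isinstance(value, str) or not value:
        return cats
    if EMAIL_RE.search(value):
        cats.add("email_address")
    if key in HOST_KEYS:
        cats.add("internal_hostname")
    if key in FREE_TEXT_KEYS:
        cats.add("user_entered_text")
    if LOOKUP_RE.search(value):
        cats.add("lookup_file_name")
    return cats


def audit_event(node, path=(), key=""):
    """Walk a telemetry event and list (path, category) for flagged leaves."""
    if isinstance(node, dict):
        return [f for k, v in node.items() for f in audit_event(v, path + (k,), k)]
    if isinstance(node, list):
        return [f for i, v in enumerate(node)
                for f in audit_event(v, path + (f"[{i}]",), key)]
    return [("/".join(path), c) for c in sorted(classify(key, node))]


def redact_event(node, key=""):
    """Return a copy with every flagged leaf replaced by a marker string."""
    if isinstance(node, dict):
        return {k: redact_event(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_event(v, key) for v in node]
    return "<redacted>" if classify(key, node) else node


# Constructed event shaped like the alert_trigger_saved example; values invented.
SAMPLE_EVENT = {
    "component": "app.session.alert_trigger_saved",
    "visibility": "anonymous,support",
    "userID": "constructed-placeholder",
    "data": {"app": "Splunk_App_for_Anomaly_Detection", "name": "Checkout latency",
             "page": "start", "source": "UI Telemetry",
             "data": {"action.email.mailserver": "mail.corp.example",
                      "action.email.to": "oncall@example.com",
                      "action.email.subject": "Splunk Alert: Checkout latency",
                      "alert.expires": "24h",
                      "search": "| inputlookup payments_kpi.csv | fit AutoAnomalyDetection input"}},
}

if __name__ == "__main__":
    for path, category in audit_event(SAMPLE_EVENT):
        print(f"{category:18} {path}")
```

Running the audit over events captured from your own deployment shows which fields would leave the environment before you decide whether to opt in.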
Last modified on 27 June, 2023

This documentation applies to the following versions of Splunk® App for Anomaly Detection: 1.0.0

