This documentation does not apply to the most recent version of Splunk® App for Anomaly Detection.
For documentation on the most recent version, go to the latest release.
When the Splunk App for Anomaly Detection is deployed on Splunk Enterprise, the Splunk platform sends aggregated usage data to Splunk Inc. ("Splunk") to help improve the Splunk App for Anomaly Detection in future releases. For information about how to opt in or out and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.
What data is collected
The Splunk App for Anomaly Detection collects the following basic usage information:
| Component | Description | Example |
|---|---|---|
app.session.schedule_clicked
|
Information entered in the "Schedule" modal in the Job Dashboard. | {
component: app.session.schedule_clicked
data: {
app: Splunk_App_for_Anomaly_Detection
page: start
rowData: {
alertExpiresTimeUnit: h
alertExpiresValue: 24
cronSchedule:
description: got5 milk?
emailTo: wdeaderick@splunk.com
name: got5 milk?
search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
}
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: b83a31f5-1028-6ca8-dac6-94c2985e0caa
experienceID: 5efc3c69-0a78-611b-7c34-c641e2597d80
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678991871
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.manage_alert_clicked
|
When a user clicks "Manage alert" in Anomaly app. | {
"optInRequired": 3,
"version": "4",
"experienceID": "dd4a1aa8-13ba-84dc-2386-0de9174cb1d9",
"timestamp": 1678237020,
"visibility": "anonymous,support",
"userID": "3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc",
"deploymentID": "c551ac66-1d97-5dc7-98ac-634bcc99ebee",
"component": "app.session.manage_alert_clicked",
"splunkVersion": "9.0.3",
"eventID": "84ddf59b-5c41-1bca-03c9-490c973dfafa",
"data": {
"app": "Splunk_App_for_Anomaly_Detection",
"page": "start",
"rowData": {
"numOfAnomConditionValue": "1",
"confConditionSymbol": ">=",
"confConditionValue": "0.82",
"alertExpiresTimeUnit": "h",
"alertExpiresValue": "24",
"cronSchedule": "15 * * * *",
"description": "Tel test2 desc",
"search": "| inputlookup kpi.csv \n| dedup _time\n| sort _time\n| fit StateSpaceForecast input period=24 as preds\n| anomconfidences field_name=input pred_name=preds conf_name=anomConf\n| eval thresh = 0.878\n| eval isOutlier = if(anomConf >= thresh, 1, 0)\n| anomintervals field_name=input conf_name=anomConf anom_name=isOutlier\n| table _time, input, isOutlier, anomConf",
"emailMsg": "The alert condition was triggered.",
"name": "Tel test2",
"emailSubject": "Splunk Alert: Tel test2",
"emailTo": "dchang@splunk.com",
"numOfAnomConditionSymbol": ">="
},
"source": "UI Telemetry"
}
}
|
app.session.app_go_to_tab
|
The tab ("Job Dashboard" or "Create a New Job") to which the user changed. | {
component: app.session.new_job_go_to_tab
data: {
activePanelId: Create Anomaly Job
app: Splunk_App_for_Anomaly_Detection
page: start
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: d6e4950f-2806-a4f2-82bb-6f4268372b7f
experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678908071
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.field_selected
|
The name of the field in the user's data that was selected for anomaly detection. | {
component: app.session.field_selected
data: {
app: Splunk_App_for_Anomaly_Detection
field: ts15
page: start
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: 198d7451-bbcc-815e-513a-5a9fd7a429d6
experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678914715
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.alert_trigger_saved
|
The information that evaluates the detected anomalies against the alerting conditions to determine whether or not an email should be sent. | {
component: app.session.alert_trigger_saved
data: {
app: Splunk_App_for_Anomaly_Detection
data: {
action.email.mailserver: mail.splunk.com
action.email.message.alert: The alert condition was triggered.
action.email.subject: Splunk Alert: Tel test2
action.email.to: dchang@splunk.com
actions: email
alert.expires: 24h
alert_condition: | delta isOutlier as outlierDelta | eval isFirstOutlier=if(outlierDelta == 1, 1, 0) | where isFirstOutlier == 1 | eventstats count as outlierCount | sort 1 anomConf desc | stats min(anomConf) as minAnomConf by outlierCount | search outlierCount >= 1 AND minAnomConf >= 0.82
alert_type: custom
is_scheduled: true
search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
}
name: Tel test2
page: start
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: 39b03015-8009-841e-03d4-e9231847ecb3
experienceID: dd4a1aa8-13ba-84dc-2386-0de9174cb1d9
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678237006
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.new_job_go_to_tab
|
The tab ("Job Dashboard" or "Create a New Job") to which the user changed. | {
component: app.session.new_job_go_to_tab
data: {
activePanelId: Create Anomaly Job
app: Splunk_App_for_Anomaly_Detection
page: start
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: d6e4950f-2806-a4f2-82bb-6f4268372b7f
experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678908071
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.schedule_saved
|
The scheduling details that the user entered for the Job execution. | {
component: app.session.schedule_saved
data: {
app: Splunk_App_for_Anomaly_Detection
data: {
cron_schedule: */5 * * * *
}
page: start
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: 9ab7237b-4f3b-7b3c-22c8-155256e2c18c
experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678919796
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.new_job_saved
|
Saving of a new job in the app. | {
component: app.session.new_job_saved
data: {
app: Splunk_App_for_Anomaly_Detection
jobFormDetails: [
{
label: Job Name
value: got5 milk?
}
{
label: Job Description
value: got5 milk?
}
]
page: start
search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: 34312936-ed61-0eb1-fe2a-e88d62e1897d
experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678908197
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.delete_job_clicked
|
User deleted a job. | {
component: app.session.delete_job_clicked
data: {
app: Splunk_App_for_Anomaly_Detection
page: start
rowData: {
alertExpiresTimeUnit: h
alertExpiresValue: 24
cronSchedule:
description: got4 milk?
emailTo:
name: got4 milk?
search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
}
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: 87e8cbd2-58c3-e775-b6cc-9df8d3b4cc90
experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678910922
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.detect_anomalies_clicked
|
User clicked on the "Detect Anomalies" button to initiate anomaly detection. | {
component: app.session.detect_anomalies_clicked
data: {
app: Splunk_App_for_Anomaly_Detection
page: start
search: | inputlookup kpi.csv | dedup _time | sort _time | table _time input | fit AutoAnomalyDetection input
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: c2d959ca-b930-6ccc-5ec9-cf747fbd06b6
experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678908083
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.sensitivity_saved
|
The sensitivity value (low, medium, or high) selected by the user upon operationalization of the AD search. | { [
component: app.session.sensitivity_saved
data: { [
app: Splunk_App_for_Anomaly_Detection
page: start
sensitivity: 2
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: 42ea2afb-57c6-326c-dfcf-2b0504856947
experienceID: ffc7e5a5-44dc-92ec-ffbd-e34b1dae7a62
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1677867058
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.create_job_open_in_search_clicked
|
User clicked on the button to open the SPL query in search from within the "Create Job" dialog. | {
component: app.session.create_job_open_in_search_clicked
data: {
app: Splunk_App_for_Anomaly_Detection
page: start
search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.6681 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: 87877205-355b-f3f8-2c9e-30bda02fc50e
experienceID: ffc7e5a5-44dc-92ec-ffbd-e34b1dae7a62
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1677867086
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.view_spl_clicked
|
User clicked on the button to open the SPL query in search from the main AD workflow UI. | {
component: app.session.view_spl_clicked
data: {
app: Splunk_App_for_Anomaly_Detection
page: start
search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.6681 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: 0e7f77ee-a5ad-a78b-0d7d-85079cd7265e
experienceID: ffc7e5a5-44dc-92ec-ffbd-e34b1dae7a62
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1677867088
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.delete_job_successful
|
Deleting a job was successful. | {
component: app.session.delete_job_successful
data: {
app: Splunk_App_for_Anomaly_Detection
page: start
rowData: {
alertExpiresTimeUnit: h
alertExpiresValue: 24
cronSchedule:
description: got4 milk?
emailTo:
name: got4 milk?
search: | inputlookup kpi.csv | dedup _time | sort _time | fit StateSpaceForecast input period=24 as preds | anomconfidences field_name=input pred_name=preds conf_name=anomConf | eval thresh = 0.878 | eval isOutlier = if(anomConf >= thresh, 1, 0) | anomintervals field_name=input conf_name=anomConf anom_name=isOutlier | table _time, input, isOutlier, anomConf
}
source: UI Telemetry
}
deploymentID: c551ac66-1d97-5dc7-98ac-634bcc99ebee
eventID: c7c9a89f-40dd-cbfa-d47f-84909faf0cfd
experienceID: e3567a53-e173-e2df-2d85-e4911b77d2b2
optInRequired: 3
splunkVersion: 9.0.3
timestamp: 1678910922
userID: 3dd53389b7530de43e28ba58dead9cda506df188cf348f24c5984be45bcbd3bc
version: 4
visibility: anonymous,support
}
|
app.session.delete_model_artifact_successful
|
Deleting model artifacts associated with a job that was deleted was successful. | {
component: app.session.delete_model_artifact_successful
data: {
app: Splunk_App_for_Anomaly_Detection
cronSchedule:
page: start
rowData: {
alertExpiresTimeUnit: h
alertExpiresValue: 24
}
source: UI Telemetry
}
deploymentID: 821a4186-5c1e-5c26-bc39-355b7a6d8559
eventID: a8174b63-e49c-ffc8-a560-a87ce2bcdcf4
experienceID: 079cf05d-ff0a-cf56-09ed-61499468e16b
optInRequired: 3
splunkVersion: 9.0.1
timestamp: 1680287440
userID: e0c7c133de97dccf5e30df7e77afb4c27de23536979fa897c36534b7c2b36fab
version: 4
visibility: anonymous,support
}
|
app.Splunk_App_for_Anomaly_Detection.anomalyapp
|
The data health check result. For example, if data contains missing values, or timestamps are unevenly spaced. | {
app: Splunk_App_for_Anomaly_Detection
component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
data: {
count: 3
message: Health check score: 2; No data quality issues detected.
}
deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
eventID: 7755BDFD-3BD5-4FA7-9D07-8EE044B378C3
executionID: DEB3F0F8-3319-4B64-807E-581EE9BD2DF4
optInRequired: 3
timestamp: 1678880187
type: aggregate
visibility: [
]
}
|
app.Splunk_App_for_Anomaly_Detection.anomalyapp
|
The number of anomalies/ anomalous intervals detected in the data. | {
app: Splunk_App_for_Anomaly_Detection
component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
data: {
count: 5
message: 1 anomalous interval(s) found.
}
deploymentID: db49a47c-7c97-544e-9236-f5e2f7547600
eventID: C09FA2A1-A9F4-498F-9DD4-D6050FFACD00
executionID: 46D024B4-E1EA-4394-BB47-966D92C731C0
optInRequired: 3
timestamp: 1678895466
type: aggregate
visibility: [
]
}
|
app.Splunk_App_for_Anomaly_Detection.anomalyapp
|
The length of the seasonal/periodic component (if one is found) in the data. | {
app: Splunk_App_for_Anomaly_Detection
component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
data: {
count: 1
message: Detected seasonal period length: 1
}
deploymentID: a676d989-ba85-599f-91c2-9cb0c16722ed
eventID: 9A7BBCAC-B0CE-48E5-A4FD-52FE37763AB2
executionID: 15BA56B4-06DD-4420-A86A-D2BA2496EA1B
optInRequired: 3
timestamp: 1678876382
type: aggregate
visibility: [
]
}
|
app.Splunk_App_for_Anomaly_Detection.anomalyapp
|
Whether the user is running the app with Splunk preinstalled dataset or with their own data. | {
app: Splunk_App_for_Anomaly_Detection
component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
data: {
count: 1
message: Using our included inputlookup data
}
deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
eventID: DA0A3667-BF04-4427-8F77-339AB11079A2
executionID: DEB3F0F8-3319-4B64-807E-581EE9BD2DF4
optInRequired: 3
timestamp: 1678880187
type: aggregate
visibility: [
anonymous
]
}
|
app.Splunk_App_for_Anomaly_Detection.anomalyapp
|
The top and bottom 5 anomaly confidence scores found in the data. | {
app: Splunk_App_for_Anomaly_Detection
component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
data: {
count: 1
message: Top 5 anomConfs: [0.9433 0.8127 0.7784 0.7269 0.7113]
}
deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
eventID: F939CAC7-E468-4490-9915-BA448068533D
executionID: DEB3F0F8-3319-4B64-807E-581EE9BD2DF4
optInRequired: 3
timestamp: 1678880187
type: aggregate
visibility: [
]
}
|
app.Splunk_App_for_Anomaly_Detection.anomalyapp
|
How long our custom algorithm took to run. Encompasses all backend computation other than the SPL query execution time. | {
app: Splunk_App_for_Anomaly_Detection
component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
data: {
count: 1
message: Total execution time in seconds for `fit AutoAnomalyDetection` call: 0.5578451156616211
}
deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
eventID: 813454ED-EDF5-488E-8BE2-00E3B64F5D01
executionID: A2D51B94-F483-4367-AB4A-FA92B6DC5597
optInRequired: 3
timestamp: 1678972625
type: aggregate
visibility: [
]
}
|
app.Splunk_App_for_Anomaly_Detection.anomalyapp
|
The data resolution. The spacing between timestamps, in number of seconds. | {
app: Splunk_App_for_Anomaly_Detection
component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
data: {
count: 1
message: Data resolution: 3600.0 seconds.
}
deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
eventID: 813454ED-EDF5-488E-8BE2-00E3B64F5D01
executionID: A2D51B94-F483-4367-AB4A-FA92B6DC5597
optInRequired: 3
timestamp: 1678972625
type: aggregate
visibility: [
]
}
|
app.Splunk_App_for_Anomaly_Detection.anomalyapp
|
Range of the data values. Number of orders of magnitude between highest and lowest value. | {
app: Splunk_App_for_Anomaly_Detection
component: app.Splunk_App_for_Anomaly_Detection.anomalyapp
data: {
count: 1
message: Data varies over 0.5844700114060526 orders of magnitude.
}
deploymentID: a2cbe2e4-ae0e-5dd1-9e15-af9aeff49113
eventID: 813454ED-EDF5-488E-8BE2-00E3B64F5D01
executionID: A2D51B94-F483-4367-AB4A-FA92B6DC5597
optInRequired: 3
timestamp: 1678972625
type: aggregate
visibility: [
]
}
|
Last modified on 27 June, 2023
| Splunk App for Anomaly Detection workflow | Support for the Splunk App for Anomaly Detection |
This documentation applies to the following versions of Splunk® App for Anomaly Detection: 1.0.0
Download manual
Feedback submitted, thanks!