Known issues

If you invoke timechart with a resolution finer than the data, the missing values are filled with null rather than 0. As a result, if you invoke interpolatemissingvalues afterwards, the search command will raise an exception since it will try to interpolate too many values, and fail the "don't interpolate too much data" condition. Technically, all pieces are working correctly here, but the outcome can still be unexpected.

Workaround:
This issue can be worked around by adding | fillnull between timechart and interpolatemissingvalues.

Splunk automatically infers daylight savings time, which causes duplicate timestamps to be generated in otherwise evenly spaced data. For example, on the day we "jump forward" in March, 2AM and 3AM will both map to 3AM. This causes both interpolatemissingvalues or timeseriesregularitycheck to detect the time series as unevenly spaced, and thus, force the user to aggregate their data.

Workaround:
This issue can be worked around by including | dedup _time in the SPL query before invoking the search commands. Note that this doesn't correctly handle the issue, it just prevents the commands from raising an exception.

If your search in Step 2 returns 0 events, you see this error message: "No matching fields exist. Make sure that your search results contain the _time field." This error message shows even if you have a _time field in your data. To confirm, try re-running the search in the "Search" tab of the app.

Under certain conditions, AutoAnomalyDetection can raise an exception like:
Error in 'fit' command: Error while fitting "AutoAnomalyDetection" model: Error: Found array with 0 feature(s) (shape=(141, 0)) while a minimum of 1 is required.
It appears to happen with shorter time series, as a test dataset worked when aggregated on 2-hour windows (96 records), but failed on a 4-hour window (48 records).

If your query in Step 2 returns multiple numeric fields, these fields show in the "Field for Detection" dropdown in Step 3. However, once you choose a field, the other numeric fields no longer show in the dropdown.

Workaround:
As a workaround, if you want to change the field you selected, re-run the search in Step 2.

In an environment with many apps (>100) installed on the Splunk instance, even if you have PSC & MLTK installed, it is possible that a warning banner will be shown on AnomalyApp's landing page indicating that PSC and / or MLTK have not been installed. This is because we currently only look for them among the first 100 apps listed. The warning message is irrelevant in this scenario and needs to be fixed so it looks beyond the first 100 apps to find our dependencies.

Workaround:
As a workaround, ignore the warning message and continue using the app.