anomalies

Synopsis

Computes an unexpectedness score for an event.

Syntax

anomalies [threshold=num] [labelonly=bool] [normalize=bool] [maxvalues=int] [field=field] [blacklist=filename] [blacklistthreshold=num] [by-clause]

Arguments

threshold
Datatype: <num>
Description: Unexpectedness cutoff used to filter out well-expected events (see Description below). Defaults to 0.01.
labelonly
Datatype: <bool>
Description: If true, no events are removed; the unexpectedness attribute is set on every event instead.
normalize
Datatype: <bool>
Description: If true (the default), numeric values are normalized. Set to false to treat numeric data as categories rather than numbers.
maxvalues
Datatype: <int>
Description: Number of previous events that each event's field value is compared against when computing its unexpectedness.
field
Datatype: <field>
Description: The field to analyze. Defaults to _raw.
blacklist
Datatype: <filename>
Description: Name of a csv file of events in splunk_home/var/run/splunk/BLACKLIST.csv. Incoming events similar to the blacklisted events are treated as uninteresting and given an unexpectedness score of 0.0.
blacklistthreshold
Datatype: <num>
Description: Similarity score above which an event matching a blacklisted event is marked as unexpected. Defaults to 0.05.


Description

Determines the degree of unexpectedness of an event's field value, based on the previous maxvalues events. By default it removes events that are well expected (unexpectedness > threshold). The default threshold is 0.01. If labelonly is true, no events are removed, and the unexpectedness attribute is set on all events.

The field analyzed by default is _raw. By default, normalize is true, which normalizes numerics. For cases where the field contains numeric data that should not be normalized, but treated as categories, set normalize=false.

The blacklist is the name of a csv file of events in splunk_home/var/run/splunk/BLACKLIST.csv, such that any incoming events that are similar to the blacklisted events are treated as not anomalous (i.e., uninteresting) and given an unexpectedness score of 0.0. Events that match blacklisted events with a similarity score above blacklistthreshold (defaulting to 0.05) are marked as unexpected.

The inclusion of a 'by' clause allows the specification of a list of fields by which to segregate results for anomaly detection. For each combination of values of the specified field(s), events with those values are treated entirely separately. Therefore, 'anomalies by source' will look for anomalies in each source separately: a pattern in one source will not affect whether an event is considered anomalous in another source.

Examples

Example 1: Show most interesting events first, ignoring any in the blacklist 'boringevents'.

... | anomalies blacklist=boringevents | sort -unexpectedness

Example 2: Use with transactions to find regions of time that look unusual.

... | transaction maxpause=2s | anomalies

Example 3: Return only anomalous events.

... | anomalies
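The following search is an added example, not one of the page's own, combining the 'by' clause and labelonly described above so that every event keeps its score and nothing is dropped before review. The index name auth, the sourcetype linux_secure and the host field are assumed placeholders for a set of authentication logs; substitute your own.

```spl
index=auth sourcetype=linux_secure
| anomalies labelonly=true by host
| sort -unexpectedness
| table _time host unexpectedness _raw
```

Because of the 'by host' clause, each host's log lines are scored only against that host's own previous maxvalues events, so a noisy but routine pattern on one host does not make the same pattern look normal on another. Once the high-scoring events have been reviewed, remove labelonly=true to keep only the anomalous events, and put the recurring benign ones into a blacklist csv so that later searches assign them an unexpectedness of 0.0.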


See also

anomalousvalue, cluster, kmeans, outlier

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.
