outlier
This documentation does not apply to the most recent version of Splunk.
Synopsis
Removes outlying numerical values.
Syntax
outlier [<outlier-option>]* [<field-list>]
Arguments
- <outlier-option>
- Syntax: <outlier-action-opt> | <outlier-param-opt> | <outlier-type-opt> | <outlier-uselower-opt>
- Description: Outlier options.
- <field-list>
- Syntax: <string>, ...
- Description: Comma-delimited list of field names.
Outlier options
- <outlier-type-opt>
- Syntax: type=iqr
- Description: Type of outlier detection. Currently, the only option available is IQR (inter-quartile range).
- <outlier-action-opt>
- Syntax: action=(rm|remove|tf|transform)
- Description: Specify what to do with outliers. RM | REMOVE removes the event containing the outlying numerical value. TF | TRANSFORM truncates the outlying value to the threshold for outliers and prefixes the value with "000". By default, action=rm.
- <outlier-param-opt>
- Syntax: param=<num>
- Description: Parameter controlling the threshold of outlier detection. For type=IQR, an outlier is defined as a numerical value that is outside of param multiplied by the inter-quartile range. By default, param=2.5.
- <outlier-uselower-opt>
- Syntax: uselower=<bool>
- Description: Controls whether to look for outliers for values below the median. By default, uselower=f.
Description
Removes or truncates outlying numerical values in selected fields. If no fields are specified, then outlier will attempt to process all fields.
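How action, param and uselower interact on one numeric field, modelled in Python as an added example (this is not Splunk's implementation and not code from this page). It assumes the param multiplied by IQR distance is measured from the median and that quartiles come from statistics.quantiles; the sample values are constructed.

```python
import statistics

# Constructed sample: one numeric field value per event.
SAMPLE = [42, 40, 44, 120, 41, 45, 38, 1, 46, 48, 50]


def thresholds(values, param=2.5):
    """Return (lower, upper) outlier thresholds for type=iqr.

    Assumption (not stated on the page): the distance param * IQR is
    measured from the median.
    """
    q1, median, q3 = statistics.quantiles(values, n=4)
    distance = param * (q3 - q1)
    return median - distance, median + distance


def outlier(values, action="rm", param=2.5, uselower=False):
    """Apply the documented options to a list of field values.

    rm/remove drops the event holding the outlying value (here, the list
    entry); tf/transform replaces the value with the threshold it crossed,
    prefixed with "000". Values below the median are only examined when
    uselower is true.
    """
    if action not in ("rm", "remove", "tf", "transform"):
        raise ValueError("action must be rm, remove, tf or transform")
    lower, upper = thresholds(values, param)
    result = []
    for value in values:
        if value > upper:
            limit = upper
        elif uselower and value < lower:
            limit = lower
        else:
            result.append(value)  # within thresholds: event kept unchanged
            continue
        if action in ("tf", "transform"):
            result.append("000" + format(limit, "g"))
        # rm / remove: the event is dropped, nothing is appended
    return result


if __name__ == "__main__":
    print(thresholds(SAMPLE))
    print(outlier(SAMPLE))
    print(outlier(SAMPLE, action="tf", uselower=True))
```

With the defaults only the high value is dropped; the low value survives until uselower is enabled, which matters when a field's abnormally low readings are the ones of interest.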
Examples
Example 1: For a timechart of webserver events, transform the outlying average CPU values.
404 host="webserver" | timechart avg(cpu_seconds) by host | outlier action=tf
Example 2: Remove all outlying numerical values.
... | outlier
See also
anomalies, anomalousvalue, cluster, kmeans
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11