anomalousvalue
anomalousvalue
Synopsis
Finds and summarizes irregular, or uncommon, search results.
Syntax
anomalousvalue <av-option> [action] [pthresh] [field-list]
Required arguments
- <av-option>
- Syntax: minsupcount=<integer> | maxanofreq=<float> | minsupfreq=<float> | minnormfreq=<float>
- Description: Fields that occur only in a couple of events aren't very informative (which one of three values is anomalous?). minsupcount, maxanofreq, minsupfreq, and minnormfreq set thresholds to filter out these uninformative fields.
-
maxanofreq=pOmits a field from consideration if more than a fraction p of the events that it appears in would be considered anomalous. -
minnormfreq=pOmits a field from consideration if less than a fraction p of the events that it appears in would be considered normal. -
minsupcount=NSpecifies that a field must appear in at least N of the eventsanomalousvalueprocesses to be considered for deciding which fields are anomalous. -
minsupfreq=pIdentical to minsupcount, but instead of specifying an absolute number N of events, specify a minimum fraction of events p (between 0 and 1).
Optional arguments
- action
- Syntax: action=annotate | filter | summary
- Description: Specify whether to return the anomaly score (annotate), filter out events with anomalous values (filter), or a summary of anomaly statistics (summary). Defaults to filter.
- If action is
annotate, a new field is added to the event containing the anomalous value that indicates the anomaly score of the value. - If action is
filter, events with anomalous value(s) are isolated. - If action is
summary, a table summarizing the anomaly statistics for each field is generated.
- field-list
- Syntax: <field>, ...
- Description: List of fields to consider.
- pthresh
- Syntax: pthresh=<num>
- Description: Probability threshold (as a decimal) that has to be met for a value to be considered anomalous. Defaults to 0.01.
Description
The anomalousvalue command looks at the entire event set and considers the distribution of values when deciding if a value is anomalous or not.
For numerical fields, it identifies or summarizes the values in the data that are anomalous either by frequency of occurrence or number of standard deviations from the mean.
Examples
Example 1: Return only uncommon values from the search results.
... | anomalousvalueThis is the same as running the following search:
...| anomalousvalue action=filter pthresh=0.01Example 2: Return uncommon values from the host "reports".
host="reports" | anomalousvalue action=filter pthresh=0.02Example 3: Return a summary of the anomaly statistics for each numeric field.
source=/var/log* | anomalousvalue action=summary pthresh=0.02 | search isNum=YES
See also
af, analyzefields, anomalies, cluster, kmeans, outlier
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the anomalousvalue command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.