Documentation > Splunk > Search Reference > anomalousvalue

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Internal Search Commands
Search in the CLI

anomalousvalue

Contents

anomalousvalue

Synopsis

Finds and summarizes irregular, or uncommon, search results.

Syntax

anomalousvalue <av-option> [action] [pthresh] [field-list]

Required arguments

<av-option>
Syntax: minsupcount=<integer> | maxanofreq=<float> | minsupfreq=<float> | minnormfreq=<float>
Description: Fields that occur only in a couple of events aren't very informative (which one of three values is anomalous?). minsupcount, maxanofreq, minsupfreq, and minnormfreq set thresholds to filter out these uninformative fields.
  • maxanofreq=p Omits a field from consideration if more than a fraction p of the events that it appears in would be considered anomalous.
  • minnormfreq=p Omits a field from consideration if less than a fraction p of the events that it appears in would be considered normal.
  • minsupcount=N Specifies that a field must appear in at least N of the events anomalousvalue processes to be considered for deciding which fields are anomalous.
  • minsupfreq=p Identical to minsupcount, but instead of specifying an absolute number N of events, specify a minimum fraction of events p (between 0 and 1).

Optional arguments

action
Syntax: action=annotate | filter | summary
Description: Specify whether to return the anomaly score (annotate), filter out events with anomalous values (filter), or a summary of anomaly statistics (summary). Defaults to filter.
  • If action is annotate, a new field is added to the event containing the anomalous value that indicates the anomaly score of the value.
  • If action is filter, events with anomalous value(s) are isolated.
  • If action is summary, a table summarizing the anomaly statistics for each field is generated.
field-list
Syntax: <field>, ...
Description: List of fields to consider.
pthresh
Syntax: pthresh=<num>
Description: Probability threshold (as a decimal) that has to be met for a value to be considered anomalous. Defaults to 0.01.

Description

The anomalousvalue command looks at the entire event set and considers the distribution of values when deciding if a value is anomalous or not. For numerical fields, it identifies or summarizes the values in the data that are anomalous either by frequency of occurrence or number of standard deviations from the mean.

Examples

Example 1: Return only uncommon values from the search results.

... | anomalousvalue

This is the same as running the following search:

...| anomalousvalue action=filter pthresh=0.01
.

Example 2: Return uncommon values from the host "reports".

host="reports" | anomalousvalue action=filter pthresh=0.02

Example 3: Return a summary of the anomaly statistics for each numeric field.

source=/var/log* | anomalousvalue action=summary pthresh=0.02 | search isNum=YES

Ex Anomalousvalue3.png

See also

af, analyzefields, anomalies, cluster, kmeans, outlier

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the anomalousvalue command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/Anomalousvalue"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!