Documentation > Splunk > Search Reference > outlier

Search Reference

 


Introduction
Search Overview
Search Reference Overview
Search Commands and Functions
Search Command Reference
Custom Search Commands
Internal Search Commands
Search in the CLI

outlier

Contents

outlier

Synopsis

Removes outlying numerical values.

Syntax

outlier <outlier-option>* [<field-list>]

Required arguments

<outlier-option>
Syntax: <action> | <param> | <type> | <uselower>
Description: Outlier options.

Optional arguments

<field-list>
Syntax: <field>, ...
Description: Comma-delimited list of field names.

Outlier options

<type>
Syntax: type=iqr
Description: Type of outlier detection. Currently, the only option available is IQR (inter-quartile range).
<action>
Syntax: action=rm | remove | tf | transform
Description: Specify what to do with outliers. RM | REMOVE removes the event containing the outlying numerical value. TF | TRANSFORM truncates the outlying value to the threshold for outliers and prefixes the value with "000". Defaults to tf.
<param>
Syntax: param=<num>
Description: Parameter controlling the threshold of outlier detection. For type=IQR, an outlier is defined as a numerical value that is outside of param multiplied the inter-quartile range. Defaults to 2.5.
<uselower>
Syntax: uselower=<bool>
Description: Controls whether to look for outliers for values below the median. Defaults to false|f.

Description

Removes or truncates outlying numerical values in selected fields. If no fields are specified, then outlier will attempt to process all fields.

Examples

Example 1: For a timechart of webserver events, transform the outlying average CPU values.

404 host="webserver" | timechart avg(cpu_seconds) by host | outlier action=tf

Example 2: Remove all outlying numerical values.

... | outlier

See also

anomalies, anomalousvalue, cluster, kmeans

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the outlier command.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3/SearchReference/Outlier"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.


Comments

Kbern, you're correct. the default is action=tf. I've corrected the docs. Thank you!

Sophy, Splunker
April 6, 2012

The documentation for "outlier" (above) says that "action", "Defaults to rm". That is not what I'm seeing in Splunk 4.2.3... I'm seeing it default to TF

Kbern
March 22, 2012

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!