anomalousvalue command computes an anomaly score for each field of each event, relative to the values of this field across other events. For numerical fields, it identifies or summarizes the values in the data that are anomalous either by frequency of occurrence or number of standard deviations from the mean.
For fields that are determined to be anomalous, a new field is added with the following scheme. If the field is numeric, such as
size, the new field will be
Anomaly_Score_Num(size). If the field is non-numeric, such as
name, the new field will be
anomalousvalue <av-options>... [action] [pthresh] [field-list]
- Syntax: minsupcount=<int> | maxanofreq=<float> | minsupfreq=<float> | minnormfreq=<float>
- Description: Specify one or more option to control which fields are considered for discriminating anomalies.
- Descriptions for the av-option arguments
- Syntax: maxanofreq=<float>
- Description: Maximum anomalous frequency is expressed as a floating point number between 0 and 1. Omits a field from consideration if the field is too frequently anomalous. If the ratio of anomalous occurrences of the field to the total number of occurrences of the field is greater than the
maxanofreqvalue, then the field is removed from consideration.
- Default 0.05
- Syntax: minnormfreq=<float>
- Description: Minimum normal frequency is expressed as a floating point number between 0 and 1. Omits a field from consideration if the field is not anomalous frequently enough. If the ratio of anomalous occurrences of the field to the total number of occurrences of the field is smaller than p, then the field is removed from consideration.
- Default: 0.01
- Syntax: minsupcount=<int>
- Description: Minimum supported count must be a positive integer. Drops a field that has a small number of occurrences in the input result set. If the field appears fewer than N times in the input events, the field is removed from consideration.
- Default: 100
- Syntax: minsupfreq=<float>
- Description: Minimum supported frequency is expressed as a floating point number between 0 and 1. Drops a field that has a low frequency of occurrence. The
minsupfreqargument checks the ratio of occurrences of the field to the total number of events. If this ratio is smaller than p the field is removed from consideration.
- Default: 0.05
- Syntax: action=annotate | filter | summary
- Description: Specify whether to return the anomaly score (annotate), filter out events that are not anomalous values (filter), or return a summary of anomaly statistics (summary).
- Default: filter
- Descriptions for the action arguments
- Syntax: action=annotate
- Description: The
annotateaction adds new fields to the events containing anomalous values. The fields that are added are
Anomaly_Score_Num(field), or both.
- Syntax: action=filter
- Description: The
filteraction returns events with anomalous values. Events without anomalous values are removed. The events that are returned are annotated, as described for
- Syntax: action=summary
- Description: The
summaryaction returns a table summarizing the anomaly statistics for each field generated. The table includes how many events contained this field, the fraction of events that were anomalous, what type of test (categorical or numerical) were performed, and so on.
Output field Description
The name of the field.
The number of times the field appears.
The number of unique values of the field.
The calculated mean of the field values.
The anomalous frequency of the categorical field.
The normal frequency of the categorical field.
The anomalous frequency of the numerical field.
The standard deviation of the field value.
The support frequency of the field.
Use categorical anomaly detection. Categorical anomaly detection looks for rare values.
Use numerical anomaly detection. Numerical anomaly detection looks for values that are far from the mean value. This anomaly detection is Gaussian distribution based.
Whether or not the field is numerical.
- Syntax: <field> ...
- Description: The List of fields to consider.
- Default: If no field list is provided, all fields are considered.
- Syntax: pthresh=<num>
- Description: Probability threshold (as a decimal) that has to be met for a value to be considered anomalous.
- Default: 0.01.
By default, a maximum of 50,000 results are returned. This maximum is controlled by the
maxresultrows setting in the
[anomalousvalue] stanza in the limits.conf file. Increasing this limit can result in more memory usage.
Only users with file system access, such as system administrators, can edit the configuration files. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.
Example 1: Return only uncommon values from the search results
... | anomalousvalue
This is the same as running the following search:
...| anomalousvalue action=filter pthresh=0.01
Example 2: Return uncommon values from the host "reports"
host="reports" | anomalousvalue action=filter pthresh=0.02
Example 3: Return a summary of the anomaly statistics for each numeric field.
source=/var/log* | anomalousvalue action=summary pthresh=0.02 | search isNum=YES
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the anomalousvalue command.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 7.0.0, 7.0.1