Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

outlier

Description

This command is used to remove outliers, not detect them. It removes or truncates outlying numeric values in selected fields. If no fields are specified, then the outlier command attempts to process all fields.

Filtering is based on the inter-quartile range (IQR), which is computed from the difference between the 25th percentile and 75th percentile values of the numeric fields. If the value of a field in an event is less than (25th percentile) - param*IQR or greater than (75th percentile) + param*IQR , that field is transformed or that event is removed based on the action parameter.

To identify outliers and create alerts for outliers, see finding and removing outliers in the Search Manual.

Syntax

outlier <outlier-options>... [<field-list>]

Optional arguments

<outlier-options>
Syntax: <action> | <mark> | <param> | <uselower>
Description: Outlier options.
<field-list>
Syntax: <field> ...
Description: A space-delimited list of field names.

Outlier options

<action>
Syntax: action=remove | transform
Description: Specifies what to do with the outliers. The remove option removes events that containing the outlying numerical values. The transform option truncates the outlying values to the threshold for outliers. If action=transform and mark=true, prefixes the values with "000".
Abbreviations: The remove action can be shorted to rm. The transform action can be shorted to tf.
Default: transform
<mark>
Syntax: mark=<bool>
Description: If action=transform and mark=true, prefixes the outlying values with "000". If action=remove, the mark argument has no effect.
Default: false
<param>
Syntax: param=<num>
Description: Parameter controlling the threshold of outlier detection. An outlier is defined as a numerical value that is outside of param multiplied by the inter-quartile range (IQR).
Default: 2.5
<uselower>
Syntax: uselower=<bool>
Description: Controls whether to look for outliers for values below the median in addition to above.
Default: false

Examples

Example 1: For a timechart of webserver events, transform the outlying average CPU values.

404 host="webserver" | timechart avg(cpu_seconds) by host | outlier action=tf

Example 2: Remove all outlying numerical values.

... | outlier

See also

anomalies, anomalousvalue, cluster, kmeans

Finding and removing outliers

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the outlier command.

PREVIOUS
nomv
  NEXT
outputcsv

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0, 7.2.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters