Search Reference


anomalousvalue

Synopsis

Finds and summarizes irregular, or uncommon, search results.

Syntax

anomalousvalue <av-option> [action] [pthresh] [field-list]

Optional arguments

action
Syntax: action=annotate | filter | summary
Description: Specify whether to return the anomaly score (annotate), filter out events with anomalous values (filter), or a summary of anomaly statistics (summary). Defaults to filter.
<av-option>
Syntax: minsupcount=<integer> | maxanofreq=<float> | minsupfreq=<float> | minnormfreq=<float>
Description: Define the minimum number of rows that must contain a field for the field to be considered at all (minsupcount), the maximum frequency (as a decimal) a value may have and still be considered anomalous (maxanofreq), the minimum support frequency (minsupfreq), and the minimum normal frequency (minnormfreq). The minimum support frequency is the smallest fraction of overall events that must contain a field for that field to be considered for anomaly detection. The minimum normal frequency is the smallest fraction of times that a field's values must be considered normal for the field to be used in determining whether an event is anomalous.
pthresh
Syntax: pthresh=<num>
Description: Probability threshold (as a decimal) that has to be met for a value to be considered anomalous. Defaults to 0.01.

Description

Identifies or summarizes the values in the data that are anomalous either by frequency of occurrence or number of standard deviations from the mean.

Examples

Example 1: Return only the uncommon values in the search results.

... | anomalousvalue

This is the same as running the following search:

... | anomalousvalue action=filter pthresh=0.01

Example 2: Return uncommon values from the host "reports".

host="reports" | anomalousvalue action=filter pthresh=0.02

Example 3: Return a summary of the anomaly statistics for each numeric field.

source=/var/log* | anomalousvalue action=summary pthresh=0.02 | search isNum=YES
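
The option semantics above and the three actions used in the examples can be made concrete with a small frequency-based model. The following is an added illustration written for this page, not Splunk's implementation: it applies the minsupcount, minsupfreq, minnormfreq, maxanofreq and pthresh rules as the reference describes them to a constructed set of 50 events, and returns filtered events, annotated events or a per-field summary with an isNum column. Defaults other than pthresh=0.01, the `anomaly_score` field name, the choice to treat maxanofreq as equal to pthresh when not given, and the sample events themselves are assumptions.

```python
"""Simplified frequency-based model of the anomalousvalue command.
Added illustration only; option names follow the reference page."""
from collections import Counter


def build_events():
    """Constructed sample events (not from the page): 50 rows from one host."""
    events = []
    for i in range(50):
        events.append({"host": "reports", "status": "200",
                       "user": "u%d" % (i % 5), "bytes": str(1200 + i)})
    events[7]["status"] = "500"        # seen once: 1/50 = 0.02
    events[30]["user"] = "svc-backup"  # seen once: 1/50 = 0.02
    return events


def _is_num(values):
    """True when every value of the field parses as a number (the isNum column)."""
    try:
        for v in values:
            float(v)
        return True
    except ValueError:
        return False


def field_profiles(events, minsupcount=2, minsupfreq=0.05, minnormfreq=0.01,
                   pthresh=0.01, maxanofreq=None, field_list=None):
    """Per-field statistics after applying the <av-option> and pthresh rules.
    Defaults other than pthresh are assumptions made for this illustration."""
    if maxanofreq is None:
        maxanofreq = pthresh   # assumption: a single threshold unless overridden
    total = len(events)
    names = field_list or sorted({k for e in events for k in e})
    profiles = {}
    for name in names:
        values = [e[name] for e in events if name in e]
        support = len(values)
        # minsupcount / minsupfreq: is the field present often enough to consider?
        if support < minsupcount or support / total < minsupfreq:
            continue
        counts = Counter(values)
        freq = {v: c / support for v, c in counts.items()}
        # a value is anomalous when it is rare enough under both thresholds
        anomalous = {v: f for v, f in freq.items()
                     if f <= pthresh and f <= maxanofreq}
        # minnormfreq: a field whose values are almost all "rare" (for example a
        # unique byte count per event) carries no signal and is not used
        normal_frac = 1.0 - sum(anomalous.values())
        profiles[name] = {
            "support": support,
            "distinct": len(counts),
            "anomalous_values": anomalous,
            "isNum": "YES" if _is_num(counts) else "NO",
            "used": normal_frac >= minnormfreq,
        }
    return profiles


def anomalous_value(events, action="filter", **options):
    """action=filter keeps events holding an anomalous value, action=annotate
    adds a hypothetical anomaly_score field, action=summary returns field stats."""
    profiles = field_profiles(events, **options)
    if action == "summary":
        return profiles
    results = []
    for event in events:
        score = 0.0
        for name, prof in profiles.items():
            if not prof["used"]:
                continue
            f = prof["anomalous_values"].get(event.get(name))
            if f is not None:
                score = max(score, 1.0 - f)   # rarer value, higher score
        if action == "annotate":
            results.append(dict(event, anomaly_score=score))
        elif score > 0:
            results.append(event)
    return results


if __name__ == "__main__":
    evts = build_events()
    print(anomalous_value(evts, action="filter", pthresh=0.02))
    summary = anomalous_value(evts, action="summary", pthresh=0.02)
    # equivalent of "| search isNum=YES" from Example 3
    print({k: v for k, v in summary.items() if v["isNum"] == "YES"})
```

Running the filter with pthresh=0.02 returns the two events carrying the once-seen status and user values, while the per-event `bytes` field, whose every value is rare, is excluded by the minnormfreq rule rather than flagging all 50 events; with the default pthresh=0.01 a 1-in-50 value is not rare enough and nothing is returned.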

[Image: example output of Example 3, anomalousvalue action=summary]

See also

af, analyzefields, anomalies, cluster, kmeans, outlier

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the anomalousvalue command.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3. View the Article History for its revisions.