outlier
Synopsis
Removes outlying numerical values.
Syntax
outlier <outlier-option>* [<field-list>]
Required arguments
- <outlier-option>
- Syntax: <action> | <param> | <type> | <uselower>
- Description: Outlier options.
Optional arguments
- <field-list>
- Syntax: <field>, ...
- Description: Comma-delimited list of field names.
Outlier options
- <type>
- Syntax: type=iqr
- Description: Type of outlier detection. Currently, the only option available is IQR (inter-quartile range).
- <action>
- Syntax: action=rm | remove | tf | transform
- Description: Specify what to do with outliers. RM | REMOVE removes the event containing the outlying numerical value. TF | TRANSFORM truncates the outlying value to the threshold for outliers and prefixes the value with "000". Defaults to rm.
- <param>
- Syntax: param=<num>
- Description: Parameter controlling the threshold of outlier detection. For type=IQR, a value is an outlier if it lies more than param multiplied by the inter-quartile range (Q3 - Q1) above the third quartile, or, when uselower=true, below the first quartile. Defaults to 2.5.
- <uselower>
- Syntax: uselower=<bool>
- Description: Controls whether to look for outliers for values below the median. Defaults to false|f.
Description
Removes or truncates outlying numerical values in selected fields. If no fields are specified, then outlier will attempt to process all fields.
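The following is an added example, not Splunk's own code, that re-implements the IQR rule described above in Python so the effect of action, param and uselower can be seen on constructed events. Splunk does not document which quartile estimator it uses or exactly how the "000"-prefixed value is rendered, so the median-of-halves quartiles and the string form of the transformed value are assumptions; the event list is constructed for illustration.

```python
from statistics import median

# Constructed sample events (not real Splunk data): nine typical cpu_seconds
# values plus one very low (1) and one very high (95) value.
EVENTS = [
    {"host": "webserver", "cpu_seconds": v}
    for v in (1, 11, 12, 12, 13, 13, 14, 14, 15, 95)
]


def _numeric(value):
    """Return the value as a float if it is numeric, otherwise None."""
    if isinstance(value, bool):
        return None
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def quartiles(values):
    """Q1 and Q3 by the median-of-halves method.

    Assumption: Splunk does not document its quartile estimator, so the
    thresholds here may differ slightly from the command's."""
    s = sorted(values)
    half = len(s) // 2
    lower = s[:half]
    upper = s[half + 1:] if len(s) % 2 else s[half:]
    return median(lower), median(upper)


def thresholds(values, param=2.5):
    """Bounds outside of which a value is an outlier:
    (Q1 - param * IQR, Q3 + param * IQR)."""
    q1, q3 = quartiles(values)
    iqr = q3 - q1
    return q1 - param * iqr, q3 + param * iqr


def outlier(events, fields=None, action="rm", param=2.5, uselower=False):
    """Model of `outlier <options> [<field-list>]` over a list of event dicts.

    action rm|remove drops the whole event; tf|transform clips the value to
    the threshold and prefixes it with "000" (the string rendering is an
    assumption). Only values above the upper threshold count unless
    uselower=True, which also flags values below the lower threshold.
    With fields=None every field that holds numeric values is processed."""
    if action in ("rm", "remove"):
        remove = True
    elif action in ("tf", "transform"):
        remove = False
    else:
        raise ValueError(f"unknown action {action!r}")
    if fields is None:
        fields = sorted({k for e in events for k in e})
    # Thresholds are computed per field over the numeric values present;
    # non-numeric fields (such as host) are skipped.
    bounds = {}
    for f in fields:
        vals = [v for e in events if (v := _numeric(e.get(f))) is not None]
        if len(vals) >= 2:
            bounds[f] = thresholds(vals, param)
    out = []
    for e in events:
        keep = True
        e = dict(e)
        for f, (lo, hi) in bounds.items():
            v = _numeric(e.get(f))
            if v is None:
                continue
            if v > hi:
                clip = hi
            elif uselower and v < lo:
                clip = lo
            else:
                continue
            if remove:
                keep = False
                break
            e[f] = "000" + format(clip, "g")
        if keep:
            out.append(e)
    return out


if __name__ == "__main__":
    print("thresholds:", thresholds([e["cpu_seconds"] for e in EVENTS]))
    print("rm:", [e["cpu_seconds"] for e in outlier(EVENTS)])
    print("rm uselower:", [e["cpu_seconds"] for e in outlier(EVENTS, uselower=True)])
    print("tf uselower:", [e["cpu_seconds"] for e in outlier(EVENTS, ["cpu_seconds"], "tf", uselower=True)])
```

On the sample data Q1 is 12 and Q3 is 14, so the IQR is 2 and the default param=2.5 places the thresholds at 7 and 19. The default action drops only the event with 95; the event with 1 survives until uselower=true is set, which is the caveat to remember when a suspiciously low value (an idle host, an under-reporting sensor) is the signal you are looking for.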
Examples
Example 1: For a timechart of webserver events, transform the outlying average CPU values.
404 host="webserver" | timechart avg(cpu_seconds) by host | outlier action=tf
Example 2: Remove all outlying numerical values.
... | outlier
See also
anomalies, anomalousvalue, cluster, kmeans
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3