Detect Categorical Outliers
The Detect Categorical Outliers assistant finds data that are indicative of interesting, unusual, and possibly dangerous events. This assistant accepts non-numeric and multi-dimensional data, such as string identifiers and IP addresses.
Algorithm
- Probabilistic measures
Workflow
To detect categorical outliers, you input data and select the fields in which to look for unusual combinations or a coincidence of rare values. When many of the selected fields have rare values in the same event, that event is an outlier. The basic steps are as follows:
- Enter a search to retrieve your data, then click the search button to run it.
- Select the fields you want to analyze. This list of fields is populated by the search you just ran.
- Click Detect Outliers.
Interpret and validate
After you fit the model, review the Validate Model section to see how many outliers are identified. Expect only a few outliers.
- Outliers: Shows the number of events flagged as outliers.
- Total Events: Shows the total number of events that were evaluated.
- Data and Outliers: Shows a list of the events that are marked outliers, stating the reason that the event is marked as an outlier.
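The following is an added example, not code from Splunk or the Machine Learning Toolkit, that shows the workflow above end to end on constructed events: fit per-field value probabilities, count how many selected fields of each event carry rare values, and produce the three Validate Model figures (Outliers, Total Events, Data and Outliers with a reason). The probabilistic measure used here (a value is rare when its empirical probability falls below a threshold, and an event is an outlier when at least two selected fields are rare) is an assumption for illustration, not the toolkit's published scoring; the `rare_threshold`, `min_rare_fields` and `should_alert` names are likewise invented for this example.

```python
import math
from collections import Counter

# Constructed sample events (made up for this example, not Splunk data).
# Most events are routine logins and logouts from known users and addresses;
# the last one combines a never-seen user, address and action.
EVENTS = [
    {"user": "alice", "src_ip": "10.0.0.5", "action": "login"},
    {"user": "alice", "src_ip": "10.0.0.5", "action": "login"},
    {"user": "bob", "src_ip": "10.0.0.7", "action": "login"},
    {"user": "bob", "src_ip": "10.0.0.7", "action": "logout"},
    {"user": "alice", "src_ip": "10.0.0.5", "action": "logout"},
    {"user": "carol", "src_ip": "10.0.0.9", "action": "login"},
    {"user": "carol", "src_ip": "10.0.0.9", "action": "login"},
    {"user": "bob", "src_ip": "10.0.0.7", "action": "login"},
    {"user": "alice", "src_ip": "10.0.0.5", "action": "login"},
    {"user": "mallory", "src_ip": "203.0.113.44", "action": "delete"},
]


class CategoricalOutlierModel:
    """Flags events in which several selected fields carry rare values at once.

    Probabilistic measure (an assumption for this example, not the MLTK's
    published algorithm): every field value gets its empirical probability
    from the fitted events; a value is rare when that probability is below
    rare_threshold; an event is an outlier when at least min_rare_fields of
    the selected fields are rare. The surprise score is -sum(log p) over the
    selected fields, so events made of rare values score highest.
    """

    def __init__(self, fields, rare_threshold=0.15, min_rare_fields=2):
        self.fields = list(fields)
        self.rare_threshold = rare_threshold
        self.min_rare_fields = min_rare_fields
        self.n = 0
        self.probs = {}

    def fit(self, events):
        """Compute per-field value probabilities from the search results."""
        self.n = len(events)
        self.probs = {}
        for field in self.fields:
            counts = Counter(event.get(field) for event in events)
            self.probs[field] = {v: c / self.n for v, c in counts.items()}
        return self

    def probability(self, field, value):
        # A value never seen during fit gets one pseudo-count, so it counts as rare.
        return self.probs[field].get(value, 1.0 / (self.n + 1))

    def score(self, event):
        """Return (surprise, list of (field, value, probability) that are rare)."""
        rare_pairs = []
        surprise = 0.0
        for field in self.fields:
            p = self.probability(field, event.get(field))
            surprise -= math.log(p)
            if p < self.rare_threshold:
                rare_pairs.append((field, event.get(field), p))
        return surprise, rare_pairs

    def detect(self, events):
        """Produce the Validate Model figures: counts plus a reason per outlier."""
        outliers = []
        for index, event in enumerate(events):
            surprise, rare_pairs = self.score(event)
            if len(rare_pairs) >= self.min_rare_fields:
                reason = ", ".join(f"{f}={v!r} (p={p:.2f})" for f, v, p in rare_pairs)
                outliers.append({"index": index, "surprise": round(surprise, 3), "reason": reason})
        return {
            "outliers": len(outliers),
            "total_events": len(events),
            "data_and_outliers": outliers,
        }


def should_alert(summary, max_outliers):
    """Alert condition from the Deploy Model section: outlier count above a limit."""
    return summary["outliers"] > max_outliers


if __name__ == "__main__":
    model = CategoricalOutlierModel(["user", "src_ip", "action"]).fit(EVENTS)
    summary = model.detect(EVENTS)
    print(f"Outliers: {summary['outliers']}  Total Events: {summary['total_events']}")
    for row in summary["data_and_outliers"]:
        print(f"event {row['index']}: surprise={row['surprise']}  reason: {row['reason']}")
    print("alert:", should_alert(summary, max_outliers=0))
```

Only the last event is flagged: all three of its fields are rare (each appears once in ten events), whereas carol's events have two mildly uncommon values (probability 0.2) that stay above the threshold, which is what "a coincidence of rare values" means in practice. Scoring a new event with the fitted model is the same calculation the Deploy Model search replicates; values the model never saw are treated as rare, so a single unfamiliar value in an otherwise routine event is not enough to flag it.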
Deploy outlier detection
Once you have detected outliers, review the options in the Deploy Model section:
- Clicking any title takes you to a new Search tab, filled out with a search query to replicate the outlier detection calculations.
- Using a search query, you can set up an alert to detect when the number of outliers exceeds a certain value.
This documentation applies to the following versions of Splunk® Machine Learning Toolkit: 1.0.0, 1.1.0, 1.2.0