This command is used to remove outliers, not detect them. It removes or truncates outlying numeric values in selected fields. If no fields are specified, the outlier command attempts to process all fields.
Filtering is based on the inter-quartile range (IQR), which is computed from the difference between the 25th percentile and 75th percentile values of the numeric fields. If the value of a field in an event is less than (25th percentile) - `param`*IQR or greater than (75th percentile) + `param`*IQR, that field is transformed or that event is removed based on the
To identify outliers and create alerts for outliers, see Finding and removing outliers in the Search Manual.
`outlier <outlier-options>... [<field-list>]`
- Syntax: `<action>` | `<mark>` | `<param>` | `<uselower>`
- Description: Outlier options.
- Syntax: `<field>` ...
- Description: A space-delimited list of field names.
- Syntax: `action=remove | transform`
- Description: Specifies what to do with the outliers. The `remove` option removes events that contain the outlying numerical values. The `transform` option truncates the outlying values to the threshold for outliers. If `mark=true`, prefixes the values with "000".
- Abbreviations: The `remove` action can be shortened to
The `transform` action can be shortened to `tf` (as used in Example 1).
- Default: transform
- Syntax: `mark=<bool>`
- Description: If `mark=true`, prefixes the outlying values with "000". If
the `mark` argument has no effect.
- Default: false
- Syntax: `param=<num>`
- Description: Parameter controlling the threshold of outlier detection. An outlier is defined as a numerical value that lies more than `param` times the inter-quartile range (IQR) beyond the 25th or 75th percentile.
- Default: 2.5
- Syntax: `uselower=<bool>`
- Description: Controls whether to look for outliers for values below the median in addition to above.
- Default: false
Example 1: For a timechart of webserver events, transform the outlying average CPU values.
404 host="webserver" | timechart avg(cpu_seconds) by host | outlier action=tf
Example 2: Remove all outlying numerical values.
... | outlier
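As an added illustration of the semantics documented above (this is not Splunk's own code), the following Python model applies the outlier rules to a constructed list of events: thresholds per field, `action=remove` versus `action=transform`, the `mark` prefix, and the `uselower` switch. The percentile interpolation method and the exact string form of the "000" prefix are assumptions, since the page does not specify them.

```python
NUMBER = (int, float)
def percentile(values, p):
    # Linear interpolation between sorted ranks (assumption: the page does not
    # say which percentile method Splunk uses, so results can differ slightly).
    s = sorted(values)
    if not s:
        raise ValueError("percentile of an empty field")
    rank = (len(s) - 1) * p / 100.0
    lo = int(rank)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (rank - lo)

def outlier(events, fields=None, action="transform", mark=False,
            param=2.5, uselower=False):
    # No field list given: process every field that holds a numeric value.
    if fields is None:
        fields = sorted({k for e in events for k, v in e.items() if isinstance(v, NUMBER)})
    # Per-field thresholds: (25th pct) - param*IQR and (75th pct) + param*IQR.
    thresholds = {}
    for f in fields:
        vals = [e[f] for e in events if isinstance(e.get(f), NUMBER)]
        q1, q3 = percentile(vals, 25), percentile(vals, 75)
        iqr = q3 - q1
        thresholds[f] = (q1 - param * iqr, q3 + param * iqr)
    result = []
    for e in events:
        e = dict(e)  # do not mutate the caller's events
        drop = False
        for f, (lower, upper) in thresholds.items():
            v = e.get(f)
            if not isinstance(v, NUMBER):
                continue
            if v > upper:
                bound = upper
            elif uselower and v < lower:  # lower tail only when uselower=true
                bound = lower
            else:
                continue
            if action == "remove":  # drop the whole event
                drop = True
                break
            # action=transform truncates to the threshold; mark=true prefixes
            # "000" (assumption: prefix applied to the number's string form).
            e[f] = f"000{bound}" if mark else bound
        if not drop:
            result.append(e)
    return result

# Constructed sample: eight CPU readings for one host with a single spike.
SAMPLE_EVENTS = [{"host": "web1", "cpu_seconds": c} for c in [10, 12, 11, 13, 12, 11, 10, 100]]
```

With the default `param=2.5` the spike of 100 is truncated to the upper threshold of 16.0, while `action=remove` drops that event entirely.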
This documentation applies to the following versions of Splunk Cloud™: 6.6.3, 8.0.1, 7.1.3, 7.0.2, 7.0.3, 7.0.5, 7.0.8, 7.0.11, 7.1.6, 7.0.0, 7.2.3, 7.2.4, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 8.0.0