About anomaly detection
This section describes anomaly detection. For a complete list of topics on detecting anomalies, finding and removing outliers, detecting patterns, and time series forecasting see About advanced statistics, in this manual.
Overview of anomaly detection
An anomaly is a deviation from the expected behavior of the system. An anomaly can be:
- A single event
- A sequence of events
- A sequence of transactions
- Complex patterns
Examples of common use cases for anomaly detection include:
Industry | Use case example |
---|---|
IT | Identifying a distributed denial of service (DDoS) attack from IP address ranges. |
Marketing | Rare but high-value customer purchase patterns. |
Product | Rare or previously unknown method of using a product that yields better results or yields results more efficiently than known methods. |
Security | Faster-than-human transactions. Detecting when transactions are being performed much more quickly by one user than by others. This could indicate a bot or an attempt to probe security measures. |
Effective anomaly detection
To perform effective anomaly detection, put all of the data in one place. If you do not have your machine and business data in the same place, you cannot perform a comprehensive analysis.
Begin tracking IT and business performance metrics. Additionally, create a baseline data image which shows the current state of your system.
See also
Commands for advanced statistics | Finding and removing outliers |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!