From Zero to Hero in Anomaly Detection with One Simple Command in Splunk!
Authors: Herrick Lai (Splunk) and Walter Lee (WF)
We learned this simple but powerful Splunk command, anomalydetection, from the .conf19 talks by Matt Portnoy (FIN1945) and Jason Barnette/Bryan Thiry (SEC1178).
Example: a demo on the Splunk Buttercup Games tutorial dataset.
Searching “index=sales sourcetype=vendor_sales” over the last 7 days returns 755 events.
Appending “| anomalydetection” to that search returns only 1 flagged event, shown with its full field values: the default action is filter, which keeps just the events the command judges anomalous and drops the rest.
Options give you more to work with, e.g. “| anomalydetection action=summary” returns a single row summarizing the anomalies (how many events were scanned and how many were flagged) instead of the events themselves.
Three scoring methods are available, “method=histogram | zscore | iqr”; histogram is the default, so the searches above used it. Which method flags an event depends on the field distributions, so it is worth re-running with zscore or iqr before trusting a “zero anomalies” result on skewed data.
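To make the zscore and iqr methods concrete, here is an added example (our own illustration, not Splunk's implementation of anomalydetection) that re-creates both decisions over constructed sales events, so the mean, standard deviation and quartile fences behind the verdict are visible. The field names (VendorID, product_name, price, quantity) and product names are loosely borrowed from the Buttercup Games vendor_sales data as an assumption; the values are invented, the z-score cutoff of 3 and the Tukey 1.5×IQR fences are conventional choices rather than Splunk's documented defaults, and the histogram method is not reproduced. The summary() helper only mimics the shape of action=summary.

```python
"""
Added illustration, not Splunk code: what `anomalydetection method=zscore`
and `method=iqr` decide, re-implemented over constructed sales events.
Field names and products are assumptions based on the Buttercup Games
tutorial data; the cutoff values are conventional, not Splunk's defaults.
"""
from statistics import mean, median, pstdev

PRODUCTS = ["Dream Crusher", "Mediocre Kingdoms", "World of Cheese", "Final Sequel"]

# Constructed events: 20 sales with one absurd price (row 12) and one absurd
# quantity (row 7) planted to stand in for a data-entry or fraud anomaly.
_PRICES = [24.99, 19.99, 39.99, 29.99, 49.99, 24.99, 39.99, 19.99, 29.99, 24.99,
           39.99, 44.99, 999.99, 34.99, 24.99, 19.99, 29.99, 39.99, 24.99, 34.99]
_QUANTITIES = [1, 2, 1, 3, 1, 2, 1, 500, 2, 1, 3, 1, 2, 1, 1, 2, 1, 3, 1, 2]

EVENTS = [
    {"_id": i, "VendorID": 1000 + i, "product_name": PRODUCTS[i % 4],
     "price": p, "quantity": q}
    for i, (p, q) in enumerate(zip(_PRICES, _QUANTITIES))
]

NUMERIC_FIELDS = ("price", "quantity")


def _hinges(values):
    """Tukey hinges: Q1 and Q3 as the medians of the lower and upper halves.
    Splunk does not document its quartile rule; this is one common choice."""
    s = sorted(values)
    half = len(s) // 2
    return median(s[:half]), median(s[-half:])


def detect_zscore(events, fields=NUMERIC_FIELDS, cutoff=3.0):
    """Flag an event if any field lies more than `cutoff` population standard
    deviations from that field's mean. Returns (flagged_events, per-field stats)."""
    stats = {}
    for f in fields:
        col = [e[f] for e in events]
        stats[f] = (mean(col), pstdev(col))
    flagged = []
    for e in events:
        reasons = {}
        for f in fields:
            mu, sigma = stats[f]
            z = 0.0 if sigma == 0 else (e[f] - mu) / sigma
            if abs(z) > cutoff:
                reasons[f] = round(z, 2)   # how far out, in sigmas
        if reasons:
            flagged.append({**e, "anomaly_reasons": reasons})
    return flagged, stats


def detect_iqr(events, fields=NUMERIC_FIELDS, k=1.5):
    """Flag an event if any field falls outside [Q1 - k*IQR, Q3 + k*IQR].
    Quartile-based fences are robust to the very outliers being hunted,
    which inflate the mean and sigma that the z-score method depends on."""
    fences = {}
    for f in fields:
        q1, q3 = _hinges([e[f] for e in events])
        iqr = q3 - q1
        fences[f] = (q1 - k * iqr, q3 + k * iqr)
    flagged = []
    for e in events:
        reasons = {f: e[f] for f in fields
                   if not fences[f][0] <= e[f] <= fences[f][1]}
        if reasons:
            flagged.append({**e, "anomaly_reasons": reasons})
    return flagged, fences


def summary(events, flagged):
    """Rough analogue of `action=summary`: one row of counts, not the events."""
    return {"num_events": len(events), "num_anomalies": len(flagged),
            "anomaly_ids": sorted(e["_id"] for e in flagged)}


if __name__ == "__main__":
    for name, fn in (("zscore", detect_zscore), ("iqr", detect_iqr)):
        flagged, params = fn(EVENTS)
        print(name, summary(EVENTS, flagged), params)
        for e in flagged:
            print("   ", e["_id"], e["product_name"], e["anomaly_reasons"])
```

On this data both methods agree and flag rows 7 and 12 only. The point to notice is how close the z-score method comes to missing them: a single outlier among n events can never score above sqrt(n-1) sigmas on a population standard deviation, so with a few dozen events and a cutoff of 3 a genuine anomaly can slip under the bar, whereas the IQR fences stay tight because the outlier barely moves the quartiles.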