From Zero to Hero in Anomaly Detection with One Simple Command in Splunk!

Walter Lee
2 min read · Oct 27, 2019

Authors: Herrick Lai (Splunk) and Walter Lee (WF)

source: https://stratusinnovations.com/blog/introduction-to-predictive-analytics-anomaly-detection/

We learned about this simple but powerful Splunk command, `anomalydetection`, in the .conf19 talks by Matt Portnoy (FIN1945) and Jason Barnette/Bryan Thiry (SEC1178).

For example, here is a demo on the Splunk ButterCup Games test dataset.

When we run the SPL search `index=sales sourcetype=vendor_sales` over the last 7 days, we get 755 events.

source: Walter Lee tests on ButterCup Games demo dataset

We just append `| anomalydetection`, and it finds ONLY 1 special (anomalous) event, with details.

source: Walter Lee tests on ButterCup Games demo dataset

We can then add options to see more, e.g. `| anomalydetection action=summary` shows the summary details below.

source: Walter Lee tests on ButterCup Games demo dataset

There are 3 methods to choose from, i.e. `method=histogram | zscore | iqr`.
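To make the three methods concrete, here is an added example (not from the post and not Splunk's own code): a simplified Python reimplementation of the histogram, zscore and iqr ideas run over a constructed `sale_price` field with one planted outlier. The thresholds `pthresh=0.1`, `cutoff=3.0` and `param=1.5` are assumptions for this demo, not Splunk's defaults.

```python
"""Simplified reimplementation of the three anomalydetection methods.
This is illustrative code, not the Splunk implementation."""
from collections import Counter
from statistics import mean, pstdev, quantiles
from typing import Dict, List

# Constructed sample: a numeric field like sale_price from vendor_sales.
# Three common prices recur; 999.0 (index 12) is the planted outlier.
SALE_PRICE: List[float] = [
    19.99, 24.99, 19.99, 39.99, 24.99, 19.99, 39.99, 24.99,
    19.99, 39.99, 24.99, 19.99, 999.0, 24.99, 19.99, 39.99,
    19.99, 24.99, 39.99, 19.99,
]


def histogram_anomalies(values: List[float], pthresh: float = 0.1) -> List[int]:
    """Histogram idea: a value whose empirical frequency is below pthresh
    is improbable, so the event carrying it is flagged."""
    counts = Counter(values)
    n = len(values)
    return [i for i, v in enumerate(values) if counts[v] / n < pthresh]


def zscore_anomalies(values: List[float], cutoff: float = 3.0) -> List[int]:
    """Z-score idea: flag values more than `cutoff` standard deviations
    from the mean (population std; a constant series yields no anomalies)."""
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return [i for i, v in enumerate(values) if abs(v - mu) / sigma > cutoff]


def iqr_anomalies(values: List[float], param: float = 1.5) -> List[int]:
    """IQR idea: flag values outside [Q1 - param*IQR, Q3 + param*IQR]."""
    q1, _, q3 = quantiles(values, n=4)  # exclusive method, Python 3.8+
    iqr = q3 - q1
    low, high = q1 - param * iqr, q3 + param * iqr
    return [i for i, v in enumerate(values) if v < low or v > high]


def summary(values: List[float]) -> Dict[str, List[int]]:
    """Analogue of action=summary: which indices each method flags."""
    return {
        "histogram": histogram_anomalies(values),
        "zscore": zscore_anomalies(values),
        "iqr": iqr_anomalies(values),
    }


if __name__ == "__main__":
    for method, idx in summary(SALE_PRICE).items():
        print(f"{method}: flagged indices {idx}")
```

All three methods agree on the single planted outlier here; on real data they often disagree, which is why it is worth comparing them before picking one for an alert.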
