anomaly
Detect statistical outliers using z-score or MAD (Median Absolute Deviation) analysis.
Description
The anomaly command identifies events that are statistical outliers. It supports two detection methods:
- Z-score (default): Uses mean and standard deviation
- MAD: Uses median and Median Absolute Deviation, more robust to outliers in the data
Syntax
```
... | anomaly field=<field> [by <field>] [threshold=<number>] [method=zscore|mad]
```
Required Arguments
field
Syntax: field=<field>
Description: Numeric field to analyze for anomalies
Optional Arguments
by
Syntax: by <field> or by=<field>
Description: Calculate statistics separately for each value of this field
threshold
Syntax: threshold=<number>
Description: Score above which an event is flagged as anomalous (is_anomaly=1), in standard deviations (or scaled-MAD units) from the center
Default: 3
method
Syntax: method=zscore|mad
Description: Detection method to use
Default: zscore
| Method | Description |
|---|---|
| zscore | Z-score using mean and standard deviation |
| mad | Median Absolute Deviation, robust to outliers |
Output Fields
Both methods produce anomaly_score — a normalized score where higher values = more anomalous. The score represents how many standard deviations (or MAD equivalents) the value is from the center. For example, a score of 3.2 means the value is 3.2 standard deviations from the mean/median.
| Score Range | Interpretation |
|---|---|
| 0 - 2 | Normal range |
| 2 - 3 | Unusual (95-99.7% confidence) |
| 3 - 4 | Highly anomalous (>99.7% confidence) |
| 4+ | Extreme outlier |
The confidence figures are those of a normal distribution (about 95% of values lie within 2 standard deviations of the mean and 99.7% within 3) and hold only approximately for real data. For skewed or heavy-tailed fields, or for small groups, treat the score as a ranking rather than a probability.
Z-score method (default)
| Field | Description |
|---|---|
| avg_val | Mean of the field values |
| stddev_val | Standard deviation of the field values |
| anomaly_score | Number of standard deviations from the mean (higher = more anomalous) |
| is_anomaly | 1 if anomaly_score exceeds the threshold, 0 otherwise |
MAD method
| Field | Description |
|---|---|
| median_val | Median of the field values |
| mad_val | Median Absolute Deviation |
| anomaly_score | Scaled deviation from the median, comparable to a z-score (higher = more anomalous) |
| is_anomaly | 1 if anomaly_score exceeds the threshold, 0 otherwise |
Examples
Detect unusual data transfers
```
* | anomaly field=bytes_out threshold=3
```
Anomalous response times per endpoint
```
* | anomaly field=response_time by endpoint threshold=2.5
```
Using MAD for outlier-resistant detection
```
* | anomaly field=bytes_out method=mad threshold=3
```
MAD is useful when your data may already contain outliers that would skew the mean/stddev calculation.
Unusual login counts with MAD
```
* | bin span=1h
| stats count() as login_count by time_bucket, user
| anomaly field=login_count by user method=mad threshold=3
```
Network traffic anomalies
```
* | anomaly field=bytes by src_ip threshold=2
```
Detect performance degradation
```
* | anomaly field=response_time by service_name threshold=2
| where is_anomaly=1
```
Unusual file sizes
```
action=file_created
| anomaly field=file_size by file_type threshold=3
```
Process CPU anomalies using MAD
```
* | anomaly field=cpu_usage by process_name method=mad threshold=2.5
```
Detect data exfiltration
```
* | bin span=5m
| stats sum(bytes_out) as outbound by time_bucket, src_ip
| anomaly field=outbound by src_ip threshold=3
```
Usage Notes
Z-score method: Calculates |value - mean| / stddev. Best for normally distributed data. A few extreme values inflate both the mean and the stddev of the group, which lowers the score of every event in it, including the outliers themselves.
MAD method: Calculates |value - median| / (1.4826 * MAD), where MAD is the median of |value - median| over the group. The scale factor 1.4826 makes MAD comparable to standard deviation for normal distributions. Better for data with existing outliers, because the median and MAD are unaffected until more than half of the values are extreme.
Threshold: Common values are 2 (about 95% of normally distributed data scores below it), 2.5 (about 98.8%), or 3 (about 99.7%).
Minimum data: Requires sufficient data points for meaningful statistics. With by, every group needs enough points of its own: a group of one event has a stddev and MAD of 0, and very small groups give unstable estimates.
Zero spread: If stddev_val or mad_val is 0, the score is undefined. For MAD this happens whenever more than half of a group's values are identical (for example, counts that are mostly 0), so check mad_val before trusting is_anomaly for that group.
Grouping: by parameter calculates separate statistics per group.
Choosing a method:
- Use zscore (default) for clean data that is approximately normally distributed
- Use mad when data may contain outliers that shouldn't influence the threshold
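The following Python is an added example written for this page to show how the two scoring methods and the by grouping behave on the same data; it is not the product's implementation. Two details the page does not specify are assumptions here: the z-score uses the population standard deviation, and a zero spread (stddev or scaled MAD) gives values at the center a score of 0 and every other value an infinite score. The input rows are constructed and stand in for the output of the "Unusual login counts with MAD" pipeline above.

```python
"""Model of the anomaly command's scoring (added example, not the product's own code).

Assumptions the page does not state, made here for illustration:
  * the z-score method uses the population standard deviation;
  * when the spread (stddev or scaled MAD) is 0, values at the center score 0
    and any other value scores +inf (and is therefore flagged).
"""
import math
import statistics
from collections import defaultdict

MAD_SCALE = 1.4826  # from the Usage Notes: MAD * 1.4826 approximates stddev for normal data


def _score(value, center, spread):
    """Absolute distance from the center in units of spread (assumption: inf when spread is 0)."""
    if spread == 0:
        return 0.0 if value == center else math.inf
    return abs(value - center) / spread


def anomaly(events, field, by=None, threshold=3.0, method="zscore"):
    """Annotate events with the output fields the page lists for each method.

    Statistics are computed per value of 'by' (or once over all events when by is None),
    mirroring the command's 'by <field>' argument.
    """
    if method not in ("zscore", "mad"):
        raise ValueError("method must be 'zscore' or 'mad'")
    groups = defaultdict(list)
    for ev in events:
        groups[ev.get(by) if by else None].append(ev)

    out = []
    for evs in groups.values():
        values = [float(e[field]) for e in evs]
        if method == "zscore":
            center = statistics.fmean(values)
            spread = statistics.pstdev(values)           # assumption: population stddev
            stats = {"avg_val": center, "stddev_val": spread}
        else:
            center = statistics.median(values)
            mad = statistics.median([abs(v - center) for v in values])
            spread = MAD_SCALE * mad                     # scaled MAD, comparable to a stddev
            stats = {"median_val": center, "mad_val": mad}
        for ev, v in zip(evs, values):
            score = _score(v, center, spread)
            out.append({**ev, **stats, "anomaly_score": score,
                        "is_anomaly": 1 if score > threshold else 0})
    return out


# Constructed sample rows, standing in for the output of
#   * | bin span=1h | stats count() as login_count by time_bucket, user
# alice has two burst hours (60, 58) that inflate her mean and stddev; bob has one odd hour.
LOGIN_COUNTS = (
    [{"time_bucket": h, "user": "alice", "login_count": c}
     for h, c in enumerate([3, 4, 5, 4, 3, 4, 5, 4, 3, 4, 60, 58])]
    + [{"time_bucket": h, "user": "bob", "login_count": c}
       for h, c in enumerate([2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 9])]
)


def flagged(method, threshold=3.0):
    """Return {(user, time_bucket): anomaly_score} for the rows the command would flag."""
    rows = anomaly(LOGIN_COUNTS, "login_count", by="user", threshold=threshold, method=method)
    return {(r["user"], r["time_bucket"]): round(r["anomaly_score"], 2)
            for r in rows if r["is_anomaly"]}


if __name__ == "__main__":
    # zscore misses alice's bursts: they push her stddev to about 20.5, so 60 scores only ~2.28.
    # mad keeps her median at 4 and MAD at 1, so the same two rows score above 36.
    # bob's odd hour is flagged by both; with mad his MAD is 0, which is the zero-spread case.
    for method in ("zscore", "mad"):
        print(method, flagged(method))
```

Run it and compare the two dictionaries: at threshold 3 the z-score method flags only bob's hour 11, while MAD flags alice's two burst hours as well. That is the masking effect the Usage Notes describe, and bob's infinite MAD score is the zero-spread case to check mad_val for.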
Related Commands
- eventstats - Calculate statistics for comparison
- where - Filter anomalous events
- eval - Custom anomaly calculations