The Outlier operator tracks the moving average and standard deviation of a value, and detects or alerts when the value differs from the mean by some multiple of the standard deviation, for example, 3 standard deviations.
Suppose we want to use Outlier to monitor the total bytes uploaded to Sumo Logic from many different IP addresses. Building a separate Outlier search for bytes uploaded for every IP isn't scalable, and applying Outlier to bytes uploaded for all IPs would not be useful. But we can monitor each IP address's uploads in a separate stream, or dimension, using BY after the Outlier operator. This creates a multi-dimensional outlier operation.
| outlier size_in_bytes BY ip window=8, threshold=3, consecutive=2, direction=+

-- size_in_bytes - The parsed or aggregated value you are monitoring with Outlier.
-- Window - Specifies how far back to look to calculate the rolling standard deviation.
-- Threshold - Specifies how many standard deviations from the rolling average the boundaries are, or how sensitive the search is in calling something a violation.
-- Consecutive - Represents how many consecutive violations are required to consider the behavior a true exception.
-- Direction - Allows you to specify whether values that are too high, too low, or both, are considered to be violations.
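
The Python sketch below is an added example, not Sumo Logic's implementation and not code from this article. It models the parameters above with one rolling baseline per BY key, and runs the same constructed data per IP and pooled across all IPs. The function names, the sample values, the use of the population standard deviation, and the choice to wait for a full window before judging a point are assumptions.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

def detect_outliers(rows, window=8, threshold=3, consecutive=2, direction="+"):
    """rows: (timeslice, key, value) tuples in time order; key plays the BY field.
    Returns the rows where `consecutive` violations in a row were reached."""
    history = defaultdict(lambda: deque(maxlen=window))  # one baseline per key
    streak = defaultdict(int)
    flagged = []
    for ts, key, value in rows:
        past = history[key]
        violation = False
        if len(past) == window:  # assumption: no verdict until the window is full
            avg, sd = mean(past), pstdev(past)
            high = "+" in direction and value > avg + threshold * sd
            low = "-" in direction and value < avg - threshold * sd
            violation = high or low
        streak[key] = streak[key] + 1 if violation else 0
        if streak[key] >= consecutive:
            flagged.append((ts, key, value))
        past.append(value)  # assumption: every point joins the baseline afterwards
    return flagged

def pooled(rows):
    """Collapse all keys into one stream: total bytes per timeslice."""
    totals = defaultdict(int)
    for ts, _key, value in rows:
        totals[ts] += value
    return [(ts, "all", total) for ts, total in sorted(totals.items())]

def sample_rows():
    """Constructed data: a quiet IP that spikes, beside a consistently heavy uploader."""
    quiet = [1000, 1010, 990, 1005, 995, 1000, 1010, 990, 1000, 50000, 400000, 1000]
    rows = []
    for ts, small in enumerate(quiet):
        rows.append((ts, "10.0.0.1", small))
        rows.append((ts, "10.0.0.2", 900000 if ts % 2 == 0 else 1100000))
    return rows

if __name__ == "__main__":
    rows = sample_rows()
    print("per IP:", detect_outliers(rows))          # spike on 10.0.0.1 is flagged
    print("pooled:", detect_outliers(pooled(rows)))  # same spike is lost in the total
```

In this model the first spike inflates the baseline for the next point, so with consecutive=2 the second value has to clear a much higher boundary before the pair counts as an exception.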
NOTE: Using the multi-dimensional outlier functionality disables the Outlier chart option, so it cannot be added to a Dashboard. This is because it would effectively create many Outlier charts for many different streams of data, overlaid.
To create a Dashboard, use a table chart to visualize violations and create alerts.
Outlier documentation: https://help.sumologic.com/Search/Search_Query_Language/Search_Operators/outlier