Sumo Logic

About Anomaly Detection

Anomaly Detection uses machine learning and logic to detect abnormalities in your environment while examining log messages as they are ingested into Sumo Logic.

Anomaly Detection first uses LogReduce to assign logs to Signatures. Think of a Signature as a set of messages grouped by what they have in common: the messages in a Signature need not match exactly, but they are similar enough to be logically grouped together. Anomaly Detection then watches the overall distribution of Signatures as your logs are ingested over time.

Once Anomaly Detection has seen enough data to establish a baseline for your log messages, abnormal deviations from that baseline are detected and displayed on the Anomalies page as Events. An Event indicates that Anomaly Detection has noticed activity that warrants additional attention.

When Events appear on the Anomalies page, admins can teach Sumo Logic how to handle them by tagging them with a level of importance, or as Unimportant, which removes the "noise" that can make unexpected activity so hard to find.
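The following Python script is an added illustration of the workflow described above and is not Sumo Logic's own LogReduce or Anomaly Detection code, whose algorithms are not published on this page. It approximates signature assignment by masking variable tokens (numbers, IP addresses, hex values, quoted strings), counts each signature per ingestion window, builds a baseline from the first windows, and then flags two kinds of deviation: a signature whose volume moves more than a z-score threshold away from its baseline, and a signature that never appeared during the baseline. A `suppressed` set stands in for signatures an admin has tagged as Unimportant. The masking rules, window scheme, z-score threshold and sample log lines are all assumptions constructed for the example.

```python
import re
import statistics
from collections import Counter, defaultdict

# Assumed masking rules: replace variable tokens so messages that differ only in
# those details collapse into one signature. Order matters: IPs and hex values are
# masked before bare digit runs so they are not split apart.
_MASKS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"\b0x[0-9a-fA-F]+\b"), "<HEX>"),
    (re.compile(r"\d+"), "<NUM>"),
    (re.compile(r"\"[^\"]*\""), "<STR>"),
]


def signature(message: str) -> str:
    """Return an illustrative signature for one raw log message."""
    sig = message.strip()
    for pattern, token in _MASKS:
        sig = pattern.sub(token, sig)
    return sig


def signature_counts(logs):
    """logs: iterable of (window_index, raw_message). Returns {window: Counter}."""
    windows = defaultdict(Counter)
    for window, message in logs:
        windows[window][signature(message)] += 1
    return windows


def detect_events(windows, baseline_windows, threshold=3.0, min_std=1.0, suppressed=()):
    """Compare every non-baseline window against per-signature baseline statistics.

    Returns a list of event dicts. 'volume' events are signatures whose count in a
    window deviates from the baseline mean by at least `threshold` standard
    deviations (a floor of `min_std` avoids dividing by zero for constant
    signatures); 'new_signature' events are signatures unseen in the baseline.
    Signatures in `suppressed` (tagged Unimportant by an admin) are skipped.
    """
    baseline = [windows.get(w, Counter()) for w in baseline_windows]
    known = {sig for counts in baseline for sig in counts}
    stats = {}
    for sig in known:
        values = [counts.get(sig, 0) for counts in baseline]
        stats[sig] = (statistics.fmean(values), max(statistics.pstdev(values), min_std))

    events = []
    for w in sorted(set(windows) - set(baseline_windows)):
        counts = windows[w]
        for sig, n in counts.items():
            if sig not in known and sig not in suppressed:
                events.append({"window": w, "kind": "new_signature", "signature": sig,
                               "observed": n, "expected": 0.0, "z": None})
        for sig, (mean, std) in stats.items():
            if sig in suppressed:
                continue
            observed = counts.get(sig, 0)
            z = (observed - mean) / std
            if abs(z) >= threshold:
                events.append({"window": w, "kind": "volume", "signature": sig,
                               "observed": observed, "expected": mean, "z": round(z, 2)})
    return events


# Constructed sample: five baseline windows of steady traffic with a couple of
# failed logins each, then a sixth window with a burst of failures and a new message.
SAMPLE_LOGS = []
for w in range(5):
    for i in range(10):
        SAMPLE_LOGS.append((w, f"GET /api/items/{i} 200 12ms from 10.0.0.{i}"))
    for i in range(2):
        SAMPLE_LOGS.append((w, f'authentication failed for user "alice" from 10.0.0.{i}'))
for i in range(10):
    SAMPLE_LOGS.append((5, f"GET /api/items/{i} 200 15ms from 10.0.0.{i}"))
for i in range(40):
    SAMPLE_LOGS.append((5, f'authentication failed for user "bob" from 203.0.113.{i % 250}'))
SAMPLE_LOGS.append((5, "kernel: Out of memory: Killed process 4242 (java)"))

BASELINE_WINDOWS = [0, 1, 2, 3, 4]


def run_example(suppressed=()):
    """Build signature counts from SAMPLE_LOGS and return the detected events."""
    return detect_events(signature_counts(SAMPLE_LOGS), BASELINE_WINDOWS, suppressed=suppressed)


if __name__ == "__main__":
    for event in run_example():
        print(event)
```

Running the script reports a volume Event for the failed-login signature (40 observed against a baseline mean of 2) and a new-signature Event for the out-of-memory message, while the steady request traffic produces nothing. Passing the out-of-memory signature in `suppressed` mirrors tagging it Unimportant: it disappears from the output on subsequent runs without affecting the other Event.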

Anomaly Detection works on raw logs. If you already have a time-series of numerical values within which you want to detect anomalies, use the Outlier operator. For more details, see Use Cases for Anomaly Detection vs Outlier.