Reports are defined by the set of logs that you tell Anomaly Detection to watch by specifying a filter-style query. Queries that produce aggregate results cannot be used in an Anomaly Report. For example, the following queries can be saved as a Report:
_sourceCategory=frontend and _sourceHost=frontend-5
_sourceCategory=frontend | parse "module=*," as module | where module="service"
You can add up to 15 Reports. After you create a new report, it takes some time for Anomaly Detection to develop a baseline behavior for that report—generally around six hours. During this time, no anomalies can be detected.
Define an Anomaly Report
- On the Anomalies page, click the double-arrow to the right of the Anomaly Reports Summary, and click New.
- In the New Report dialog box, under Report Name, enter a name for the Report.
- For Query enter the query you’d like to save as a report.
- Click Save.