Sumo Logic

Use Cases for Anomaly Detection vs Outlier

Example Log Messages

The following log messages are examples that would work well with Anomaly Detection, containing repeated structure:

$DATE %PIX-6-*: access-list outside_access_in denied tcp outside/*(*) -> inside/*(*)

or:

$DATE StockTraderWebApplicationServiceClient.sell INFO: Stock Ticker Update Successful.

This next example is unstructured. If your messages are similar, use the Outlier operator to find anomalies.

169.107.162.237 - - [Wed May 13 20:05:36 UTC 2015] "GET /_includes/wp/blog/wp-content/plugins/us/31063765-bpfull.phpi?&w=50&id=6&random=1331063765 HTTP/1.1" 200 6677 "http://search.yahoo.com/mobile/s?rew...0logs&pintl=en" "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8B5097d Safari/6531.22.7"

Outlier Query Examples

Using the Outlier operator to find anomalies is more flexible, but it requires more effort on your part. You can use any query that transforms logs into a time series, for example:

Parsing out a numerical field.

Use the following query to parse out a numerical field.

... | parse "latency=*," as latency
| timeslice 5m
| avg(latency) by _timeslice
| outlier _avg

Counting logs.

You can use the following query to count logs.

"transaction processed"
| timeslice 5m
| count by _timeslice
| outlier _count
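The following Python is an added example, not code from the Sumo Logic documentation. It builds the same two time series the queries above produce (average of a parsed latency field per 5-minute timeslice, and a count per timeslice) from constructed sample lines, then flags points that deviate from a sliding window of earlier points. The sliding-window rule (ten-point window, three standard deviations) is a simplified model assumed for this example, not a reproduction of Sumo Logic's outlier operator.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample lines (not from the original page): eleven five-minute
# buckets of steady ~100 ms latency, then a bucket where latency jumps.
SAMPLE_LOGS = [
    f"2015-05-13T20:{m:02d}:30Z app INFO transaction processed latency={lat},"
    for m, lat in ((0, 98), (5, 101), (10, 99), (15, 102), (20, 100), (25, 97),
                   (30, 103), (35, 99), (40, 101), (45, 100), (50, 98), (55, 950))
]
LATENCY_RE = re.compile(r"latency=(\d+),")  # the query's parse "latency=*," as latency

def timeslice(ts_str, minutes=5):
    """Round a UTC timestamp down to its bucket start, like | timeslice 5m."""
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - epoch % (minutes * 60)

def aggregate(lines, minutes=5):
    """Return [(slice, avg_latency, count)] in time order: the avg(latency) by
    _timeslice and count by _timeslice series built by the queries on the page."""
    buckets = defaultdict(list)
    for line in lines:
        m = LATENCY_RE.search(line)
        if not m:
            continue  # no latency field: the parse step drops the line
        buckets[timeslice(line.split()[0], minutes)].append(int(m.group(1)))
    return [(s, mean(v), len(v)) for s, v in sorted(buckets.items())]

def outliers(series, window=10, threshold=3.0):
    """Index of every point more than `threshold` standard deviations from the mean
    of the preceding `window` points. A simplified sliding-window model written
    for this example, not a reproduction of Sumo Logic's outlier operator."""
    flagged = []
    for i in range(window, len(series)):
        hist = series[i - window:i]
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:
            continue  # flat history gives a zero-width band; don't flag on it
        if abs(series[i] - mu) > threshold * sigma:
            flagged.append(i)
    return flagged

if __name__ == "__main__":
    rows = aggregate(SAMPLE_LOGS)
    for i in outliers([avg for _, avg, _ in rows]):
        print(f"outlier at timeslice {rows[i][0]}: avg latency {rows[i][1]} ms")
```

The count series from the same sample is flat (one line per bucket), so it produces no outliers; the latency series flags only the final bucket, which is the behaviour a practitioner should expect from a window-based rule when the first `window` points have no history to compare against.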

For more information, see Outlier operator.