The anomalydetection command provides yet another means to find irregular or uncommon search results. It identifies anomalous events by computing a probability for each event and then detecting unusually small probabilities. The probability is defined as the product of the frequencies of each individual field value in the event. In the following example, we run the anomalydetection command against the bytes field of the website access logs and set a probability threshold of 0.03 that must be met:
index=main sourcetype=access_combined | anomalydetection action=filter pthresh=0.03 bytes
The results that are returned will be those that the anomalydetection command deems to be anomalous.
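To make the scoring concrete, here is an added Python illustration of the probability definition given above (the product of the relative frequencies of an event's field values, with events below pthresh treated as anomalous). It is example code written for this page, not Splunk's implementation of anomalydetection: the event set SAMPLE_EVENTS is constructed, the function names anomaly_detection, field_frequencies and event_probability are assumed, a missing field is treated as the value None, the default pthresh of 0.01 and the strict less-than comparison are assumptions, and only the filter and annotate actions are modelled.

```python
from collections import Counter
from typing import Dict, Iterable, List, Optional

Event = Dict[str, str]
FreqTable = Dict[str, Dict[Optional[str], float]]

# Constructed stand-in for access_combined events (values are made up):
# 20 responses of 512 bytes, 19 of 1024 bytes, and one oddly large response.
SAMPLE_EVENTS: List[Event] = (
    [{"status": "200", "method": "GET", "bytes": "512"}] * 20
    + [{"status": "200", "method": "GET", "bytes": "1024"}] * 19
    + [{"status": "200", "method": "GET", "bytes": "9999999"}]
)


def field_frequencies(events: List[Event], fields: Iterable[str]) -> FreqTable:
    """For each scored field, map every observed value to its relative
    frequency (count / number of events). A field absent from an event is
    counted under the value None, so absence is itself a (possibly rare)
    value; that is an assumption of this example, not documented behaviour."""
    n = len(events)
    freqs: FreqTable = {}
    for field in fields:
        counts = Counter(ev.get(field) for ev in events)
        freqs[field] = {value: count / n for value, count in counts.items()}
    return freqs


def event_probability(event: Event, freqs: FreqTable) -> float:
    """Product of the frequencies of the event's values in the scored fields,
    which is the probability definition the text describes."""
    p = 1.0
    for field, table in freqs.items():
        p *= table[event.get(field)]
    return p


def anomaly_detection(
    events: List[Event],
    fields: Iterable[str],
    pthresh: float = 0.01,
    action: str = "filter",
) -> List[Dict[str, object]]:
    """Score every event; with action="filter" keep only anomalous events,
    with action="annotate" return all events with probability attached.
    An event is anomalous when its probability is strictly below pthresh
    (assumed comparison). The 0.01 default is an assumption of this example."""
    freqs = field_frequencies(events, list(fields))
    annotated: List[Dict[str, object]] = []
    for ev in events:
        p = event_probability(ev, freqs)
        annotated.append({**ev, "probability": p, "anomalous": p < pthresh})
    if action == "filter":
        return [row for row in annotated if row["anomalous"]]
    if action == "annotate":
        return annotated
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # Mirrors: ... | anomalydetection action=filter pthresh=0.03 bytes
    for row in anomaly_detection(SAMPLE_EVENTS, ["bytes"], pthresh=0.03):
        print(row)
```

Scoring only the bytes field, the single 9999999-byte response has frequency 1/40 = 0.025, which is below the 0.03 threshold, so it is the only event returned; the 512 and 1024 responses score 0.5 and 0.475 and are dropped. Passing several fields multiplies their frequencies, so an event that is unremarkable in each field on its own can still be flagged when the combination of values is rare.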
The anomalydetection command includes ...