Outlier Detection
Kloudfuse uses the Outliers function to highlight outlier time series.
DBSCAN
Kloudfuse provides the DBSCAN implementation of outlier detection.
Visualization
The chart displays the results of DBSCAN outlier detection, applied to the selected log metric over time.
- Solid Lines represent data series flagged as outliers. These indicate instances where the data behavior deviates significantly from the norm, based on the defined tolerance.
- Dotted Lines represent data series identified as non-outliers, because they exhibit expected behavior relative to their peers.
Search
Use the Search time series option (below the graph) to select and plot the relevant information. For example, you can search for text outlier:true to paint only the series that have outlier data.
As with all linear plots, you can select and deselect lines using the Label legend.
Parameters
- Tolerance: In DBSCAN, the tolerance level, or eps, determines the clustering radius of the neighborhood around each point. The eps controls the sensitivity of outlier detection. A lower tolerance detects more subtle outliers, while a higher tolerance detects only the most significant deviations.
Example with Tolerance 0.8
The choice of tolerance value in this example makes the detection process highly sensitive to deviations. The algorithm detects and reports even small deviations from the normal pattern.
- Query Builder: all logs, @*:sourceIPAddress, 1m, cbrt, outliers, DBSCAN, 5
- Advanced Search: * | timeslice 60s | count by (_timeslice, @sourceIPAddress) | cbrt(_count) as _cbrt | outlier (_cbrt) by 60s, model=dbscan, eps=0.8
Example with Tolerance 5
The higher tolerance setting is appropriate when you want to capture large deviations, and are not concerned with smaller fluctuations in the data.
- Query Builder: all logs, @*:sourceIPAddress, 1m, cbrt, outliers, DBSCAN, 5
- Advanced Search: * | timeslice 60s | count by (_timeslice, @sourceIPAddress) | cbrt(_count) as _cbrt | outlier (_cbrt) by 60s, model=dbscan, eps=5