Outlier Detection

Kloudfuse uses the Outliers function to highlight outlier time series.

DBSCAN

Kloudfuse provides the DBSCAN implementation of outlier detection.

Visualization

The chart displays the results of DBSCAN outlier detection, applied to the selected log metric over time.

  • Solid Lines represent data series flagged as outliers. These indicate instances where the data behavior deviates significantly from the norm, based on the defined tolerance.

  • Dotted Lines represent data series identified as non-outliers, because they exhibit expected behavior relative to their peers.

Use the Search time series option (below the graph) to select and plot the relevant information. For example, you ccan search for tect outlier:true to paint only the series that have outlier data.

As with all linear plots, you can select and deselect lines usng the Label legend.

Parameters

Tolerance

In DBSCAN, the tolerance level, or eps, determines the clustering radius of the neighborhood around each point. The eps controls the sensitivity of outlier detection. A lower tolerance detects more subtle outliers, while a higher tolerance detects only the most significant deviations.

Examples

Tolerance of 0.8

The choice of tolerance value in this example makes the detection process highly sensitive to deviations. The algorithm detects and reports even small deviations from the normal pattern.

  • Query Builder

  • Advanced Search

show count of all logs by @*:sourceIPAddress roll up every 1m cbrt outliers DBSCAN 5

* | timeslice 60s | count by (_timeslice, @sourceIPAddress) | cbrt(_count) as _cbrt | outlier (_cbrt) by 60s, model=dbscan, eps=0.8
Outlier detection with tolerance=0.8

Tolerance of 5

The higher tolerance setting is appropriate when you want to capture large deviations, and are not concerned with smaller fluctuations in the data.

  • Query Builder

  • Advanced Search

show count of all logs by @*:sourceIPAddress roll up every 1m cbrt outliers DBSCAN 5

* | timeslice 60s | count by (_timeslice, @sourceIPAddress) | cbrt(_count) as _cbrt | outlier (_cbrt) by 60s, model=dbscan, eps=5
Outlier detection with tolerance=5