Anomaly detection

US 10,592,093 B2
Filed: 09/18/2015
Issued: 03/17/2020
Est. Priority Date: 10/09/2014
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

executing a search query over a period of time to produce values for a key performance indicator (KPI), the KPI associated with the search query that derives a value indicative of the performance of a service at a point in time or during a period of time, the value derived from machine data pertaining to one or more entities that provide the service;

causing for display a graphical user interface (GUI) comprising a first user-selectable interface element that enables a user to indicate a sensitivity setting and a second user-selectable interface element that enables the user to indicate a training window comprising an interval of time;

receiving, via the first and second user-selectable interface elements of the GUI, user input indicating the sensitivity setting and the training window;

identifying one or more of the values as anomalies based on the sensitivity setting and the training window indicated by the user input, the sensitivity setting establishing a threshold by which the one or more values are considered as the anomalies with respect to a deviation from historical values for the KPI, the historical values corresponding to the training window, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range of error values; and

causing for display, via an update to a graph in the GUI, information related to the values identified as anomalies to visually represent anomaly points in the graph, wherein the graph in the GUI is updated in real-time to visually represent new anomaly points corresponding to updated values identified based on received adjustments of the first and second user-selectable interface elements;

wherein the method is performed by a computer system comprising one or more processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for anomaly detection. A search query can be executed over a period of time to produce values for a key performance indicator (KPI), the search query defining the KPI and deriving a value indicative of the performance of a service at a point in time or during a period of time, the value derived from machine data pertaining to one or more entities that provide the service. A graphical user interface (GUI) enabling a user to indicate a sensitivity setting can be displayed. A user input indicating the sensitivity setting can be received via the GUI. Zero or more of the values as anomalies can be identified in consideration of the sensitivity setting indicated by the user input. A GUI including information related to the values identified as anomalies can be caused to be displayed.

89 Citations

View as Search Results

29 Claims

1. A method comprising:
- executing a search query over a period of time to produce values for a key performance indicator (KPI), the KPI associated with the search query that derives a value indicative of the performance of a service at a point in time or during a period of time, the value derived from machine data pertaining to one or more entities that provide the service;
  
  causing for display a graphical user interface (GUI) comprising a first user-selectable interface element that enables a user to indicate a sensitivity setting and a second user-selectable interface element that enables the user to indicate a training window comprising an interval of time;
  
  receiving, via the first and second user-selectable interface elements of the GUI, user input indicating the sensitivity setting and the training window;
  
  identifying one or more of the values as anomalies based on the sensitivity setting and the training window indicated by the user input, the sensitivity setting establishing a threshold by which the one or more values are considered as the anomalies with respect to a deviation from historical values for the KPI, the historical values corresponding to the training window, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range of error values; and
  
  causing for display, via an update to a graph in the GUI, information related to the values identified as anomalies to visually represent anomaly points in the graph, wherein the graph in the GUI is updated in real-time to visually represent new anomaly points corresponding to updated values identified based on received adjustments of the first and second user-selectable interface elements;
  
  wherein the method is performed by a computer system comprising one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1, wherein the search query is repeatedly executed over the period of time.
  - 3. The method of claim 1, wherein the search query is executed one or more times over the period of time.
  - 4. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value.
  - 5. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value.
  - 6. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range of error values, wherein the sensitivity setting is associated with the range.
  - 7. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining a position of the error value in a range of error values, wherein the sensitivity setting defines a portion of the range and the position of the error value within the sensitivity setting portion of the range identifies the one of the values as an anomaly.
  - 8. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining a position of the error value in a range of error values, wherein the sensitivity setting defines a portion of the range and the position of the error values within the sensitivity setting portion of the range identifies the one of the values as an anomaly, the portion being less than 10% at or near an end of the range.
  - 9. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining a position of the error value in a range of error values, wherein the sensitivity setting defines a portion of the range and the position of the error values within the sensitivity setting portion of the range identifies the one of the values as an anomaly, the portion being less than 1% at or near an end of the range.
  - 10. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range, wherein the range is a quantile range.
  - 11. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range, wherein the range is a quantile range represented as a digest of error values determined over training data.
  - 12. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range, wherein the range is a quantile range represented as a digest of error values determined over training data, the training data comprising the historical values for the KPI.
  - 13. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range, wherein the range is a quantile range represented as a digest of error values determined over training data, the training data comprising the historical values for the KPI computed with respect to a plurality of entities that provide the service.
  - 14. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range, wherein the range is a quantile range represented as a digest of error values determined over training data, the training data comprising a plurality of simulated KPI values.
  - 15. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range, wherein the range is a quantile range represented as a digest of error values determined over training data, the training data comprising a plurality of example KPI values.
  - 16. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range, wherein the range is a quantile range represented as a digest of error values determined over training data, the training data comprising a plurality of values associated with one or more other KPIs.
  - 17. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the predicted value based at least in part on one or more values for the KPI that immediately precede the predicted value.
  - 18. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the predicted value based at least in part on a time series forecasting calculation and one or more values for the KPI that immediately precede the predicted value.
  - 19. The method of claim 1, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the predicted value based at least in part on a frequency domain calculation and one or more values for the KPI that immediately precede the predicted value.
  - 20. The method of claim 1, further comprising generating a notable event for an identified anomaly.
  - 21. The method of claim 1, wherein the search query is repeatedly executed based on a frequency.
  - 22. The method of claim 1, wherein the search query is repeatedly executed based on a schedule.
  - 23. The method of claim 1, wherein causing the display of a GUI comprises adjusting the display of the graph comprising the information related to the one or more of the values identified as the anomalies based on the user input indicating the sensitivity setting.
  - 24. The method of claim 1, wherein causing the display of a GUI comprises adjusting the display of the graph comprising the information related to the one or more of the values identified as the anomalies based on the user input indicating the sensitivity setting, the user input comprising a change of a slider position.
  - 25. The method of claim 1, wherein the machine data pertaining to a particular entity is produced by the entity and by another entity.
  - 26. The method of claim 1, wherein the machine data is stored as timestamped events, each event comprising a segment of raw machine data.
  - 27. The method of claim 1, wherein the machine data is accessed according to a late-binding schema.

28. A system comprising:
- a memory; and
  
  a processing device, operatively coupled to the memory, to;
  
  execute a search query over a period of time to produce values for a key performance indicator (KPI), the KPI associated with the search query that derives a value indicative of the performance of a service at a point in time or during a period of time, the value derived from machine data pertaining to one or more entities that provide the service;
  
  cause for display a graphical user interface (GUI) comprising a first user-selectable interface element that enables a user to indicate a sensitivity setting and a second user-selectable interface element that enables the user to indicate a training window comprising an interval of time;
  
  receive, via the first and second user-selectable interface elements of the GUI, user input indicating the sensitivity setting and the training window;
  
  identify one or more of the values as anomalies based on the sensitivity setting and the training window indicated by the user input, the sensitivity setting establishing a threshold by which the one or more values are considered as the anomalies with respect to a deviation from historical values for the KPI, the historical values corresponding to the training window, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range of error values; and
  
  cause for display, via an update to a graph in the GUI, information related to the values identified as anomalies to visually represent anomaly points in the graph, wherein the graph in the GUI is updated in real-time to visually represent new anomaly points corresponding to updated values identified based on received adjustments of the first and second user-selectable interface elements.

29. A non-transitory computer readable medium having instructions encoded thereon that, when executed by a processing device, cause the processing device to:
- execute a search query over a period of time to produce values for a key performance indicator (KPI), the KPI associated with the search query that derives a value indicative of the performance of a service at a point in time or during a period of time, the value derived from machine data pertaining to one or more entities that provide the service;
  
  cause for display a graphical user interface (GUI) comprising a first user-selectable interface element that enables a user to indicate a sensitivity setting and a second user-selectable interface element that enables the user to indicate a training window comprising an interval of time;
  
  receive, via the first and second user-selectable interface elements of the GUI, user input indicating the sensitivity setting and the training window;
  
  identify one or more of the values as anomalies based on the sensitivity setting and the training window indicated by the user input, the sensitivity setting establishing a threshold by which the one or more values are considered as the anomalies with respect to a deviation from historical values for the KPI, the historical values corresponding to the training window, wherein identifying one or more of the values as anomalies comprises comparing one of the values against a predicted value, the comparing including determining an error value and determining the position of the error value in a range of error values; and
  
  cause for display, via an update to a graph in the GUI, information related to the values identified as anomalies to visually represent anomaly points in the graph, wherein the graph in the GUI is updated in real-time to visually represent new anomaly points corresponding to updated values identified based on received adjustments of the first and second user-selectable interface elements.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Sainani, Manish, Oliner, Adam Jamison, Leverich, Jacob Barton, Alekseyev, Leonid, Maheshwari, Sonal Barton
Primary Examiner(s)
Gofman, Alex

Application Number

US14/859,248
Publication Number

US 20160103838A1
Time in Patent Office

1,642 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 16/24   Querying

G06F 16/2462   Approximate or statistical ...

G06F 16/2477   Temporal data queries

G06F 3/0488   using a touch-screen or dig...

H04L 41/22   comprising specially adapte...

H04L 41/5012   determining service availab...

H04L 41/5032   Generating service level re...

H04L 41/5045   Making service definitions ...

Anomaly detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

89 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Anomaly detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links