Sum Functions

Detect anomalies where the sum of a field in a bucket is anomalous. Use high sided functions if you wish to monitor unusually high totals. Use low sided functions if you wish to look at drops in totals.

Use non_null_sum functions if your data is sparse; buckets without values will be ignored, whilst buckets with a zero value will be analyzed.

  • sum, high_sum, low_sum
  • non_null_sum, high_non_null_sum, low_non_null_sum

Note

Input data may contain pre-calculated fields giving the total count of some value, e.g. transactions per minute. Please ensure you are familiar with our advice on Summarization of Input Data, as that is likely to be a more appropriate method than using the sum function.

sum

Detect anomalies where the sum of a field in a bucket is anomalous. Use high sided functions if you wish to monitor unusually high totals. Use low sided functions if you wish to look at drops in totals.

  • fieldName: required
  • byFieldName: optional
  • overFieldName: optional

Example 1

{ "function" : "high_sum", "fieldName" : "cs_bytes", "overFieldName" : "cs_host" }
  • Models total cs_bytes
  • Detects cs_hosts that transfer unusually high volumes compared to other cs_hosts

Look for volumes of data transferred from a client out to a server on the internet that are unusual compared to other clients. This could be useful to detect data exfiltration or to find users abusing internet privileges.

Example 2

{ "function" : "sum", "fieldName" : "expenses", "byFieldName" : "costcenter", "overFieldName" : "employee" }
  • Models total expenses for each costcenter
  • Detects when an employee’s expenses are unusual for a costcenter compared to other employees

For this cost center expenses analysis, alerts will also be raised when many employees are anomalous in the same time bucket.

non_null_sum

Use non_null_sum functions if your data is sparse; buckets without values will be ignored, whilst buckets with a zero value will be analyzed. Use high sided functions if you wish to monitor unusually high totals. Use low sided functions if you wish to look at drops in totals. Population analysis (i.e. using an over-field) is not applicable for non_null_ functions.

  • fieldName: required
  • byFieldName: optional
  • overFieldName: N/A

Example 1

{ "function" : "high_non_null_sum", "fieldName" : "amount_approved", "byFieldName" : "employee" }
  • Models total amount_approved for each employee
  • Ignores any buckets where the amount is null
  • Detects employees who approve unusually high amounts compared to their past behavior

For this credit control system analysis, using non_null_sum will ignore periods where the employees are not active on the system.
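The following is an added illustration, not Elastic's code, of what the two bucket-total rules above amount to in practice. It builds sum and non_null_sum totals per bucket from constructed proxy-log style records (cs_host / cs_bytes, as in Example 1 of the sum function), applies a high-sided population comparison across cs_hosts within each bucket, and then shows how a by-field baseline differs depending on whether empty buckets are kept as zero or dropped. The leave-one-out z-score, the 60-second bucket span and the sample values are all assumptions standing in for the product's own probability model.

```python
"""Added example: bucketed sum vs non_null_sum, plus simplified high-sided
scoring.  Not Elastic ML code; scoring is a stand-in z-score, not the product's
probability model."""
from collections import defaultdict
from statistics import mean, pstdev

BUCKET_SPAN = 60  # seconds; constructed value

# Constructed records.  A None value means the field was absent from the record.
RECORDS = [
    {"ts": 5,   "cs_host": "host-a", "cs_bytes": 100},
    {"ts": 12,  "cs_host": "host-b", "cs_bytes": 120},
    {"ts": 20,  "cs_host": "host-c", "cs_bytes": 90},
    {"ts": 30,  "cs_host": "host-d", "cs_bytes": 4000},
    {"ts": 45,  "cs_host": "host-d", "cs_bytes": 1000},   # host-d totals 5000 in bucket 0
    {"ts": 70,  "cs_host": "host-a", "cs_bytes": 0},      # a genuine zero: still a value
    {"ts": 80,  "cs_host": "host-b", "cs_bytes": None},   # field missing: not a value
    {"ts": 130, "cs_host": "host-a", "cs_bytes": 95},
    {"ts": 140, "cs_host": "host-b", "cs_bytes": 110},
]


def bucket_sums(records, field_name, entity_field, bucket_span=BUCKET_SPAN, non_null=False):
    """Return {(bucket_start, entity): total}.

    sum:          every bucket in the data range is present for every entity;
                  a bucket with no records (or only null values) totals 0.
    non_null_sum: a bucket in which the entity had no non-null value is omitted;
                  a bucket whose only value is 0 is kept.
    """
    totals = defaultdict(float)
    has_value = set()
    entities = set()
    for r in records:
        b = (r["ts"] // bucket_span) * bucket_span
        e = r[entity_field]
        entities.add(e)
        v = r.get(field_name)
        if v is not None:
            totals[(b, e)] += v
            has_value.add((b, e))
    if non_null:
        return {k: totals[k] for k in sorted(has_value)}
    lo = (min(r["ts"] for r in records) // bucket_span) * bucket_span
    hi = (max(r["ts"] for r in records) // bucket_span) * bucket_span
    return {(b, e): totals.get((b, e), 0.0)
            for b in range(lo, hi + 1, bucket_span) for e in sorted(entities)}


def high_sum_population_outliers(sums, threshold=3.0):
    """Population (over-field) comparison, high side only: within each bucket,
    flag an entity whose total is more than `threshold` standard deviations
    above the mean of the *other* entities in that bucket (leave-one-out)."""
    by_bucket = defaultdict(dict)
    for (b, e), total in sums.items():
        by_bucket[b][e] = total
    flagged = []
    for b, per_entity in sorted(by_bucket.items()):
        for e, total in per_entity.items():
            others = [v for k, v in per_entity.items() if k != e]
            if len(others) < 2:
                continue
            z = (total - mean(others)) / max(pstdev(others), 1.0)  # floor avoids /0
            if z > threshold:
                flagged.append((b, e, total, round(z, 1)))
    return flagged


def baseline_vs_latest(sums):
    """By-field style view: each entity's latest bucket next to the mean of its
    own earlier buckets.  Under non_null_sum the inactive buckets are absent,
    so they do not drag the entity's baseline towards zero."""
    series = defaultdict(list)
    for (b, e), total in sorted(sums.items()):
        series[e].append(total)
    return {e: (mean(vals[:-1]) if len(vals) > 1 else None, vals[-1])
            for e, vals in series.items()}


if __name__ == "__main__":
    plain = bucket_sums(RECORDS, "cs_bytes", "cs_host")
    sparse = bucket_sums(RECORDS, "cs_bytes", "cs_host", non_null=True)
    print("sum buckets:", len(plain), " non_null_sum buckets:", len(sparse))
    print("high_sum outliers over cs_host:", high_sum_population_outliers(plain))
    print("host-b baseline (sum):", baseline_vs_latest(plain)["host-b"])
    print("host-b baseline (non_null_sum):", baseline_vs_latest(sparse)["host-b"])
```

Running it shows host-d flagged in the first bucket against the other three hosts, while host-b's bucket at 60 s (where cs_bytes was missing) is counted as 0 under sum but omitted under non_null_sum, which is exactly why the credit-control example above prefers non_null_sum for employees who are intermittently active.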