Sum Functions

Detect anomalies where the sum of a field in a bucket is anomalous. Use high_ sided functions if you wish to monitor unusually high totals. Use low_ sided functions if you wish to look at drops in totals.

Use non_null_sum functions if your data is sparse; buckets without values will be ignored, whilst buckets with a zero value will be analyzed. Population analysis (i.e. using an over field) is not applicable for non_null_sum functions.

sum(<field>) [by <field1>] [over <field2>]
high_sum(<field>) [by <field1>] [over <field2>]
low_sum(<field>) [by <field1>] [over <field2>]

non_null_sum(<field>) [by <field1>]
high_non_null_sum(<field>) [by <field1>]
low_non_null_sum(<field>) [by <field1>]

Note: Unless documented otherwise above, by and over fields can be applied to every function. Further configuration options are available, which are described in the Detector Configuration section:

function(field1) [by <field2>] [over <field3>] [partitionfield=<field4>] [summarycountfield=<field5>] [categorizationfield=<field6>] [excludefrequent=true] [usenull=true]

sum

Detect anomalies where the sum of a field in a bucket is anomalous.

Example 1

high_sum(cs_bytes) over cs_host
  • Models total cs_bytes
  • Detects cs_hosts that transfer unusually high volumes compared to other cs_hosts

Look for volumes of data transferred from a client out to a server on the internet that are unusual compared to other clients. This could be useful to detect data exfiltration or to find users abusing internet privileges.

Example 2

sum(expenses) by costcenter over employee
  • Models total expenses for each costcenter
  • Detects when an employee’s expenses are unusual for a costcenter compared to other employees

For this cost center expenses analysis, alerts will also be raised when many employees are anomalous close together in time.

non_null_sum

Use non_null_ functions if your data is sparse; buckets without values will be ignored, whilst buckets with a zero value will be analyzed. Population analysis (i.e. using an over field) is not applicable for non_null_ functions.

Example 1

non_null_sum(approved_amount) by employee
  • Models total approved_amounts for each employee
  • Ignores any buckets where the amount is null
  • Detects employees who approve unusual amounts compared to their past behavior

For this credit control system analysis, using non_null_sum will ignore periods where the employees are not active on the system.
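The following is an added example, not code from the product or from this documentation. It is a small Python model of the bucketing semantics described above: it parses detector expressions in the form used on this page, totals a field per bucket for the plain sum and non_null_sum cases, and applies a deliberately simple stand-in for the population comparison used by an over field. The records, the 60-second bucket span and the outlier rule (a member's total more than five times the median of the other members) are all constructed assumptions for illustration; the real analysis uses a statistical model, not a fixed factor. The credit-control records show the difference the page describes: with sum, alice's inactive bucket becomes a zero total that looks like a drop, whereas non_null_sum leaves her out of that bucket entirely.

```python
"""Toy model of sum / non_null_sum bucketing (added example, not product code)."""
import re
from collections import defaultdict
from statistics import median

BUCKET_SPAN = 60  # seconds per bucket; assumed for this example

# Constructed records: (timestamp_seconds, entity, value). None means the field is absent.
CREDIT_RECORDS = [
    (5, "alice", 100), (20, "alice", 150),   # bucket 0
    (65, "bob", 80),                         # bucket 60: alice has no records at all
    (125, "alice", 120), (130, "bob", 90),   # bucket 120
]
TRAFFIC_RECORDS = [
    (0, "hostA", 1_000), (10, "hostB", 1_200), (20, "hostC", 900), (30, "hostD", 1_100),
    (70, "hostA", 1_050), (75, "hostB", 1_150), (80, "hostC", 40_000), (85, "hostD", 950),
]

DETECTOR_RE = re.compile(
    r"^(?P<func>(?:high_|low_)?(?:non_null_)?sum)\((?P<field>\w+)\)"
    r"(?:\s+by\s+(?P<by>\w+))?(?:\s+over\s+(?P<over>\w+))?$"
)


def parse_detector(expr):
    """Parse 'func(field) [by f] [over f]' as written on the page and enforce the
    rule that non_null_sum cannot be combined with an over field."""
    m = DETECTOR_RE.match(expr.strip())
    if not m:
        raise ValueError(f"not a sum detector: {expr!r}")
    d = m.groupdict()
    d["non_null"] = "non_null" in d["func"]
    d["side"] = ("high" if d["func"].startswith("high_")
                 else "low" if d["func"].startswith("low_") else "both")
    if d["non_null"] and d["over"]:
        raise ValueError("population analysis (over) is not applicable to non_null_sum")
    return d


def bucket_sums(records, bucket_span, non_null):
    """Return {bucket_start: {entity: total}}.
    sum: every entity seen anywhere gets a total in every bucket; no records, or an
    absent field, count as 0, so an inactive period looks like a drop to zero.
    non_null_sum: absent values contribute nothing and an entity with no values in a
    bucket is left out of that bucket, so it is not analysed there."""
    entities = {e for _, e, _ in records}
    last = max(t for t, _, _ in records) // bucket_span
    out = {}
    for b in range(last + 1):
        out[b * bucket_span] = {} if non_null else {e: 0 for e in entities}
    for t, e, v in records:
        if v is None:
            continue
        start = (t // bucket_span) * bucket_span
        out[start][e] = out[start].get(e, 0) + v
    return out


def population_outliers(bucket_totals, side, factor=5.0):
    """Stand-in for the over-field comparison (assumed rule, not the real model): in
    each bucket flag members whose total exceeds `factor` times the median of the
    other members (high side) or falls below the median divided by `factor` (low side)."""
    hits = []
    for start, totals in bucket_totals.items():
        for e, v in totals.items():
            others = [x for o, x in totals.items() if o != e]
            if not others:
                continue
            m = median(others)
            if side in ("high", "both") and v > factor * m:
                hits.append((start, e, "high"))
            if side in ("low", "both") and v < m / factor:
                hits.append((start, e, "low"))
    return hits


def run(expr, records, bucket_span=BUCKET_SPAN):
    """Parse the detector, bucket the records and return (totals, population hits)."""
    d = parse_detector(expr)
    totals = bucket_sums(records, bucket_span, d["non_null"])
    if d["over"]:
        return totals, population_outliers(totals, d["side"])
    return totals, []


if __name__ == "__main__":
    print(run("sum(approved_amount) by employee", CREDIT_RECORDS)[0])
    print(run("non_null_sum(approved_amount) by employee", CREDIT_RECORDS)[0])
    print(run("high_sum(cs_bytes) over cs_host", TRAFFIC_RECORDS)[1])
```

Running it shows alice with a total of 0 in the 60-second bucket under sum but absent from that bucket under non_null_sum, and hostC flagged as a high-side outlier in the second traffic bucket, matching the page's data-transfer example.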
