Could you please verify the mapping for the source.ip field in the data view you're running the Anomaly Detection on?
It is possible that the source.ip field in your data is mapped as text or some other non-aggregatable type. Here's a link to another Discuss issue that talks about that specific error, and ways to tackle it.