I would like to know what is the difference between “count”, “low count”, and “high count”.
I assume that the “count” function includes the results from “low count”, “high count” and more. Please correct me if I’m wrong.
If that's true, can you please give an example or show some of the results from “count” that are not from “low count” nor “high count”?
The count detector function finds anomalous deviations in the rate of documents/events on both the "high side" and the "low side" (i.e. spikes and dips) - whereas the one-sided functions of low_count and high_count only find anomalies on the low side and the high side, respectively.
As an example, you might pick low_count as an appropriate detector to track online orders per unit time because you only might want to know if your orders are less than expected (as having orders be higher than expected is likely a "good" thing). Alternatively, if you're looking for DDOS activity, then only looking for anomalies on the high side makes sense, thus an appropriate use of high_count.
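An added illustration of the sidedness described in the answer above; it is not part of the original posts and does not reproduce Elastic's anomaly model. A median/MAD score stands in for the real model, and the bucket counts, the threshold and the helper names are constructed for the example.

```python
from statistics import median

# Constructed sample: events per time bucket.
# Bucket 5 is a spike (e.g. a flood of requests), bucket 9 is a dip (e.g. an outage).
COUNTS = [100, 98, 103, 101, 99, 400, 102, 97, 100, 5, 101, 99]

# Which side(s) of the baseline each detector function reports on.
SIDES = {
    "count": ("high", "low"),   # two-sided: spikes and dips
    "high_count": ("high",),    # one-sided: spikes only
    "low_count": ("low",),      # one-sided: dips only
}

def robust_scores(counts):
    """Signed deviation of each bucket from the median, in MAD-based sigma units.
    Stand-in scoring only; the real detectors use a learned probabilistic model."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0
    return [(c - med) / (1.4826 * mad) for c in counts]

def detect(counts, function, threshold=6.0):
    """Return (bucket_index, count, side) for buckets the given function would flag."""
    sides = SIDES[function]
    hits = []
    for i, score in enumerate(robust_scores(counts)):
        if score >= threshold and "high" in sides:
            hits.append((i, counts[i], "high"))
        elif score <= -threshold and "low" in sides:
            hits.append((i, counts[i], "low"))
    return hits

if __name__ == "__main__":
    for fn in ("count", "high_count", "low_count"):
        print(f"{fn:<10} -> {detect(COUNTS, fn)}")
```

In this sketch the two-sided detector flags exactly the buckets the two one-sided detectors flag between them; the difference is which of those buckets an alerting job built on each function would surface.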