I have been trying to figure out how to use the multi metric to find anomaly in IP address. Objective is to do something like gmail login notification if IP address or device type are different.
I created sample data from CSV with logindate, userid, ipaddress. In my data, the userid is always the same and logindate is always different. Out of 15,000 records, only 1 different ipaddress.
I created anomaly detection jobs by choosing count distinct userid as the field and ipaddress as the influencer. And there is no anomaly found. I tried to switch the two as in count distinct ipaddress as field and userid as the influencer, still no anomaly found.
May i know what is the problem? My data? or the way i pick the field and influencer?