Order of Influencers in anomaly timeline overview?

willemdh · May 9, 2020, 7:59pm

Hello,

When I create an ml job, for example high_count by source.address with high cardinality influencers, for example on user.name. So I get a huge list of anomalies, but I can maximally show 50 in the anomaly timeline in the anomaly explorer. Are those 50 the ones with highest anomaly scores? Why do I find on the top of the list user names which seem to have 'less' anomalies then others more at the end of the list? How are the influencers ordered?

Most interesting for me are the ones with high actual values. Is there a way to only show the top 50 with the highest actual value in the anomaly explorer?

Grtz

Willem

richcollier · May 10, 2020, 11:02am

Take a look at this blog which describes how the scoring works and what the grid of influencers is telling you.

In a nutshell, it tells you which entities are the most unusual over the time-range you select. The most unusual bubble to the top of the grid

willemdh · May 10, 2020, 4:58pm

Thanks for the link. That clarifies somewhat.

system · June 7, 2020, 4:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.