Anomaly detection: Why is this not an anomaly?


I couldn’t find a category for AD or plugins in general, so posting here instead.
Small disclaimer: This is using ES OSS with latest OpenDistro plugins.

I started my testing detector almost a month ago, so I have some decent data.
It’s easier if I just show you:

I’m confused as to why the fluctuations on January 12, 22-26 and 31 are not considered anomalous.

The detector monitors syslog messages from network equipment and the feature looks at BFD Link Down events. It has a 10 minute interval and 1 minute window delay. Window size is 2.


So this is less of a technical answer and more of an arbitrary experience point. Anomaly detection is an imprecise science that takes a bit of tuning. What may be happening here is that there are enough anomalies that it has started to detect them as normal now. I am not an expert in this space, but that is what I experienced with another Random Cut Forest (RCF) model I tried to deploy.

Curious to hear other people's thoughts. Also, one thing that you may want to try is messing with the confidence intervals and bucketing.

I think this might be a matter of the anomaly confidence at the time. In the screenshot, the confidence never rises above .67, which probably makes the algorithm less likely to feel that something is anomalous.

Here's another thing to take into consideration: before that first anomaly it does look like your confidence interval was close to 1.0, but then there was an anomaly and it dropped down to about .5. This is another good indicator that the algorithm is still collecting enough data to notice long-term patterns. How long has the detector been running?
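As an added toy example (not from the thread and not the OpenDistro RCF detector), the Python below scores constructed per-10-minute counts of BFD Link Down messages against a trailing baseline to illustrate the two points raised in the replies: a detector that folds earlier anomalies into its baseline stops flagging repeats of them, and it only commits to anomalies once its history is full. The history length, threshold and the 8-event bursts are assumptions chosen for the illustration.

```python
from statistics import mean, pstdev
from typing import List, NamedTuple

# Constructed example data (not from the thread): the number of "BFD Link Down"
# syslog messages seen in each 10-minute detector interval. Normal traffic is
# 0-1 events per interval; a burst of 8 events appears once, then every second
# interval from interval 20 onwards.
BFD_DOWN_PER_INTERVAL = [0, 1] * 6 + [0, 1, 0, 1, 8, 0, 1, 0, 8, 0, 8, 0, 8, 0, 8, 0]

class Result(NamedTuple):
    interval: int
    score: float       # z-score against the trailing baseline
    confidence: float  # fraction of the history window actually filled
    anomaly: bool

def score_series(counts: List[int], history: int = 12, threshold: float = 3.0,
                 min_confidence: float = 0.5) -> List[Result]:
    """Toy stand-in for a learned baseline: each interval is compared with the
    trailing `history` intervals, and a result only counts as an anomaly once
    enough history exists (the warm-up the thread calls confidence).
    Past anomalies are NOT excluded from the baseline, so frequent bursts
    inflate the mean and spread and later identical bursts score lower."""
    out = []
    for i, x in enumerate(counts):
        window = counts[max(0, i - history):i]
        confidence = min(1.0, len(window) / history)
        if len(window) < 2:
            out.append(Result(i, 0.0, round(confidence, 2), False))
            continue
        mu = mean(window)
        sd = max(pstdev(window), 0.5)  # floor so a flat baseline does not divide by ~0
        score = (x - mu) / sd
        out.append(Result(i, round(score, 2), round(confidence, 2),
                          score > threshold and confidence >= min_confidence))
    return out

if __name__ == "__main__":
    for r in score_series(BFD_DOWN_PER_INTERVAL):
        if BFD_DOWN_PER_INTERVAL[r.interval] >= 8:
            print(f"interval {r.interval:2d}: count=8 score={r.score:5.2f} "
                  f"confidence={r.confidence:.2f} anomaly={r.anomaly}")
```

The first two bursts score 15.0 and about 3.2 and are flagged; from the third burst on the baseline already contains earlier bursts and the score drops to about 2.2 and below, so identical spikes are no longer reported.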