How Anomaly Detection?

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
Hi everybody.
i just started opensearch, i am setting up a lab for anomaly detection from log(syslog and *.log). but I don’t understand how it works yet. Why was it discovered? What is Expected Value? How calculated this value can be compared to the Feature output. and 2 Confidence . values
Does Anomaly grade have a formula for calculating no. Hope everybody help please. tks

Describe the issue:


Relevant Logs or Screenshots: