Anomaly Detections deviation calculations
Discover computes standard deviations, which are used to populate Anomaly Detections. At a global level, you can configure the days over which Anomaly Detections are calculated. In either mode, Hourly and Daily Anomaly Detections are available. You can configure consecutive days or same day calculations. Consecutive Days mode is useful for monitoring variation of recent activity. For a longer term perspective, Same Days may be a better choice. Discover administrators can configure the calculation mode through thePortal Management page. Switching between Anomaly Detection Calculation Modes results in the clearing of the old data from the database. When the mode is changed, data can be back-populated where possible. Avoid changing modes frequently.
Consecutive Days
When Anomaly Detections are computed over consecutive days, the data set includes the focus day and all days preceding it that have not been trimmed. In this table, F indicates the focus day, and SD indicates the data required to calculate the standard deviation for a 7 consecutive-day Anomaly Detection calculation. The Anomaly Detection calculation requires 8 days of data.
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| SD | SD | SD | SD | SD | SD | |
| SD | F |
When Anomaly Detections are calculated in Consecutive Days mode, you can see data within a few days, instead of waiting four weeks to see a valid data set in the Same Days mode.
Same Days
In Same Days mode, anomaly detections are calculated based on the values for the same hour or day from the preceding weeks. For example, deviation values for Wednesday are computed using data from the previous Wednesday. In this table, F indicates the focus data, and SD indicates the data that is used to calculate the standard deviation for the 4 same-day Anomaly Detection calculation. The Anomaly Detection calculation requires 5 weeks of data.
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| SD | ||||||
| SD | ||||||
| SD | ||||||
| SD | ||||||
| F |
Depending on how much data is available, Same Days mode computes Anomaly Detections over the preceding 4 to 16 weeks of data. If insufficient data is available to complete the minimum number, no data is displayed for the Anomaly Detection in the report.
Rolling window
To complete calculation of an Anomaly, this table indicates the default required number of data points for the calculation:
| Calculation Mode | Default Minimum Number of Data Points | Default Maximum Number of Data Points |
|---|---|---|
| Consecutive Days | 4 days | 16 days |
| Same Days | 4 weeks | 16 weeks |
Calculations are made by looking backward from the current date to the date indicated by the Maximum Number of Data Points.
- To complete a valid calculation, the Minimum Number of Data Points must be present. If the minimum number of data points is present, then the standard deviation and average calculations can be completed.
- For event-based Anomalies, the count of data points does not include any tabulations for null values, which can occur during periods when the event was inactive or data was not available.
- For ratio-based Anomaliess, the count of data points does include any tabulations during periods when the event was inactive or data was not available. The standard deviation and average calculations ignore the null value data point.
Configuring the data volume of the rolling window
The minimum number and maximum number of days of data that is required for a valid Anomaly Detection calculation are defined by parameter:
Anomaly Detections - Minimum data points for calculationsAnomaly Detections - Maximum data points for calculations