outlier

Use this command to find irregular or uncommon field values in the results.

Syntax

outlier <outlier_options> <field_name> [, <field_name>, ...] [as <new_field_name>]

Parameters

The following table lists the parameters used with this command, along with their descriptions.

Parameter Description
field_name Use this parameter to specify the field for which anomalous values must be found.
outlier_options

Syntax: [action = [annotate | filter]] [remove = [true|false]]

action: The annotate action returns the outlier flag as a field in the result. The filter action returns only the results with irregular field values. If action is not specified, then the default filter is used.

remove: Remove the results where field values are determined to be irregular. If remove is not specified, then the default false is used.

The following query finds the anomalous content size:

* | link Entity
 | stats sum('Content Size Out') as 'Content Size Out'
| outlier 'Content Size Out'
'Content Size Out' != null 
| stats sum('Content Size Out') as 'Content Size Out' by Entity
| outlier 'Content Size Out'