EnglishFrenchSpanish

Ad


OnWorks favicon

anomaly - Online in the Cloud

Run anomaly in OnWorks free hosting provider over Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

This is the command anomaly that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

PROGRAM:

NAME


anomaly - anomalous data detection

SYNOPSIS


anomaly [-h|--help] [-v|--version] [-d|--details]
[-t|--threshold] [--min N] [--max N]
[-s|--stddev] [-n|--sample N] [-c|--coefficient N]
[-q|--quiet]
[-e|--execute PROGRAM]
[-p|--pid PID]

DESCRIPTION


Anomaly can detect anomalous data in a numeric stream. In order to do this, anomaly needs
to see a stream of numeric data, and apply one of its detection methods. If an anomaly is
detected, a response is made, chosen from one or more built in methods.

NUMERIC STREAM


Anomaly works best in a pipe, and will read only numeric data from its input. As a simple
example, suppose you wish to monitor load average and look for unusual spikes. The load
average can be obtained from the 'uptime' command:

$ uptime
11:40 up 15 days, 4:04, 6 users, load averages: 0.38 0.32 0.32

We can extract the 5-minute load (the second of the three numbers) using this:

$ uptime | cut -f 13 -d ' '
0.29

That number can be extracted once a minute, using this:

$ while [ 1 ]; do uptime | cut -f 13 -d ' '; sleep 60; done
0.29
0.26
0.19

That is the kind of data stream that anomaly monitors. White space (spaces, tabs,
newlines) between the numbers are ignored, so we can simulate the above stream like this:

$ echo 0.29 0.26 0.19

This is a convenient way to demonstrate anomaly, shown below.

DETECTION - THRESHOLD


The simplest detection method is threshold, which compares the data to an absolute value.
This method can use a minimum and a maximum value for comparison. These alternatives are
all valid, and make use of --min, --max or both:

anomaly --threshold --min 1.22 --max 9.75
anomaly --threshold --min 1.22
anomaly --threshold --max 9.75

In the following example, the values '1' and '10' would be detected as anomalies:

$ echo 2 1 3 6 10 5 | anomaly --threshold --min 1.5 --max 8
Anomalous data detected. The value 1 is below the minimum of 1.5.
Anomalous data detected. The value 10 is above the maximum of 8.

DETECTION - STANDARD DEVIATION


Standard deviation measures differences from the mean value of a sample of data, and is
useful for detecting extraordinary values. The sample size can be chosen such that there
is enough data to determine a good mean value, but defaults to 10. The limited sample
size means that a rolling window of data is used, and therefore the mean and standard
deviation is updated for the current window. This makes the monitoring somewhat adaptive.
Here is an example:

anomaly --stddev --sample 20

This uses a sample size of the 20 most recent values, and will detect any values that are
+/- 1 standard deviation from the mean. An example:

$ echo 1 2 3 4 5 6 | anomaly --stddev --sample 5
Anomalous data detected. The value 6 is more than 1 sigma(s) above the mean value
3, with a sample size of 5.

With a sample size of 5, comparisons being only after the 6th value is seen. In the
example, the mean value of [1 2 3 4 5] is 3, and the standard deviation is 1.58. This
means that the 6th value is considered an anomaly if it is within the range (3 +/- 1.58),
which is between 1.42 and 4.58.

To make this less sensitive, a coefficient is introduced, which defaults to 1.0 (as above)
but can be overridden:

$ echo 1 2 3 4 5 6 | anomaly --stddev --sample 5 --coefficient 1.9
$

In this example, the 6th value is not considered an anomaly because it is within the range
(3 +/- (1.9 * 1.58)), which is between -0.002 and 6.002.

RESPONSE - MESSAGE


The message response is the default, and consists of a single line of printed text. It is
a description of why the data value is considered an anomaly. Here is an example:

$ echo 1 2 3 | anomaly --threshold --max 2.5
Anomalous data detected. The value 3 is above the maximum of 2.5.

The message can be suppressed, but another response must be specified, so that there is
some kind of response:

$ echo 1 2 3 | anomaly --threshold --max 2.5 --quiet ...

RESPONSE - EXECUTE


Anomaly can execute a program in response to detection. Here an example uses the 'date'
command, but any program can be used:

$ echo 1 2 3 | anomaly --threshold --max 2.5 --quiet --execute '/bin/date +%s'
1361727327

RESPONSE - SIGNAL


Anomaly can send a USR1 signal to a program in response to detection:

$ echo 1 2 3 | anomaly --threshold --max 2.5 --quiet --pid 12345

This sends the USR1 signal to the process with PID 12345. The receiving program would
need to respond accordingly.

CREDITS & COPYRIGHTS


Copyright (C) 2013 Göteborg Bit Factory.

Anomaly is distributed under the MIT license. See http://www.opensource.org/licenses/mit-
license.php for more information.

Use anomaly online using onworks.net services


Free Servers & Workstations

Download Windows & Linux apps

Linux commands

Ad