This is the command anomaly that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
PROGRAM:
NAME
anomaly - anomalous data detection
SYNOPSIS
anomaly [-h|--help] [-v|--version] [-d|--details]
[-t|--threshold] [--min N] [--max N]
[-s|--stddev] [-n|--sample N] [-c|--coefficient N]
[-q|--quiet]
[-e|--execute PROGRAM]
[-p|--pid PID]
DESCRIPTION
Anomaly can detect anomalous data in a numeric stream. In order to do this, anomaly needs
to see a stream of numeric data, and apply one of its detection methods. If an anomaly is
detected, a response is made, chosen from one or more built in methods.
NUMERIC STREAM
Anomaly works best in a pipe, and will read only numeric data from its input. As a simple
example, suppose you wish to monitor load average and look for unusual spikes. The load
average can be obtained from the 'uptime' command:
$ uptime
11:40 up 15 days, 4:04, 6 users, load averages: 0.38 0.32 0.32
We can extract the 5-minute load (the second of the three numbers) using this:
$ uptime | cut -f 13 -d ' '
0.29
That number can be extracted once a minute, using this:
$ while [ 1 ]; do uptime | cut -f 13 -d ' '; sleep 60; done
0.29
0.26
0.19
That is the kind of data stream that anomaly monitors. White space (spaces, tabs,
newlines) between the numbers are ignored, so we can simulate the above stream like this:
$ echo 0.29 0.26 0.19
This is a convenient way to demonstrate anomaly, shown below.
DETECTION - THRESHOLD
The simplest detection method is threshold, which compares the data to an absolute value.
This method can use a minimum and a maximum value for comparison. These alternatives are
all valid, and make use of --min, --max or both:
anomaly --threshold --min 1.22 --max 9.75
anomaly --threshold --min 1.22
anomaly --threshold --max 9.75
In the following example, the values '1' and '10' would be detected as anomalies:
$ echo 2 1 3 6 10 5 | anomaly --threshold --min 1.5 --max 8
Anomalous data detected. The value 1 is below the minimum of 1.5.
Anomalous data detected. The value 10 is above the maximum of 8.
DETECTION - STANDARD DEVIATION
Standard deviation measures differences from the mean value of a sample of data, and is
useful for detecting extraordinary values. The sample size can be chosen such that there
is enough data to determine a good mean value, but defaults to 10. The limited sample
size means that a rolling window of data is used, and therefore the mean and standard
deviation is updated for the current window. This makes the monitoring somewhat adaptive.
Here is an example:
anomaly --stddev --sample 20
This uses a sample size of the 20 most recent values, and will detect any values that are
+/- 1 standard deviation from the mean. An example:
$ echo 1 2 3 4 5 6 | anomaly --stddev --sample 5
Anomalous data detected. The value 6 is more than 1 sigma(s) above the mean value
3, with a sample size of 5.
With a sample size of 5, comparisons being only after the 6th value is seen. In the
example, the mean value of [1 2 3 4 5] is 3, and the standard deviation is 1.58. This
means that the 6th value is considered an anomaly if it is within the range (3 +/- 1.58),
which is between 1.42 and 4.58.
To make this less sensitive, a coefficient is introduced, which defaults to 1.0 (as above)
but can be overridden:
$ echo 1 2 3 4 5 6 | anomaly --stddev --sample 5 --coefficient 1.9
$
In this example, the 6th value is not considered an anomaly because it is within the range
(3 +/- (1.9 * 1.58)), which is between -0.002 and 6.002.
RESPONSE - MESSAGE
The message response is the default, and consists of a single line of printed text. It is
a description of why the data value is considered an anomaly. Here is an example:
$ echo 1 2 3 | anomaly --threshold --max 2.5
Anomalous data detected. The value 3 is above the maximum of 2.5.
The message can be suppressed, but another response must be specified, so that there is
some kind of response:
$ echo 1 2 3 | anomaly --threshold --max 2.5 --quiet ...
RESPONSE - EXECUTE
Anomaly can execute a program in response to detection. Here an example uses the 'date'
command, but any program can be used:
$ echo 1 2 3 | anomaly --threshold --max 2.5 --quiet --execute '/bin/date +%s'
1361727327
RESPONSE - SIGNAL
Anomaly can send a USR1 signal to a program in response to detection:
$ echo 1 2 3 | anomaly --threshold --max 2.5 --quiet --pid 12345
This sends the USR1 signal to the process with PID 12345. The receiving program would
need to respond accordingly.
CREDITS & COPYRIGHTS
Copyright (C) 2013 Göteborg Bit Factory.
Anomaly is distributed under the MIT license. See http://www.opensource.org/licenses/mit-
license.php for more information.
Use anomaly online using onworks.net services
