The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

All anomaly event messages generated by Graylog's anomaly detection tool carry a common set of fields plus additional, detector-specific fields that depend on the detector the message originates from. The detector-specific fields are described in the anomaly detectors index for each detector that is enabled. The common fields populated in every anomaly event message are described in the following index.

Common Fields

| Field Name | Values | Notes | Example |
|---|---|---|---|
| anomaly_approximate_start_time | Timestamp | The approximate time when the anomaly happened. If customers are using OpenSearch 1.2 or later, this value comes directly from OpenSearch. On OpenSearch 1.1, this will be the halfway point between anomaly_data_start_time and anomaly_data_end_time. | 2022-03-09 15:23:28 |
| anomaly_confidence | Numeric 0.00 - 1.00 | The probability of the accuracy of the anomaly_score. The closer this number is to 1, the higher the accuracy. | 0.5 |
| anomaly_data_end_time | Timestamp | The end of the detection range of the aggregated data. | 2022-03-09 15:25:28 |
| anomaly_data_start_time | Timestamp | The start of the detection range of the aggregated data. | 2022-03-09 15:21:20 |
| anomaly_detector_id | String | The unique id of the anomaly detector. Non-human-readable and really only useful if someone is trying to use the OpenSearch APIs directly. | xBcAin8BhVrcFRn8vhUX |
| anomaly_detector_name | String | The name of the anomaly detector. These names are controlled by Graylog and form a limited, well-defined set. | windows_brute_force_logon |
| anomaly_execution_end_time | Timestamp | The actual end time of the detector for the specific run that produced the anomaly result. | 2022-03-09 15:26:28 |
| anomaly_execution_start_time | Timestamp | The actual start time of the detector for the specific run that produced the anomaly result. | 2022-03-09 15:23:28 |
| anomaly_feature_name | String | Name of the field or fields that the anomaly detection engine was analyzing for anomalous values (may not be useful for users). | anomdet_windows_logon_failed |
| anomaly_grade | Numeric 0.00 - 1.00 | Number between 0 and 1 that indicates how anomalous a data point is. An anomaly grade of 0 represents "not an anomaly," and a non-zero value represents the relative severity of the anomaly. This is a normalized version of anomaly_score. | 0.5 |
| anomaly_score | Numeric | Indicates the relative severity of an anomaly. The higher the score, the more anomalous a data point is. | 3.875 |
| event_source_product | String | Identifies anomaly messages for identification and pipeline routing purposes. (Same value as the source field.) | cell |
| message | String | Standard message field in all Graylog messages. Default format is [<detector_name>] Anomaly - - <anomaly_score> | graylog_anomaly |
| source | String | Standard source field in all Graylog messages. Will always be set to graylog_anomaly. (Same value as event_source_product.) | graylog_anomaly |
| timestamp | Timestamp | Standard timestamp field in all Graylog messages. Will be set to the time when Graylog pulled the anomaly data from OpenSearch; not directly related to when the anomaly happened. | 2022-03-09 15:31:52 |
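As an added example (not Graylog's own code or part of this content pack), the helper below shows how a pipeline or downstream triage script might consume these common fields: it identifies anomaly messages by source / event_source_product, reproduces the OpenSearch 1.1 fallback for anomaly_approximate_start_time as the midpoint of the data range, and ranks an event by anomaly_grade and anomaly_confidence. The sample event, the thresholds and the triage labels are constructed assumptions, not values defined by Graylog.

```python
from datetime import datetime

# Constructed sample anomaly event built from the field names and example values
# in the table above; it is not a message captured from a live Graylog instance.
SAMPLE_EVENT = {
    "source": "graylog_anomaly",
    "event_source_product": "graylog_anomaly",
    "anomaly_detector_name": "windows_brute_force_logon",
    "anomaly_detector_id": "xBcAin8BhVrcFRn8vhUX",
    "anomaly_data_start_time": "2022-03-09 15:21:20",
    "anomaly_data_end_time": "2022-03-09 15:25:28",
    "anomaly_score": 3.875,
    "anomaly_grade": 0.5,
    "anomaly_confidence": 0.5,
    "timestamp": "2022-03-09 15:31:52",
}

TS_FMT = "%Y-%m-%d %H:%M:%S"  # timestamp layout used by the examples in the table


def parse_ts(value):
    return datetime.strptime(value, TS_FMT)


def is_anomaly_event(event):
    """Both fields are documented as always holding graylog_anomaly; require both
    so a message with one spoofed or missing field is not routed as an anomaly."""
    return (event.get("source") == "graylog_anomaly"
            and event.get("event_source_product") == "graylog_anomaly")


def approximate_start_time(event):
    """Prefer the OpenSearch-provided value (1.2+). If it is absent, apply the
    OpenSearch 1.1 rule from the table: halfway between data start and end."""
    if event.get("anomaly_approximate_start_time"):
        return parse_ts(event["anomaly_approximate_start_time"])
    start = parse_ts(event["anomaly_data_start_time"])
    end = parse_ts(event["anomaly_data_end_time"])
    return start + (end - start) / 2


def triage(event, min_grade=0.3, min_confidence=0.4):
    """Assumed triage policy: grade 0 is documented as 'not an anomaly'; a
    non-zero grade is only escalated when the confidence is also acceptable."""
    if not is_anomaly_event(event):
        return "ignore"
    grade = float(event.get("anomaly_grade", 0.0))
    confidence = float(event.get("anomaly_confidence", 0.0))
    if grade == 0.0:
        return "not_anomaly"
    if grade >= min_grade and confidence >= min_confidence:
        return "alert"
    return "review"
```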