Anomaly detection is enabled by default for all customers. Only a SysAdmin can enable or disable Anomaly detection from the Company Settings page.
With anomaly detection enabled, your organization is permitted to analyze up to 20 metrics daily. Of those 20 metrics, you can enable five to be analyzed hourly. When enabled, you can choose the 20 metrics you want. Using anomaly detection can incur additional workload for the system.
An "anomaly" is a deviation from what is standard, normal, or expected. Anomalies can be categorized by type as follows:
- Point anomalies: A single instance of data is set apart from the rest. For example, if a credit card customer's monthly purchases are historically at 250 dollars, a transaction of 3500.00 would be anomalous and might signal fraudulent activity.
- Contextual anomalies: Most common in time-series data, a contextual anomaly is "context specific". For example, 100 gift card purchases a day during the holiday season is normal, but may be unusual otherwise.
- Collective anomalies: A set of data instances that collectively assist in detecting anomalies. For example, one of your users unexpectedly copying data from a remote machine to a local host might be flagged as a potential attack on your network.
Anomaly detection identifies atypical patterns in data. These unusual patterns are sometimes referred to as "outliers".
You can specify the report metrics to be monitored by anomaly detection. For the metrics specified, anomaly detection takes the following action:
- Loads historical data.
- Calculates the model and anomaly points.
- Ranks the contributing factors.
- Presents the information visually in a separate anomaly detection data view in the report.
Let’s say that you have a report that tracks successful checkouts. You want to know when the number of checkouts deviates from the norm, so you select the checkout metric for anomaly detection. Anomaly detection monitors the metric against historical data, calculating and quantifying deviations in the metric. A trend is detected in which the typical number of successful checkouts over the weekend is 15% less than on weekdays. An anomaly is then detected when the number of checkouts suddenly drops even further. Anomaly detection flags the anomaly in the report and ranks the factors that contribute to the drop in successful checkouts.
For newly created events and metrics, anomaly detection provides results after 14 full days of data collection. If you enable anomaly detection on events that have existed for more than 14 days, the analysis should be available in ten to thirty minutes. After the initial calculations, anomaly detection is updated only once each day. Also, missing values should not make up more than 50% of the data.
In some scenarios, for example when a single metric has many anomaly points and metric dimensions that have many distinct values, anomaly detection can take longer than 30 minutes to display data.
Anomaly detection recalculates when you change contributing factors, or when you enable anomaly detection on a different metric. Also, if you remove a metric on which anomaly detection runs, delete a report, or delete a workspace, old anomaly detection data is removed.
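The checkout scenario above, as an added illustration that is not the product's algorithm (this page does not describe it): a weekday/weekend baseline scored with a median/MAD modified z-score, the 14-day and 50% missing-data preconditions, and a simple contributing-factor ranking. The function names, the 3.5 threshold, and the sample data are assumptions constructed for this example.

```python
from datetime import date, timedelta
from statistics import median

MIN_DAYS = 14      # page: results require 14 full days of data
MAX_MISSING = 0.5  # page: missing values should not exceed 50%

def bucket(day, contextual):
    # Assumed context: weekend vs weekday, as in the checkout example.
    if not contextual:
        return "all"
    return "weekend" if day.weekday() >= 5 else "weekday"

def detect(series, contextual=True, threshold=3.5):
    """series: list of (date, value-or-None). Returns sorted anomalous dates."""
    if len(series) < MIN_DAYS:
        raise ValueError("need at least 14 days of history")
    present = [(d, v) for d, v in series if v is not None]
    if 1 - len(present) / len(series) > MAX_MISSING:
        raise ValueError("more than 50% of values are missing")
    groups = {}
    for d, v in present:
        groups.setdefault(bucket(d, contextual), []).append((d, v))
    flagged = []
    for points in groups.values():
        med = median(v for _, v in points)
        mad = median(abs(v - med) for _, v in points) or 1.0
        # Modified z-score (median/MAD), robust to the outlier itself.
        flagged += [d for d, v in points
                    if abs(0.6745 * (v - med) / mad) > threshold]
    return sorted(flagged)

def rank_factors(baseline, observed):
    """Order (dimension, value) pairs by absolute change in the metric."""
    keys = set(baseline) | set(observed)
    delta = {k: observed.get(k, 0) - baseline.get(k, 0) for k in keys}
    return sorted(keys, key=lambda k: (-abs(delta[k]), k))

def sample_series():
    """Constructed data: 4 weeks from Monday 2024-01-01, weekends ~15% lower."""
    start, rows = date(2024, 1, 1), []
    for i in range(28):
        day = start + timedelta(days=i)
        base = 850 if day.weekday() >= 5 else 1000
        rows.append((day, base + (i % 5) * 5 - 10))
    rows[-1] = (rows[-1][0], 500)  # constructed drop on the last Sunday
    return rows

if __name__ == "__main__":
    s = sample_series()
    print("contextual:", detect(s))
    print("global:", len(detect(s, contextual=False)), "days flagged")
```

With `contextual=False` the same data flags every weekend day, which is why the weekend trend has to be part of the baseline before the further drop stands out.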
Practical uses for anomaly detection
Anomaly detection can be used for the following business cases:
- Traffic dropped or spiked: Detect unusual changes to the normal levels of traffic, which might not be steady over the year. Anomaly detection can determine what is the normal traffic pattern and flag an anomaly when traffic deviates from that norm.
- Transactions or revenue dropped: Anomaly detection can determine what is the normal pattern for transactions or revenue and flag an anomaly when they drop below that norm.
- Traffic from social media increased or decreased: Marketers can be alerted if there is a sudden change in the social media traffic pattern. This change might be caused by their tweet going viral or their campaign on Facebook being penalized for using too much text.
- Traffic from organic search increased or decreased: For SEO, if the amount of traffic from search engines drops, it might be a sign that there were changes in the ranking algorithms. The website might need to be updated to receive a better rank under the current evaluation criteria.
You can find specific sessions where anomalies occurred by looking at a report that contains an anomaly, then:
- Click on the anomaly > View contributing factors.
- From the Metrics table > Action column, click Suggestions > Search aggregated sessions to see the session list with the event that caused the anomaly.
- When looking at the session list, select a session. In the Raw Data tab, a green dot marks the parts of the session that meet the anomaly criteria, so you can view the exact point in the session where the anomaly occurred.
Anomaly detection calculation over time
For example, there was a launch of an iOS app in August that created a large spike in iOS traffic. That traffic spike was correlated to the anomaly (increase) in the overall session count. In September, an Android app was launched, creating its own spike in traffic. Is that presented separately for each anomaly?
For the launch of the iOS app, the top contributing item for the "Session Count" metric is the "Platform" dimension with a value of "iOS". The second contributing item is the "Platform" dimension with a value of "Android". However, if you set "revenue" as the metric, the "Session Count" metric has "Platform" dimension with the value of "iOS" as the first contributor and "Android" as second contributor.
Anomaly detection holiday list
Anomaly detection comes with a default list of holidays that the Administrator can download from the Company Settings page.
The administrator can customize the contents of AnomalyHoliday_Default.csv so that it lists and uses holidays that are specific to your organization.
Holidays represent a type of contextual anomaly associated with time-based data. For example, a 20 percent spike in gift certificate purchases is normal on Black Friday, but unusual outside of that day.