Skip to main content

Outputs

This section summarizes the mathematical outputs across all related methods of TIM Anomaly Detection with a kpi-driven approach.

CSV result (table)

There are two differently structured result tables; the one that is returned is based on the type of anomaly detection job.

build-model, rebuild-model, detect and what-if jobs

The first table below gives an overview of the output to expect of the tabular response (csv output) for anomaly detection jobs of type build-model, rebuild-model, detect and what-if:

timestampmodel_indexkpinormal_behavioranomaly_codeanomalyindicator"name of Detection Perspective"
2020-10-12T03:00:00.0470115.1671277.2400.31
2020-10-12T04:00:00.0583422.4783687.4300.45
2020-10-12T05:00:00.0685931.0192960.3200.72
2020-10-12T06:00:00.0791858.2890857.3811.23
2020-10-12T07:00:00.0894156.5291852.3900.33
2020-10-12T08:00:00.0994503.0893413.5800.56

Timestamp

The timestamp column represents the timestamp that corresponds to the given row of outputs.

Model index

The model_index column represents the index of the model that was used for the normal behavior evaluation of the KPI. The number of possible model indices depends on the configuration of the daily cycle parameter.

KPI

The kpi column shows the actual value of the selected KPI column for anomaly detection.

Normal behavior

Each row of the normal-behavior column contains a real number returned from the normal behavior model evaluation for a given data point. This number describes how the KPI is expected to behave under the circumstances given by the influencers.

Anomaly code

The anomaly_code column contains integer values from 0 to 3 indicating whether there is an anomaly in the KPI for a given timestamp. The returned value is evaluated based on all anomaly indicators (corresponding to the determined detection perspectives).

In case the anomaly indicators for all detection perspectives were calculated, the anomaly code is 1 in case at least one anomaly indicator is above 1, and 0 otherwise. In case the anomaly indicator for at least one detection perspective was not calculated, the anomaly code is 3 in case at least one of anomaly indicator is above 1, and 2 otherwise.

Anomaly indicators

For each of the included detection perspectives, a column is included for the corresponding anomaly indicator. These columns contain numbers from the interval (0, infinity) that specify the extent to which a given data point in time is anomalous. Data points with an anomaly indicator higher than 1 are considered anomalous. See the anomaly indicator section to learn more.

RCA jobs

The table presented below provides an overview of the expected output in tabular form (CSV output) for anomaly detection jobs of type RCA:

timestampterm_1term_2term_3term_Nyhat_1yhat_2yhat_3yhat_Npredictor_1predictor_2predictor_3predictor_N
2014-10-25T04:00:00.02546900943.0562419431984198732961443198412871396
2014-10-26T04:00:00.0245150005409.623421952104208931232943158429871496
2014-10-27T04:00:00.0210320065363.41232211219021682762214219842987996
2014-10-28T04:00:00.02301100543.55452189215421674153643198419871996
2014-10-29T04:00:00.0222543298332125672592259831121143148419871996
2014-10-30T04:00:00.0215543551235.613425322490248741234943198419871996

Root cause analysis (RCA)

The root cause analysis (RCA) result provides additional information on the contributions of terms and predictors within the scope of the normal behavior model. The sum of contributions across terms is equal to the sum across predictors, although it represents a different perspective on examining these contributions. By considering both the term and predictor contributions, a more comprehensive understanding of the factors influencing the normal behavior estimation can be obtained during the root cause analysis process. See the root cause analysis section to learn more.

Model result

A model result consists of three parts: settings, normalBehaviorModel and anomalousBehaviorModel. The table below shows the availability of the model result in the anomaly detection methods:

Configuration fieldbuild-modelrebuild-modeldetectrca
model

available in a given method
not available in a given method

Anomaly detection jobs of type build-model and rebuild-model produce a model, while anomaly detection jobs of type detect and rca make use of the model of their parent job.

Sensitivity

One of the parameters contained in the model is the sensitivity parameter that was used to build the model. If a concrete input sensitivity parameter is specified, then the output sensitivity will represent this same value. If, however, only the maximum sensitivity and/or minimum sensitivity parameters are specified, TIM determines the sensitivity automatically and the result of this calculation is returned. The returned sensitivity can be found in the anomalous behavior part of the model, under detectedSensitivity, as shown below. It is always linked to a specific detection perspective.

"model": {
"anomalousBehaviorModel": {
"submodels": [
{
"perspective": "Residual",
"detectedSensitivity": 0.35
}
]
}
}

Error measures result

A performance metrics result consists of two parts: AUC and confusionMatrix. The table below shows the availability of this result based on the type of job:

Configuration fieldbuild-modelrebuild-modeldetectrca
errorMeasures

available in a given method, but only if an anomaly label is defined in the relevant job
not available in a given method

Anomaly detection jobs of type build-model, rebuild-model and detect can produce error measures, but only in case an anomaly label is available in the data and was defined in the registration body of the job (build-model) or a parent job of the job (rebuild-model and detect). An RCA job type does not serve to measure the performance.

Example of the response:

{
"AUC": 0.9948358700639194,
"confusionMatrix": {
"truePositive": 30,
"trueNegative": 30502,
"falsePositive": 12,
"falseNegative": 200
}
}

If you want to learn more about these performance metrics, see the error measures section.