Outputs
This section summarizes the mathematical outputs across all related methods of TIM Anomaly Detection with a kpi-driven approach.
CSV result (table)
There are two differently structured result tables; the one that is returned is based on the type of anomaly detection job.
build-model, rebuild-model, detect and what-if jobs
The first table below gives an overview of the output to expect of the tabular response (csv output) for anomaly detection jobs of type build-model, rebuild-model, detect and what-if:
| timestamp | model_index | kpi | normal_behavior | anomaly_code | anomalyindicator"name of Detection Perspective" |
|---|---|---|---|---|---|
| 2020-10-12T03:00:00.0 | 4 | 70115.16 | 71277.24 | 0 | 0.31 |
| 2020-10-12T04:00:00.0 | 5 | 83422.47 | 83687.43 | 0 | 0.45 |
| 2020-10-12T05:00:00.0 | 6 | 85931.01 | 92960.32 | 0 | 0.72 |
| 2020-10-12T06:00:00.0 | 7 | 91858.28 | 90857.38 | 1 | 1.23 |
| 2020-10-12T07:00:00.0 | 8 | 94156.52 | 91852.39 | 0 | 0.33 |
| 2020-10-12T08:00:00.0 | 9 | 94503.08 | 93413.58 | 0 | 0.56 |
Timestamp
The timestamp column represents the timestamp that corresponds to the given row of outputs.
Model index
The model_index column represents the index of the model that was used for the normal behavior evaluation of the KPI. The number of possible model indices depends on the configuration of the daily cycle parameter.
KPI
The kpi column shows the actual value of the selected KPI column for anomaly detection.
Normal behavior
Each row of the normal-behavior column contains a real number returned from the normal behavior model evaluation for a given data point. This number describes how the KPI is expected to behave under the circumstances given by the influencers.
Anomaly code
The anomaly_code column contains integer values from 0 to 3 indicating whether there is an anomaly in the KPI for a given timestamp. The returned value is evaluated based on all anomaly indicators (corresponding to the determined detection perspectives).
In case the anomaly indicators for all detection perspectives were calculated, the anomaly code is 1 in case at least one anomaly indicator is above 1, and 0 otherwise. In case the anomaly indicator for at least one detection perspective was not calculated, the anomaly code is 3 in case at least one of anomaly indicator is above 1, and 2 otherwise.
Anomaly indicators
For each of the included detection perspectives, a column is included for the corresponding anomaly indicator. These columns contain numbers from the interval (0, infinity) that specify the extent to which a given data point in time is anomalous. Data points with an anomaly indicator higher than 1 are considered anomalous. See the anomaly indicator section to learn more.
RCA jobs
The table presented below provides an overview of the expected output in tabular form (CSV output) for anomaly detection jobs of type RCA:
| timestamp | term_1 | term_2 | term_3 | … | term_N | yhat_1 | yhat_2 | yhat_3 | … | yhat_N | predictor_1 | predictor_2 | predictor_3 | … | predictor_N |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2014-10-25T04:00:00.0 | 2546 | 900 | 943.05 | … | 624 | 1943 | 1984 | 1987 | … | 3296 | 1443 | 1984 | 1287 | … | 1396 |
| 2014-10-26T04:00:00.0 | 2451 | 5000 | 5409.6 | … | 234 | 2195 | 2104 | 2089 | … | 3123 | 2943 | 1584 | 2987 | … | 1496 |
| 2014-10-27T04:00:00.0 | 2103 | 200 | 65363.4 | … | 123 | 2211 | 2190 | 2168 | … | 2762 | 2142 | 1984 | 2987 | … | 996 |
| 2014-10-28T04:00:00.0 | 2301 | 100 | 543.5 | … | 545 | 2189 | 2154 | 2167 | … | 4153 | 643 | 1984 | 1987 | … | 1996 |
| 2014-10-29T04:00:00.0 | 2225 | 432 | 983 | … | 321 | 2567 | 2592 | 2598 | … | 3112 | 1143 | 1484 | 1987 | … | 1996 |
| 2014-10-30T04:00:00.0 | 2155 | 4355 | 1235.6 | … | 134 | 2532 | 2490 | 2487 | … | 4123 | 4943 | 1984 | 1987 | … | 1996 |
Root cause analysis (RCA)
The root cause analysis (RCA) result provides additional information on the contributions of terms and predictors within the scope of the normal behavior model. The sum of contributions across terms is equal to the sum across predictors, although it represents a different perspective on examining these contributions. By considering both the term and predictor contributions, a more comprehensive understanding of the factors influencing the normal behavior estimation can be obtained during the root cause analysis process. See the root cause analysis section to learn more.
Model result
A model result consists of three parts: settings, normalBehaviorModel and anomalousBehaviorModel. The table below shows the availability of the model result in the anomaly detection methods:
| Configuration field | build-model | rebuild-model | detect | rca |
|---|---|---|---|---|
| model | ☑ | ☑ | ☐ | ☐ |
☑ available in a given method
☐ not available in a given method
Anomaly detection jobs of type build-model and rebuild-model produce a model, while anomaly detection jobs of type detect and rca make use of the model of their parent job.
Sensitivity
One of the parameters contained in the model is the sensitivity parameter that was used to build the model. If a concrete input sensitivity parameter is specified, then the output sensitivity will represent this same value. If, however, only the maximum sensitivity and/or minimum sensitivity parameters are specified, TIM determines the sensitivity automatically and the result of this calculation is returned. The returned sensitivity can be found in the anomalous behavior part of the model, under detectedSensitivity, as shown below. It is always linked to a specific detection perspective.
"model": {
"anomalousBehaviorModel": {
"submodels": [
{
"perspective": "Residual",
"detectedSensitivity": 0.35
}
]
}
}
Error measures result
A performance metrics result consists of two parts: AUC and confusionMatrix. The table below shows the availability of this result based on the type of job:
| Configuration field | build-model | rebuild-model | detect | rca |
|---|---|---|---|---|
| errorMeasures | ☑ | ☑ | ☑ | ☐ |
☑ available in a given method, but only if an anomaly label is defined in the relevant job
☐ not available in a given method
Anomaly detection jobs of type build-model, rebuild-model and detect can produce error measures, but only in case an anomaly label is available in the data and was defined in the registration body of the job (build-model) or a parent job of the job (rebuild-model and detect). An RCA job type does not serve to measure the performance.
Example of the response:
{
"AUC": 0.9948358700639194,
"confusionMatrix": {
"truePositive": 30,
"trueNegative": 30502,
"falsePositive": 12,
"falseNegative": 200
}
}
If you want to learn more about these performance metrics, see the error measures section.