Copyright © 2016 Splunk Inc.
Andre Pietsch Product Manager Splunk, OTTO Hamburg Germany
Stefan Scholz Sr Consultant, LC Systems Munich Germany
Anomaly Detection On Business Items With Machine Learning Algorithms

Disclaimer
During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Agenda
– About Otto IT
– About LC Systems
– Initial Situation
– Next Generation Of Data Analytics
– Results

About OTTO

History
Werner Otto
Founder of the company in 1949
CEO until 1981
Dr. Michael Otto
Chairman & CEO of Otto group until 2007
Chairman of Otto group supervisory board until today

Selection Of Catalogs
[Figure: catalogs from the years 1950, 1957, 1964, 1970, 1986, 1987, 1991, 1993, 1994, 1995, 1995, 2004, 2005, 2006, 2009 and 2010]

OTTO – Subsidiary Of The Otto Group
– Employees: 4,350
– Revenue 2.6 Billion € (2015/2016)
– 90% Online
– > 2.2 Million items
– 6,000 Brands
Headquarters: OTTO-Campus in Hamburg, Germany

OTTO – Subsidiary Of The Otto Group
– #1 Furniture online Germany (before IKEA)
– #2 Germany (after Amazon)
– > 678,000 Facebook fans (03/2016)
– > 28,000 Twitter followers
– 90,000 Service requests via Facebook and Twitter (2015/2016)

Otto Group - International Success
Otto group is a globally active retail and retail-related services group with 123 major companies in more than 30 countries.
49,597 Employees (2015/2016)
Revenue 12,5 Billion EUR (2015/12

Otto Group - Main Business Segments
– Multichannel Retail: E-Commerce, Catalogs and Over-The-Counter Retail.
– Financial Services: Receivables, Payment Services, Information and Liquidity Management.
– Services: Procurement, Quality Control, Transportation and Warehousing, Delivery to Private and Business Customers.

About LC Systems

Locations
Headquarter: LC Systems-Engineering AG, Postfach 40, Seestrasse 24, CH-9326 Horn
Office Basel: Reinacherstrasse 129, CH-4053 Basel
Office Berne: Schwarztorstr. 9, CH-3007 Berne
Office Germany: LC Systems GmbH, Landsberger Straße 302, D-80687 Munich
www.lcsystems.ch www.lcsystems.de

Together On The Road To Success (Not Conclusive)
Pharma Finance Automotive Industry
Internet Provider
Research and Development
Service Provider Trading

Data Analytics
Using And Evaluating Data In The Best Possible Way
Services
– Consulting
– Workshops
– Use cases
– Proof of Concept
– Project definition
– Methodically structured implementation
– Operation
– Managed services
– Training

Initial Situation

The Backend – Historically Grown

The Backend – Some Order Into Chaos
13 Billion events in 36 days
63 Systems per environment
4-5 Environments at the same time
200 User interfaces
1500 Interfaces

How Can I Get An Alert?
Start with:
- Unqualified event counts
| tstats prestats=t span=1h count where index="_*" OR index="*" by _time | timechart span=1h count
Qualify them to:
- Transactions from payment provider
- Webshop requests
- Social media contacts

How Can I Get An Alert?
| tstats prestats=t span=1h count where index="_*" OR index="*" by _time | timechart span=1h count | eval threshold=20000000
Method of „fierce inspection“
- Needs a lot of human resources

And What About All The Other Peaks?
Peaking and plunging affects your business
- Transactions from payment provider
- Webshop requests
- Social media contacts
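
The limitation of the fixed line at 20,000,000, as an added example that is not part of the original deck: a static threshold only sees peaks above it, while a per-hour-of-day baseline also flags plunges and off-peak spikes. It is written in Python rather than SPL so it runs offline; the hourly counts, the three injected incidents, the 21-day training window and k=3 are constructed assumptions.

```python
import math
import statistics
from collections import defaultdict

STATIC_THRESHOLD = 20_000_000    # value from the slide's `eval threshold=20000000`
TRAIN_DAYS, TOTAL_DAYS = 21, 28  # assumption: 3 weeks of baseline, 1 week scored

# Constructed incidents in the scored week: {hour index: event count}
INJECTED = {
    22 * 24 + 12: 5_000_000,   # midday plunge, stays inside the normal daily range
    24 * 24 + 0: 12_000_000,   # midnight peak, still far below the static line
    26 * 24 + 12: 25_000_000,  # midday peak above the static line
}

def build_series():
    """Constructed hourly counts: daily cycle of 4M..16M with a +/-3% wobble."""
    series = []
    for idx in range(TOTAL_DAYS * 24):
        day, hour = divmod(idx, 24)
        cycle = 10_000_000 + 6_000_000 * math.sin((hour - 6) / 24 * 2 * math.pi)
        wobble = 1 + 0.03 * math.sin(1.7 * day + hour)
        series.append((idx, hour, INJECTED.get(idx, int(cycle * wobble))))
    return series

def static_alerts(series, threshold=STATIC_THRESHOLD):
    """The slide's approach: one fixed line over every hour."""
    return {idx for idx, _, count in series if count > threshold}

def baseline_alerts(series, k=3.0):
    """Learn mean/stdev per hour of day from the training days, then flag
    scored hours that deviate more than k standard deviations either way."""
    history = defaultdict(list)
    for idx, hour, count in series:
        if idx < TRAIN_DAYS * 24:
            history[hour].append(count)
    profile = {h: (statistics.mean(v), statistics.stdev(v)) for h, v in history.items()}
    alerts = set()
    for idx, hour, count in series:
        if idx >= TRAIN_DAYS * 24:
            mean, sd = profile[hour]
            if abs(count - mean) > k * sd:
                alerts.add(idx)
    return alerts

if __name__ == "__main__":
    data = build_series()
    print("static  :", sorted(static_alerts(data)))
    print("baseline:", sorted(baseline_alerts(data)))
```

The static line reports only the 25M peak; the baseline reports all three injected hours and none of the ordinary ones.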

Next Generation Of Data Analytics

Data Science – The Science
"..., [we are] left with only one option, [we] gonna have to science the shit out of this." (Marc Watney, SOL 71)
…
Categorial
Already available in Splunk or Machine Learning Toolkit

Data Science – The Science
For beginners:
- Transform to categorial
- Use statistic functions of Splunk
ML Toolkit used for thesis:
- Known algorithms
- Great variety of algorithms
Train only with a sample (70%):
- Overfitting is a risk
- Model could get too accustomed to data

Data Science – The Science
[Figure: two result panels, "Prediction accuracy (on trained data)" and "Prediction accuracy (on test data)", with the labels "Classification Error" and "Logistic"]
Evaluate the results to rank the algorithms:
| `confusionmatrix("behavior","predicted(behavior)")`
Documentation of ML Toolkit: http://docs.splunk.com/Documentation/MLApp/latest/User/
Especially the commands:
| sample rate=0.7
| fit "MyModel" …
| apply "MyModel" …
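
Why the algorithms are scored on trained data and on test data, as an added example that is not part of the original deck: a model that has become "too accustomed" to its training rows looks perfect there and misses every held-out anomaly, which only the test confusion matrix reveals. It is written in Python rather than SPL; the rows, the deterministic 7-of-10 split and the two toy models (`fit_rote`, `fit_hourly_ratio`) are constructed assumptions, not ML Toolkit algorithms.

```python
import statistics
from collections import Counter, defaultdict

def build_rows(n=200):
    """Constructed labelled hours: (hour, count, behavior). Every 7th row is an
    injected anomaly at three times the usual volume for that hour."""
    rows = []
    for i in range(n):
        hour = i % 24
        count = 1000 + 50 * hour + (i * 37) % 41
        rows.append((hour, count * 3, "Anomaly") if i % 7 == 3 else (hour, count, "Normal"))
    return rows

def split(rows):
    """Deterministic stand-in for a 70% sample: 7 of every 10 rows go to training."""
    train = [r for i, r in enumerate(rows) if i % 10 < 7]
    test = [r for i, r in enumerate(rows) if i % 10 >= 7]
    return train, test

def fit_rote(train):
    """Overfitted model: memorises each exact (hour, count) it was shown."""
    seen = {(h, c): b for h, c, b in train}
    return lambda h, c: seen.get((h, c), "Normal")

def fit_hourly_ratio(train, factor=2):
    """Generalising model: anomaly if count exceeds factor x the hour's median."""
    by_hour = defaultdict(list)
    for h, c, _ in train:
        by_hour[h].append(c)
    median = {h: statistics.median_low(v) for h, v in by_hour.items()}
    return lambda h, c: "Anomaly" if c > factor * median[h] else "Normal"

def confusion_matrix(model, rows):
    """Counts keyed by (behavior, predicted behavior)."""
    return Counter((b, model(h, c)) for h, c, b in rows)

def accuracy(matrix):
    """Share of rows on the diagonal of the confusion matrix."""
    hits = sum(n for (actual, pred), n in matrix.items() if actual == pred)
    return hits / sum(matrix.values())

def evaluate():
    """Fit both models on the training rows and score each on both partitions."""
    train, test = split(build_rows())
    models = {"rote": fit_rote(train), "hourly_ratio": fit_hourly_ratio(train)}
    return {name: {"train": confusion_matrix(m, train), "test": confusion_matrix(m, test)}
            for name, m in models.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        for part, matrix in result.items():
            print(f"{name:13s}{part:6s} accuracy={accuracy(matrix):.2f} {dict(matrix)}")
```

On the training rows both models score 1.00, so they cannot be ranked there. On the test rows the rote model still reports 0.85 accuracy while its matrix shows every anomaly predicted as normal.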

Data Science – The Science
Visualize the predictions to understand found anomalies.
| eval predictedAnomaly=if('predicted(behavior)'=="Anomaly", count, null()) | table _time, count, predictedAnomaly

Data Science – The Process
– Ask an interesting question: What is the scientific goal? What would you do if you had all data? What do you want to predict or estimate?
– GET the data: How was the data sampled? Which data is relevant? Are there privacy issues?
– EXPLORE the data: Plot the data. Are there anomalies? Are there patterns?
– MODEL the data: Build a model. Fit the model. Validate the model.
– Communicate and visualize the results: What did we learn? Do the results make sense? Can we tell a story?

The Data Science Process
Translated to Splunk Technology
• What type of information is available?
• Use Case
• Business Case
• Predict or estimate
• How to present the data?

The Data Science Process
Translated to Splunk Technology
• Location of the data
  – Log Files –> Universal Forwarder
  – Databases –> DB Connect
  – Applications –> http Collector, REST
  – Other sources –> REST, HEC, SYSLOG…
• Verify the data
  – Field-Extractions
  – CIM compliance
• Permissions
  – Users / Roles
  – Indexes

The Data Science Process
Translated to Splunk Technology
• Plot the data
  – Identify patterns with the patterns tab
  – Searching for anomalies
    - correlate
    - associate
    - analyzefields
    - cluster / kmeans
    - anomalies
    - anomalousvalue

The Data Science Process
Translated to Splunk Technology
• Splunk certified App
  – Machine Learning Toolkit and Showcase
    - need Splunk 6.4
    - need Python for Scientific Computing
  – Splunk IT Service Intelligence
• 3rd party vendors
  – Prelert Anomaly Detective® App for Splunk®

The Data Science Process
Communicate and visualize
• Use Splunk Apps Visualization
• Create your own Views and Dashboards
• Talk to the requester
• Verify outcome
• Deploy to production
• Estimate the knowledge
• If needed restart the loop and include the new findings

Results

Data Science – The Process
Technologies that have been analyzed
• Prelert Anomaly Detective® App for Splunk®
• Machine Learning Toolkit and Showcase
  – need Splunk 6.4
  – need Python for Scientific Computing
• Splunk IT Service Intelligence

Main Findings Of The Collaboration

Companies have a huge interest in identifying anomalies, but most of them are still in the process of understanding and preparing their data.
C. Günther (LC Systems)

A simple approach to anomaly detection is to use the static methods integrated in splunk>. If you want to use ML algorithms for that, the ML Toolkit or the Anomaly Detective App (Prelert) is recommended.
P. Drieger (Splunk)

You need a baseline to use your data for anomaly detection, because you have to define what's "normal".
M. Borner (LC Systems)

Thanks To

What Now?
Related breakout sessions and activities…
Splunk for Donuts – Intermediate – Thursday|2:35PM
Solve Big Problems with ML – Advanced – Thursday|1:30PM
Predicting Incidents with ML – Advanced – Thursday|2:35PM
Splunk UBA – A Data Scientist in a Box – Beginner – Tuesday
A (VERY) Brief Introduction to ML – Beginner – Wednesday
Demystifying ML and Anomaly Det. – Intermediate – Wednesday

THANK YOU

Backup

Architecture