In a previous blog, I showed how easy it is to analyze multiple metrics simultaneously by adding multiple "detectors" to your job configuration definition for the Anomaly Detective Engine API. Now, let's take it a step further by expanding analysis across instances of things by using "byFieldName" and "partitionFieldName."
The concepts of the "by field" and "partition field" were originally developed for the Anomaly Detective Splunk app. In Splunk, there is a notion of a "group by clause" where one can get separate instances of things simply by naming them in the by-clause, and partition fields are specified using the "partitionfield=<fieldname>" option to the prelertautodetect command. In the Engine API, you can leverage the same capabilities using "byFieldName" and "partitionFieldName." I'll elaborate on the difference between these in a future post, but for now let's just jump to a simple example.
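As an added illustration (not code from the original post or from Prelert), here is a small Python script that assembles a job configuration with detectors that use "byFieldName" and "partitionFieldName", and then simulates over a few constructed records what such a split means: one metric series per distinct field value, per bucket. The JSON key names (analysisConfig, bucketSpan, detectors, function, fieldName, byFieldName, partitionFieldName, dataDescription) are assumed to follow the Engine API convention; verify them against the API reference before submitting a job. The post defers the precise difference between a by field and a partition field, so the simulation treats both simply as keys that split the data.

```python
"""Added example: build an Engine API job config with by/partition fields
and show how a detector splits data into per-instance series.
Key names are assumptions about the Engine API JSON, not copied from docs.
"""
import json
from collections import defaultdict

# Constructed sample input: one record per web request, time in epoch seconds.
SAMPLE_RECORDS = [
    {"time": 0,    "host": "web-1", "status": "200", "bytes": 512},
    {"time": 10,   "host": "web-1", "status": "404", "bytes": 128},
    {"time": 20,   "host": "web-2", "status": "200", "bytes": 2048},
    {"time": 3600, "host": "web-1", "status": "200", "bytes": 600},
    {"time": 3610, "host": "web-2", "status": "500", "bytes": 64},
    {"time": 3620, "host": "web-2", "status": "200", "bytes": 1024},
]


def detector(function, field_name=None, by_field=None, partition_field=None):
    """Return one detector definition; optional keys are only emitted when set."""
    d = {"function": function}
    if field_name:
        d["fieldName"] = field_name
    if by_field:
        d["byFieldName"] = by_field
    if partition_field:
        d["partitionFieldName"] = partition_field
    return d


def build_job_config(bucket_span, detectors, time_field="time"):
    """Assemble a job configuration dict (key names assumed, see module docstring)."""
    return {
        "analysisConfig": {"bucketSpan": bucket_span, "detectors": list(detectors)},
        "dataDescription": {"format": "JSON", "timeField": time_field, "timeFormat": "epoch"},
    }


def bucketed_series(records, bucket_span, det):
    """Simulate how a detector partitions records into per-instance series.

    Returns {(partition_value, by_value, bucket_start): metric_value}.
    Only "count" and "sum" are modelled here; a real job supports more.
    """
    func = det["function"]
    field = det.get("fieldName")
    by = det.get("byFieldName")
    part = det.get("partitionFieldName")
    series = defaultdict(float)
    for r in records:
        bucket = (int(r["time"]) // bucket_span) * bucket_span
        key = (r.get(part) if part else None, r.get(by) if by else None, bucket)
        if func == "count":
            series[key] += 1
        elif func == "sum":
            series[key] += float(r[field])
        else:
            raise ValueError(f"unsupported function in this example: {func}")
    return dict(series)


if __name__ == "__main__":
    dets = [
        detector("count", by_field="host"),
        detector("sum", "bytes", by_field="status", partition_field="host"),
    ]
    print(json.dumps(build_job_config(3600, dets), indent=2))
    for d in dets:
        for key, value in sorted(bucketed_series(SAMPLE_RECORDS, 3600, d).items(), key=str):
            print(d["function"], key, value)
```

Running the script prints the assembled configuration and then one line per (partition, by value, bucket) series, which makes it visible that a single "count" detector with byFieldName "host" yields one series per host rather than one global count.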