To detect anomalies, you can use a prediction and anomaly detection function to predict time series curves and identify the K-sigma and quantiles of the errors between a predicted curve and an actual curve.
 Log Service Machine Learning Introduction (01): Time Series Statistics Modeling
 Log Service Machine Learning Introduction (03): Time Series Anomaly Detection Modeling
 Log Service Machine Learning Introduction (05): Time Series Prediction
 Log Service Machine Learning Best Practices: Time Series Anomaly Detection and Alert
Functions
Function  Description
ts_predicate_simple  Uses default parameters to model time series data and performs simple time series prediction and anomaly detection.
ts_predicate_ar  Uses an autoregressive (AR) model to model time series data and performs simple time series prediction and anomaly detection.
ts_predicate_arma  Uses an autoregressive moving average (ARMA) model to model time series data and performs simple time series prediction and anomaly detection.
ts_predicate_arima  Uses an autoregressive integrated moving average (ARIMA) model to model time series data and performs simple time series prediction and anomaly detection.
ts_regression_predict  Accurately predicts the long-run trend for a single periodic time series with a certain tendency. Scenario: This function can be used to predict metering data, network traffic, financial data, and different business data that follows certain rules.
ts_anomaly_filter  Filters the anomalies detected during time series anomaly detection on multiple curves based on the custom anomaly mode. This function helps you quickly find abnormal instance curves.
ts_predicate_simple
select ts_predicate_simple(x, y, nPred, isSmooth, samplePeriod, sampleMethod)
Parameter  Description  Value 

x  The time sequence. The time points along the x axis are sorted in ascending order.  Each time point is a Unix timestamp. Unit: second. 
y  The sequence of the numeric values of the property under observation, corresponding to the specified time points.  N/A 
nPred  The number of points for prediction.  The value is of the Long type. Valid values: [1, 5 × p]. 
isSmooth  Specifies whether to filter the raw data. If you do not set this parameter, the default value true is used, indicating that the raw data will be filtered.  The value is of the Boolean type. Valid values:

samplePeriod  The period during which the current time series data is sampled.  The value is of the Long type. Valid values: [1, 86399]. 
sampleMethod  The method for sampling the data in the sampling window.  Valid values:


The statement for query and analysis is as follows:
* | select ts_predicate_simple(stamp, value, 6, 1, 'avg') from (select __time__ - __time__ % 60 as stamp, avg(v) as value from log GROUP BY stamp order by stamp)

The following figure shows the output result:
Display item  Description  

Horizontal axis  unixtime  The Unix timestamp of the data. Unit: second. 
Vertical axis  src  The raw data. 
predict  The data after filtering.  
upper  The upper limit of the prediction. By default, the confidence level is 0.85, which cannot be modified.  
lower  The lower limit of the prediction. By default, the confidence level is 0.85, which cannot be modified.  
anomaly_prob  The probability that the point is an anomaly. Valid values: [0, 1]. 
ts_predicate_ar
select ts_predicate_ar(x, y, p, nPred, isSmooth, samplePeriod, sampleMethod)
Parameter  Description  Value 

x  The time sequence. The time points along the x axis are sorted in ascending order.  Each time point is a Unix timestamp. Unit: second. 
y  The sequence of the numeric values of the property under observation, corresponding to the specified time points.  N/A 
p  The order of the AR model.  The value is of the Long type. Valid values: [2, 8]. 
nPred  The number of points for prediction.  The value is of the Long type. Valid values: [1, 5 × p]. 
isSmooth  Specifies whether to filter the raw data. If you do not set this parameter, the default value true is used, indicating that the raw data will be filtered.  The value is of the Boolean type. Valid values:

samplePeriod  The period during which the current time series data is sampled.  The value is of the Long type. Valid values: [1, 86399]. 
sampleMethod  The method for sampling the data in the sampling window.  Valid values:

* | select ts_predicate_ar(stamp, value, 3, 4, 1, 'avg') from (select __time__ - __time__ % 60 as stamp, avg(v) as value from log GROUP BY stamp order by stamp)
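The approach stated at the top of this page (predict the curve, then judge each point by the K-sigma of the prediction errors) can be reproduced outside Log Service with a small AR(p) model. The Python below is an added illustration, not Log Service's implementation or code from the original documentation; `fit_ar`, `detect`, `sample`, the `repair` option and the constructed per-minute series with one injected spike are all assumptions made for this example.

```python
import math

def solve(A, b):  # Gaussian elimination with partial pivoting
    n = len(b)
    M = [row[:] + [v] for row, v in zip(A, b)]
    for i in range(n):
        piv = max(range(i, n), key=lambda r: abs(M[r][i]))
        M[i], M[piv] = M[piv], M[i]
        for r in range(i + 1, n):
            f = M[r][i] / M[i][i]
            M[r] = [a - f * c for a, c in zip(M[r], M[i])]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x

def fit_ar(train, p):
    """Least-squares AR(p) with intercept; returns (coefficients, error sigma)."""
    X = [[1.0] + train[t - p:t][::-1] for t in range(p, len(train))]
    y, k = train[p:], p + 1
    A = [[sum(r[i] * r[j] for r in X) for j in range(k)] for i in range(k)]
    b = [sum(r[i] * v for r, v in zip(X, y)) for i in range(k)]
    coef = solve(A, b)
    err = [v - sum(c * x for c, x in zip(coef, r)) for r, v in zip(X, y)]
    return coef, math.sqrt(sum(e * e for e in err) / len(err))

def detect(train, watch, p=2, k=3.0, repair=True):
    """Return indexes in watch whose one-step prediction error exceeds k*sigma."""
    coef, sigma = fit_ar(train, p)
    hist, flagged = list(train[-p:]), []
    for i, actual in enumerate(watch):
        pred = coef[0] + sum(c * h for c, h in zip(coef[1:], hist[::-1]))
        bad = abs(actual - pred) > k * sigma
        if bad:
            flagged.append(i)
        # repair=True feeds the prediction back in place of a flagged value, so
        # one outlier does not distort the next p predictions.
        hist = hist[1:] + [pred if bad and repair else actual]
    return flagged

def sample(n):
    """Constructed series: 12-step cycle around 100 plus small bounded jitter."""
    return [100 + 20 * math.sin(2 * math.pi * t / 12) + 0.5 * ((7 * t) % 5 - 2) for t in range(n)]

DATA = sample(144)
TRAIN, WATCH = DATA[:120], DATA[120:]
WATCH[7] += 80  # constructed spike, e.g. a burst of failed logins in one minute

if __name__ == "__main__":
    print(detect(TRAIN, WATCH), detect(TRAIN, WATCH, repair=False))
```

With `repair=False` the single spike at index 7 also trips the two points after it, because the outlier stays in the lag window of the next p predictions.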
ts_predicate_arma
select ts_predicate_arma(x, y, p, q, nPred, isSmooth, samplePeriod, sampleMethod)
Parameter  Description  Value 

x  The time sequence. The time points along the x axis are sorted in ascending order.  Each time point is a Unix timestamp. Unit: second. 
y  The sequence of the numeric values of the property under observation, corresponding to the specified time points.  N/A 
p  The order of the AR model.  The value is of the Long type. Valid values: [2, 100]. 
q  The order of the ARMA model.  The value is of the Long type. Valid values: [2, 8]. 
nPred  The number of points for prediction.  The value is of the Long type. Valid values: [1, 5 × p]. 
isSmooth  Specifies whether to filter the raw data. If you do not set this parameter, the default value true is used, indicating that the raw data will be filtered.  The value is of the Boolean type. Valid values:

samplePeriod  The period during which the current time series data is sampled.  The value is of the Long type. Valid values: [1, 86399]. 
sampleMethod  The method for sampling the data in the sampling window.  Valid values:

* | select ts_predicate_arma(stamp, value, 3, 2, 4, 1, 'avg') from (select __time__ - __time__ % 60 as stamp, avg(v) as value from log GROUP BY stamp order by stamp)
ts_predicate_arima
select ts_predicate_arima(x, y, p, d, q, nPred, isSmooth, samplePeriod, sampleMethod)
Parameter  Description  Value 

x  The time sequence. The time points along the x axis are sorted in ascending order.  Each time point is a Unix timestamp. Unit: second. 
y  The sequence of the numeric values of the property under observation, corresponding to the specified time points.  N/A 
p  The order of the AR model.  The value is of the Long type. Valid values: [2, 8]. 
d  The order of the ARIMA model.  The value is of the Long type. Valid values: [1, 3]. 
q  The order of the ARMA model.  The value is of the Long type. Valid values: [2, 8]. 
nPred  The number of points for prediction.  The value is of the Long type. Valid values: [1, 5 × p]. 
isSmooth  Specifies whether to filter the raw data. If you do not set this parameter, the default value true is used, indicating that the raw data will be filtered.  The value is of the Boolean type. Valid values:

samplePeriod  The period during which the current time series data is sampled.  The value is of the Long type. Valid values: [1, 86399]. 
sampleMethod  The method for sampling the data in the sampling window.  Valid values:

* | select ts_predicate_arima(stamp, value, 3, 1, 2, 4, 1, 'avg') from (select __time__ - __time__ % 60 as stamp, avg(v) as value from log GROUP BY stamp order by stamp)
ts_regression_predict
select ts_regression_predict(x, y, nPred, algo_type, processType, samplePeriod, sampleMethod)
Parameter  Description  Value 

x  The time sequence. The time points along the x axis are sorted in ascending order.  Each time point is a Unix timestamp. Unit: second. 
y  The sequence of the numeric values of the property under observation, corresponding to the specified time points.  N/A 
nPred  The number of points for prediction.  The value is of the Long type. Valid values: [1, 500]. 
algo_type  The algorithm type for prediction.  Valid values:

processType  Specifies whether to preprocess the data. 

samplePeriod  The period during which the current time series data is sampled.  The value is of the Long type. Valid values: [1, 86399]. 
sampleMethod  The method for sampling the data in the sampling window.  Valid values:


The statement for query and analysis is as follows:
* and h : nu2h05202.nu8 and m: NET | select ts_regression_predict(stamp, value, 200, 'origin', 1, 'avg') from (select __time__ - __time__ % 60 as stamp, avg(v) as value from log GROUP BY stamp order by stamp)

The following figure shows the output result:
Display item  Description  

Horizontal axis  unixtime  The Unix timestamp of the data. Unit: second. 
Vertical axis  src  The raw data. 
predict  The predicted data. 
ts_anomaly_filter
select ts_anomaly_filter(lineName, ts, ds, preds, probs, nWatch, anomalyType)
Parameter  Description  Value 

lineName  The name of each curve. The value is of the Varchar type.  N/A 
ts  The time sequence of the curve. The value is an array of the Double type. The time points are sorted in ascending order.  N/A 
ds  The actual value sequence of the curve. The value is an array of the Double type. The actual values correspond one-to-one to the time points specified by the ts parameter.  N/A 
preds  The predicted value sequence of the curve. The value is an array of the Double type. The predicted values correspond one-to-one to the time points specified by the ts parameter.  N/A 
probs  The anomaly detection result sequence of the curve. The value is an array of the Double type. The anomaly detection results correspond one-to-one to the time points specified by the ts parameter.  N/A 
nWatch  The number of the recently observed actual values on the curve. The value is of the Long type. The value must be smaller than the number of time points on the curve.  N/A 
anomalyType  The type of anomaly to be filtered. The value is of the Long type. 


The statement for query and analysis is as follows:
* | select res.name, res.ts, res.ds, res.preds, res.probs
  from (
    select ts_anomaly_filter(name, ts, ds, preds, probs, cast(5 as bigint), cast(1 as bigint)) as res
    from (
      select name, res[1] as ts, res[2] as ds, res[3] as preds, res[4] as uppers, res[5] as lowers, res[6] as probs
      from (
        select name, array_transpose(ts_predicate_ar(stamp, value, 10)) as res
        from ( select name, stamp, value from log where name like '%asg%')
        group by name)) );

The output result is as follows:
name  ts  ds  preds  probs
asgbp1hylzdi2wx7civ0ivk  [1.5513696E9, 1.5513732E9, 1.5513768E9, 1.5513804E9]  [1,2,3,NaN]  [1,2,3,4]  [0,0,1,NaN]