Selecting the Population job wizard will enable us to compare entities against each other. This can be especially useful if we expect most entities to behave similarly, and we want to find cases of outlier behavior. It is also handy when it is impractical to individually model every entity over all time, because either the entity's behavior is sparse (comes and goes) or the total number of entities is so large that modeling them individually is impractical given a finite amount of compute space.

As such, we could imagine a use case in which we want to find processes that use more CPU than the typical process on our system. To create this job, choose the Population job wizard and select something as shown in the following screenshot:

Here, we have specified that tsystem.process.name is the field that defines the population; all processes running on the system will be pitted against each other for their behavior—specifically, in terms of the amount of CPU utilized (here, we select the High mean of the system.process.cpu.total.pct field. Notice that tbeat.hostname was also chosen as a candidate influencer. We will see how that worked out in the results.

Running this job gives the following example results:

We can see that the process stress was found to be hogging the CPU unusually (at 11 times higher than the typical process). Additionally, we are shown that the poipu hostname was influential to this anomaly. In other words, this is the machine name running the process called stress—pretty handy that it was found despite not being part of the actual anomaly detection itself!

If we click on the square in the heat map associated with our anomalous process, we can see the details:

Notice that this visualization is slightly different than seen for multi-metric jobs. It shows the samples of the entity in the context of a sample of the behavior of other entities so that we can more intuitively judge the reason why an entity was unusual compared to its peers.