Optimizing the patterning is critical for anomaly detection to work properly: if log lines that differ only in a variable token (a timestamp, a session id, a counter) end up as separate patterns, the baseline is fragmented and genuine outliers are harder to spot.
For each of your main Source Types, check the clustering:
Under "Settings" >> "Add and Manage Data" >> "Source Types":
- Select the "Clusters" option from the right-hand menu.
- Review the summary line at the bottom of the screen (scroll down if needed) and make sure there are no errors.
- Click the "i" next to "Patterns" to see all the patterns generated from the sample. Make sure there are no redundant patterns (several patterns that describe the same event and differ only in a variable token); create additional regular expressions to mask those tokens.
- A good cluster ratio should be at least 85% (the example above shows 32%, which is very problematic).
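To make the "redundant patterns" symptom and its regex fix concrete, here is an added illustration that is not part of the original page and does not use the product's own clustering engine. It masks variable tokens in a handful of constructed log lines with regular expressions, groups the masked lines into patterns, and reports a cluster ratio. The metric definition (share of sample lines that fall into a cluster with at least two members) is an assumption for this example; the product's exact formula is not stated on the page.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the page). Session ids,
# request ids and durations vary per line, so without masking each of
# those lines becomes its own one-off pattern.
SAMPLE_LOGS = [
    "2024-05-01 10:00:01 INFO user=alice login ok session=8f3a1c",
    "2024-05-01 10:00:05 INFO user=bob login ok session=77c0de",
    "2024-05-01 10:00:09 INFO user=carol login ok session=a91e22",
    "2024-05-01 10:01:00 WARN user=dave login failed reason=bad_password",
    "2024-05-01 10:01:03 WARN user=erin login failed reason=bad_password",
    "2024-05-01 10:02:10 INFO request id=4412 served in 31ms",
    "2024-05-01 10:02:11 INFO request id=4413 served in 27ms",
    "2024-05-01 10:02:12 INFO request id=4414 served in 102ms",
    "2024-05-01 10:03:00 ERROR disk /dev/sda1 at 97% capacity",
]

# Masking rules: each regex replaces a variable token with a placeholder.
# BASE_RULES is the "before" state (timestamp and user name only).
BASE_RULES = [
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "<TS>"),
    (re.compile(r"user=\w+"), "user=<USER>"),
]

# EXTRA_RULES are the additional regular expressions an analyst would add
# after seeing the redundant patterns produced by BASE_RULES alone.
EXTRA_RULES = [
    (re.compile(r"session=[0-9a-f]+"), "session=<SID>"),
    (re.compile(r"id=\d+"), "id=<ID>"),
    (re.compile(r"\b\d+ms\b"), "<DUR>"),
]


def to_pattern(line, rules):
    """Apply every masking rule in order and return the resulting pattern."""
    for regex, placeholder in rules:
        line = regex.sub(placeholder, line)
    return line


def cluster(lines, rules):
    """Map each pattern to the number of lines that collapsed into it."""
    return Counter(to_pattern(line, rules) for line in lines)


def cluster_ratio(lines, rules):
    """Assumed metric: fraction of lines in a cluster with >= 2 members."""
    counts = cluster(lines, rules)
    clustered = sum(n for n in counts.values() if n >= 2)
    return clustered / len(lines)


def redundant_patterns(lines, rules):
    """Singleton patterns: the candidates to review for a missing regex.

    A singleton that is a genuinely rare event (the disk-capacity line)
    should stay; singletons that differ only by an id are redundant.
    """
    return [pattern for pattern, n in cluster(lines, rules).items() if n == 1]


if __name__ == "__main__":
    for label, rules in (("base rules", BASE_RULES),
                         ("base + extra rules", BASE_RULES + EXTRA_RULES)):
        ratio = cluster_ratio(SAMPLE_LOGS, rules)
        verdict = "ok" if ratio >= 0.85 else "needs more regexes"
        print(f"{label}: cluster ratio {ratio:.0%} ({verdict})")
        for pattern in redundant_patterns(SAMPLE_LOGS, rules):
            print("  singleton:", pattern)
```

With only the base rules, seven of the nine lines are singletons and the ratio is about 22%, the same kind of fragmented result the page warns about. Adding the three extra regexes collapses the login and request lines into two clusters each, the ratio rises to about 89% (above the 85% guideline), and the one remaining singleton is the disk-capacity error, which is exactly the sort of rare event an anomaly detector should keep distinct.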