topic Re: Anomaly Detection on a Key list of fields in Getting Data In

Anomaly Detection on a Key list of fields

koshyk — Mon, 18 Jan 2021 13:18:58 GMT

Our system currently has grown over time with 1000's of enrichments, TA and custom apps. We were planning to upgrade Splunk to another version and wanted to do as much testing automated

So i've developed plan to pump Live data pre & post change in TEST machine thus detecting the important fields, eventtypes, tags are working correctly. But this measurement is done manually

Is there an easy way or module to detect such anomalies or divergence if we give a set of "fields" it should detect for?

For example, what i'm looking for is

# set of key-fields user eventtypes tags host

I need to detect if the values of these `key-fields` have dramatically changed between two cycles (or dates), thus we can say a particular TA or upgrade caused to break those fields

Re: Anomaly Detection on a Key list of fields

ITWhisperer — Mon, 18 Jan 2021 13:38:07 GMT

Machine Learning Toolkit (MLTK) might give you what you need, although you will still have to invest some time developing and evaluating your models before they can reliably be used to detect anomalies.

Re: Anomaly Detection on a Key list of fields

koshyk — Tue, 26 Jan 2021 08:23:36 GMT

I did check in MLTK thoroughly now, but nothing inbuilt for Splunk own sourcetypes/eventtypes/fields

So it is a generic which I've to build up. hopefully will see if anyone else have built-up on such deviations for Splunk's own fields