topic Re: Anomaly or Trend detection and then trigger an alert in Alerting

Anomaly or Trend detection and then trigger an alert

mkrauss1 — Thu, 05 Apr 2018 21:04:50 GMT

Assume i have daily records about an amount of keys.
What would be the search to trigger an alert condition if changes are seen by say +/- 10% ?

Sample records, the best case case would be if the alert get triggered at 31-03-2018, the sooner the better.

14-03-2018 05:15:20 KEYS=663312
15-03-2018 05:15:17 KEYS=652278
16-03-2018 05:15:21 KEYS=665166
17-03-2018 05:15:21 KEYS=665034
18-03-2018 05:15:22 KEYS=664038
19-03-2018 05:15:21 KEYS=664266
20-03-2018 05:15:21 KEYS=663948
21-03-2018 05:15:22 KEYS=665178
22-03-2018 05:15:24 KEYS=666198
23-03-2018 05:15:24 KEYS=665106
24-03-2018 05:15:20 KEYS=663720
25-03-2018 23:15:19 KEYS=663912
26-03-2018 23:15:22 KEYS=665148
27-03-2018 23:15:22 KEYS=664476
28-03-2018 05:15:21 KEYS=663828
29-03-2018 23:15:16 KEYS=651597
30-03-2018 05:15:21 KEYS=650331
31-03-2018 05:14:16 KEYS=420530
01-04-2018 05:14:17 KEYS=419333
02-04-2018 05:14:14 KEYS=416444
03-04-2018 05:14:17 KEYS=416354
04-04-2018 05:14:12 KEYS=409496
05-04-2018 05:14:13 KEYS=409544

I tried something like

KEYS| timechart avg(KEYS) as Size | anomalydetection action=summary

The outup field num_anomalies from anomalydetection would be perfect to use as an alert trigger but the number is constant. Something is wrong here.

Any ideas please?

Re: Anomaly or Trend detection and then trigger an alert

skoelpin — Fri, 06 Apr 2018 00:20:25 GMT

From a very basic approach, you can find the average of all numbers then use an eval to multiply the upper and lower boundries then set an alert on it like this

This will just get you started. You will also need to find the standard deviation and set your boundries

base search 
| timechart avg(KEYS) AS Keys
| eval Upper=Keys*1.1
| eval Lower=Keys*0.9
|  timechart avg(Keys) AS pred max(upper) AS upper max(lower) AS lower
|  eval anomoaly_upper=if('pred'>'upper',"Alert - High Value","")
|  eval anomoaly_lower=if('pred'<'lower',"Alert - Low Value","")

Re: Anomaly or Trend detection and then trigger an alert

mkrauss1 — Fri, 06 Apr 2018 07:50:27 GMT

Thank you for this basic approach, this is what i'm looking for. However, i thought that Splunk has this kind
of functions already in place.

Re: Anomaly or Trend detection and then trigger an alert

skoelpin — Fri, 06 Apr 2018 14:00:34 GMT

Not out of the box, you would either have to build it in core SPL like we did above or you would need to use the MLTK.