Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Anomaly or Trend detection and then trigger an alert

mkrauss1
Explorer
‎04-05-2018 02:04 PM

Assume i have daily records about an amount of keys.
What would be the search to trigger an alert condition if changes are seen by say +/- 10% ?

Sample records, the best case case would be if the alert get triggered at 31-03-2018, the sooner the better.

14-03-2018 05:15:20 KEYS=663312
15-03-2018 05:15:17 KEYS=652278
16-03-2018 05:15:21 KEYS=665166
17-03-2018 05:15:21 KEYS=665034
18-03-2018 05:15:22 KEYS=664038
19-03-2018 05:15:21 KEYS=664266
20-03-2018 05:15:21 KEYS=663948
21-03-2018 05:15:22 KEYS=665178
22-03-2018 05:15:24 KEYS=666198
23-03-2018 05:15:24 KEYS=665106
24-03-2018 05:15:20 KEYS=663720
25-03-2018 23:15:19 KEYS=663912
26-03-2018 23:15:22 KEYS=665148
27-03-2018 23:15:22 KEYS=664476
28-03-2018 05:15:21 KEYS=663828
29-03-2018 23:15:16 KEYS=651597
30-03-2018 05:15:21 KEYS=650331
31-03-2018 05:14:16 KEYS=420530
01-04-2018 05:14:17 KEYS=419333
02-04-2018 05:14:14 KEYS=416444
03-04-2018 05:14:17 KEYS=416354
04-04-2018 05:14:12 KEYS=409496
05-04-2018 05:14:13 KEYS=409544

I tried something like

  • KEYS| timechart avg(KEYS) as Size | anomalydetection action=summary

The outup field num_anomalies from anomalydetection would be perfect to use as an alert trigger but the number is constant. Something is wrong here.

Any ideas please?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎04-05-2018 05:20 PM

From a very basic approach, you can find the average of all numbers then use an eval to multiply the upper and lower boundries then set an alert on it like this

This will just get you started. You will also need to find the standard deviation and set your boundries

base search 
| timechart avg(KEYS) AS Keys
| eval Upper=Keys*1.1
| eval Lower=Keys*0.9
|  timechart avg(Keys) AS pred max(upper) AS upper max(lower) AS lower
|  eval anomoaly_upper=if('pred'>'upper',"Alert - High Value","")
|  eval anomoaly_lower=if('pred'<'lower',"Alert - Low Value","")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎04-05-2018 05:20 PM

From a very basic approach, you can find the average of all numbers then use an eval to multiply the upper and lower boundries then set an alert on it like this

This will just get you started. You will also need to find the standard deviation and set your boundries

base search 
| timechart avg(KEYS) AS Keys
| eval Upper=Keys*1.1
| eval Lower=Keys*0.9
|  timechart avg(Keys) AS pred max(upper) AS upper max(lower) AS lower
|  eval anomoaly_upper=if('pred'>'upper',"Alert - High Value","")
|  eval anomoaly_lower=if('pred'<'lower',"Alert - Low Value","")
0 Karma
Reply
Solved! Jump to solution

mkrauss1
Explorer
‎04-06-2018 12:50 AM

Thank you for this basic approach, this is what i'm looking for. However, i thought that Splunk has this kind
of functions already in place.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎04-06-2018 07:00 AM

Not out of the box, you would either have to build it in core SPL like we did above or you would need to use the MLTK.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...