Alerting

Anomaly or Trend detection and then trigger an alert

mkrauss1
Explorer

Assume I have daily records about an amount of keys.
What would be the search to trigger an alert condition if changes of, say, +/- 10% are seen?

Sample records; the best case would be if the alert gets triggered at 31-03-2018, the sooner the better.

14-03-2018 05:15:20 KEYS=663312
15-03-2018 05:15:17 KEYS=652278
16-03-2018 05:15:21 KEYS=665166
17-03-2018 05:15:21 KEYS=665034
18-03-2018 05:15:22 KEYS=664038
19-03-2018 05:15:21 KEYS=664266
20-03-2018 05:15:21 KEYS=663948
21-03-2018 05:15:22 KEYS=665178
22-03-2018 05:15:24 KEYS=666198
23-03-2018 05:15:24 KEYS=665106
24-03-2018 05:15:20 KEYS=663720
25-03-2018 23:15:19 KEYS=663912
26-03-2018 23:15:22 KEYS=665148
27-03-2018 23:15:22 KEYS=664476
28-03-2018 05:15:21 KEYS=663828
29-03-2018 23:15:16 KEYS=651597
30-03-2018 05:15:21 KEYS=650331
31-03-2018 05:14:16 KEYS=420530
01-04-2018 05:14:17 KEYS=419333
02-04-2018 05:14:14 KEYS=416444
03-04-2018 05:14:17 KEYS=416354
04-04-2018 05:14:12 KEYS=409496
05-04-2018 05:14:13 KEYS=409544

I tried something like

KEYS | timechart avg(KEYS) as Size | anomalydetection action=summary

The output field num_anomalies from anomalydetection would be perfect to use as an alert trigger, but the number is constant. Something is wrong here.

Any ideas please?


skoelpin
SplunkTrust
SplunkTrust

From a very basic approach, you can find the average of all numbers, then use an eval to multiply the upper and lower boundaries, then set an alert on it like this.

This will just get you started. You will also need to find the standard deviation and set your boundaries.

base search
| timechart avg(KEYS) AS Keys
| eval Upper=Keys*1.1
| eval Lower=Keys*0.9
| timechart avg(Keys) AS pred max(Upper) AS upper max(Lower) AS lower
| eval anomaly_upper=if('pred'>'upper',"Alert - High Value","")
| eval anomaly_lower=if('pred'<'lower',"Alert - Low Value","")


mkrauss1
Explorer

Thank you for this basic approach, this is what I'm looking for. However, I thought that Splunk had this kind of function already in place.


skoelpin
SplunkTrust
SplunkTrust

Not out of the box, you would either have to build it in core SPL like we did above or you would need to use the MLTK.
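As an added example (not code from this thread), here is the same percent-band check in Python, run over the tail of the sample records from the question. Unlike the SPL above, which derives the bounds from the same bucket it tests, it compares each day with the mean of the preceding seven days, so the drop on 31-03-2018 is the first day flagged; the `window`, `pct` and `min_prior` parameters are assumptions, not Splunk settings.

```python
"""Flag a daily KEYS count that drifts more than +/-10% from its trailing baseline."""
import re
from statistics import mean

# Constructed input: the tail of the daily records from the question above.
SAMPLE = """\
22-03-2018 05:15:24 KEYS=666198
23-03-2018 05:15:24 KEYS=665106
24-03-2018 05:15:20 KEYS=663720
25-03-2018 23:15:19 KEYS=663912
26-03-2018 23:15:22 KEYS=665148
27-03-2018 23:15:22 KEYS=664476
28-03-2018 05:15:21 KEYS=663828
29-03-2018 23:15:16 KEYS=651597
30-03-2018 05:15:21 KEYS=650331
31-03-2018 05:14:16 KEYS=420530
01-04-2018 05:14:17 KEYS=419333
"""

LINE_RE = re.compile(r"^(\d{2}-\d{2}-\d{4}) \S+ KEYS=(\d+)$")

def parse_records(text):
    """Return [(date, keys)] in file order; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out

def find_alerts(records, pct=10.0, window=7, min_prior=3):
    """Return (date, value, baseline, change_pct) for each day whose value
    deviates more than +/-pct from the mean of the preceding `window` days.
    The baseline excludes the current day, so a sudden drop is compared with
    the days before it rather than with a bound derived from itself."""
    alerts = []
    for i, (day, value) in enumerate(records):
        prior = [v for _, v in records[max(0, i - window):i]]
        if len(prior) < min_prior:  # too little history for a baseline
            continue
        baseline = mean(prior)
        change = (value - baseline) / baseline * 100.0
        if abs(change) > pct:
            alerts.append((day, value, round(baseline), round(change, 1)))
    return alerts

if __name__ == "__main__":
    for day, value, base, change in find_alerts(parse_records(SAMPLE)):
        print(f"{day}: KEYS={value} baseline={base} change={change:+.1f}%")
```

With the sample data the check fires on 31-03-2018 and again on 01-04-2018, while the small dips on 29-03 and 30-03 (about -2%) stay inside the band.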
