All Apps and Add-ons

TrackMe - Data source monitoring - Outliers not compatible with event count in index

SaraO
Engager

Hello,

Last week I started with TrackMe App and so far I'm really impressed with all prebuild functionality.

In the last days I was going through configurations step by step and applied them on data. Today I found some alerts due to outliers in sourcetypes, my problem is that in some cases I don't understand, why the eventcount in the outlierdetection got that high, because searching for index data in that time range is telling me everything is normal and the count is not that high as "detected".

 

Below is the detected outlier with a count of 22:

SaraO_0-1615547598188.png

But indexed data is still at an eventcount of 1:

SaraO_3-1615549046455.png

Where is the count of 22 coming from?

How to investigate on this, is there something that I maybe configured the wrong way?

 

 

Many thanks and happy splunking,

Sara 

Labels (2)
0 Karma
1 Solution

guilmxm
SplunkTrust
SplunkTrust

@SaraO 

This use case is totally relevant and addressed in TrackMe, in different ways.

- Has data stopped being indexed for a source?

--> This is the purpose of one the main KPIs, called event lagging in TrackMe, basically the difference between now (when the tracker runs) and the latest event in the scope of the data source (from the _time point of view)

- Unsual volume?

--> Is the scope of outliers too, so no pb with that.

I was essentially saying this source wasn't a great candidate because of the very few events, but still that remains valid

View solution in original post

guilmxm
SplunkTrust
SplunkTrust

Hi @SaraO 

Thank you 😉 Glad you like the richness of TrackMe!

Document reference:
https://trackme.readthedocs.io/en/latest/userguide.html#outliers-detection-and-behaviour-analytic

To answer:

- The outliers eventcount is a per 4 hour count, so it will not exactly match what you would see in Splunk unless you reproduce the way it the outlier calculation works
- Not very sure where the 22 came from based on your screenshots, because of the time rounding you should look a bit more than the last 24 hours to check
- This data source is unlikely to be a great candidate for outliers detections, the features is very much designed for continous and real time data flow more than this very specific use case that is going to very sporidically generate a single event per server, not saying you cannot get value from the outliers this case, you can, but it's certainly not the most valuable case
- Not that the outliers detection workflow in TrackMe does not alert for the upper outliers by default, only the lower bound threshold by default, upper threshold is something you enabled on a per entity basis if you wish to do so

Let me know if anymore questions 😉

Guilhem





SaraO
Engager

Hi @guilmxm ,

Thank you for your response 🙂

Do you maybe have a recommendation how to configure outliers detection for data sources giving data every 12/24 hours?

I would like to monitor upon all data sources unusual volume behavior; either data is not coming anymore for a source or data is coming way much more than usually  (due to some changes, unexpected activity, ...)

Regards

Sara

0 Karma

guilmxm
SplunkTrust
SplunkTrust

@SaraO 

This use case is totally relevant and addressed in TrackMe, in different ways.

- Has data stopped being indexed for a source?

--> This is the purpose of one the main KPIs, called event lagging in TrackMe, basically the difference between now (when the tracker runs) and the latest event in the scope of the data source (from the _time point of view)

- Unsual volume?

--> Is the scope of outliers too, so no pb with that.

I was essentially saying this source wasn't a great candidate because of the very few events, but still that remains valid

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...