TrackMe - Data source monitoring - Outliers not compatible with event count in index

SaraO
Engager

Hello,

Last week I started with the TrackMe App and so far I'm really impressed with all the prebuilt functionality.

In the last few days I went through the configuration step by step and applied it to my data. Today I found some alerts due to outliers in sourcetypes. My problem is that in some cases I don't understand why the event count in the outlier detection got that high, because searching the index data in that time range tells me everything is normal and the count is not as high as "detected".

Below is the detected outlier with a count of 22:

SaraO_0-1615547598188.png

But indexed data is still at an eventcount of 1:

SaraO_3-1615549046455.png

Where is the count of 22 coming from?

How to investigate on this, is there something that I maybe configured the wrong way?

Many thanks and happy splunking,

Sara 


guilmxm
Influencer

Hi @SaraO 

Thank you 😉 Glad you like the richness of TrackMe!

Document reference:
https://trackme.readthedocs.io/en/latest/userguide.html#outliers-detection-and-behaviour-analytic

To answer:

- The outliers eventcount is a per-4-hour count, so it will not exactly match what you would see in Splunk unless you reproduce the way the outlier calculation works
- Not very sure where the 22 came from based on your screenshots; because of the time rounding you should look at a bit more than the last 24 hours to check
- This data source is unlikely to be a great candidate for outliers detection, the feature is very much designed for continuous and real-time data flows more than this very specific use case that is going to very sporadically generate a single event per server, not saying you cannot get value from the outliers in this case, you can, but it's certainly not the most valuable case
- Note that the outliers detection workflow in TrackMe does not alert for the upper outliers by default, only the lower bound threshold by default; the upper threshold is something you enable on a per-entity basis if you wish to do so

Let me know if anymore questions 😉

Guilhem

SaraO
Engager

Hi @guilmxm ,

Thank you for your response 🙂

Do you maybe have a recommendation how to configure outliers detection for data sources giving data every 12/24 hours?

I would like to monitor all data sources for unusual volume behaviour: either data is not coming anymore for a source, or data is coming in much more than usual (due to some changes, unexpected activity, ...)

Regards

Sara


guilmxm
Influencer

@SaraO 

This use case is totally relevant and addressed in TrackMe, in different ways.

- Has data stopped being indexed for a source?

--> This is the purpose of one of the main KPIs, called event lagging in TrackMe, basically the difference between now (when the tracker runs) and the latest event in the scope of the data source (from the _time point of view)

- Unusual volume?

--> This is in the scope of outliers too, so no problem with that.

I was essentially saying this source wasn't a great candidate because of the very few events, but still that remains valid
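To make the two checks from this thread concrete, below are two illustrative SPL searches. They are added here as an example and are not TrackMe's own tracker searches (those are not reproduced in this thread; see the documentation link above). The index and sourcetype values are placeholders to replace with your own, and the time ranges are arbitrary choices. The first search reproduces a per-4-hour event count over the last 48 hours, bucketed on 4-hour boundaries, which is the kind of count that should be compared with the outlier "eventcount" rather than a raw count over an ad-hoc range; the second computes the event lag KPI as described, the difference between now and the latest _time seen for the data source.

```spl
index=myindex sourcetype=mysourcetype earliest=-48h@h latest=now
| bucket _time span=4h
| stats count AS eventcount BY _time
| sort 0 _time

index=myindex sourcetype=mysourcetype earliest=-7d latest=now
| stats max(_time) AS latest_time
| eval now_time=now(), lag_sec=now_time-latest_time
| eval lag_human=tostring(lag_sec, "duration")
| fieldformat latest_time=strftime(latest_time, "%Y-%m-%d %H:%M:%S")
| fieldformat now_time=strftime(now_time, "%Y-%m-%d %H:%M:%S")
```

Two caveats when reading the results: the most recent 4-hour bucket is still open, so its count is partial and will keep growing until the bucket closes, and the bucket boundaries are Splunk's, which will not line up with an arbitrary "last 24 hours" picker range; that is why a count such as 22 can appear in a bucket while a narrower ad-hoc search shows far fewer events. For a source that only emits once every 12 or 24 hours, the lag search is the more meaningful of the two, since most 4-hour buckets will legitimately be empty.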
