Observability: Splunk IT Service Intelligence (ITSI)

Community Office Hours

Published on 05-15-2025 07:05 AM by Splunk Employee | Updated on 03-23-2026 12:52 PM

Watch On-Demand

This thread is for the Community Office Hours session on Splunk IT Service Intelligence (ITSI) on Tuesday, July 15, 2025 at 1pm PT / 4pm ET.

Ask the experts at Community Office Hours! An ongoing series where technical Splunk experts answer questions and provide how-to guidance on various Splunk product and use case topics.

What can I ask in this AMA?

- How can I use ITSI to analyze IT service health?
- What are some tips to reduce alert noise?
- How can I isolate and prioritize actionable events?
- What kinds of Executive Dashboards can I build to visualize the health of the business?
- Anything else you’d like to learn!

We look forward to seeing you there!

Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (request access here)

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

Look forward to connecting!

ArifV
Splunk Employee

You can view the On-Demand recording at the link above and slide deck here, but here is a sampling of questions covered in the event.

Q1: Can you help me understand the two different types of anomaly detection in ITSI? 

A: Anomaly Detection within Splunk ITSI uses machine learning to detect trend & event level anomalies, and alert teams. ITSI analyzes when data deviates from expected patterns, thresholds, and historical behavior to provide insights into detected patterns & uncover new patterns across multiple events that could indicate a potential issue.

    • Entity cohesion anomaly detection analyzes asset data in a peer group, and identifies when some deviate from their common behavior
    • Trending anomaly detection analyzes patterns in events for both sudden changes, and long-trending historical anomalies

Q2: What is adaptive thresholding and why is it important?

A: In Splunk ITSI, adaptive thresholding is a feature that uses machine learning to dynamically adjust alert thresholds based on historical data patterns, rather than relying on static, unchanging values. This allows for more accurate anomaly detection in environments where data behavior fluctuates over time. By analyzing trends and normal variations, adaptive thresholds reduce false positives and missed alerts, ensuring that operational teams are notified of genuine issues even as the baseline behavior changes.

    • Reduced false positives
    • Improved anomaly detection 
    • More accurate alerting
    • Time-saving

Q3: How do I configure and enable the Notable Event Aggregation Policy (NEAP)?

A: What is a NEAP? 

  • Notable event aggregation policy is the fundamental unit of event grouping in ITSI. NEAPs are the data structure the Rules Engine uses to group notable events into deduplicated episodes and organize them in Episode Review. 
  • These episodes have their own title, description, severity, status, and assignee that are separate from the individual notable events within the episode. Aggregation policies are also the container for action rules that automate episode actions, such as sending an email or pinging a host.

How to configure & enable NEAPs?

  • Configuration > Event Management > Notable Event Aggregation Policies > Create NEAP
  • Ships with default NEAP -> default policy only receives notable events matching no other aggregation policy's filtering criteria
  • Content Pack for Monitoring & Alerting 

Q4: What are some tips to reduce alert noise?

A: 

  • Optimize alert grouping with Event Aggregation
  • Improve Alert Hygiene (get your thresholds right)
  • Enrich Entity metadata
  • Ensure your KPIs are relevant and meaningful
  • Leverage the Content Pack for Monitoring and Alerting, which contains tools to analyze your episodes and alerts

Q5: Can we learn more about ITSI integrations with Teams and Slack?

A: Splunk ITSI’s Teams and Slack integrations are Splunk-supported & maintained, available on the Splunkbase website. The integrations (content packs) do way more than help notify teams: 

  • They streamline automatic alerting for correlated events and service health notifications
  • They support actions and workflows within Teams and Slack, like posting messages, getting info about users, or even starting a SlackBot and making health checks
  • In Teams, configure potential actions that allow interactions with Splunk or a 3rd-party app from within Teams

(Check here for troubleshooting Teams)
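As an added illustration of the adaptive thresholding idea from Q2 (example code, not ITSI's own implementation), the following Python models a standard-deviation style rule trained per time block from historical KPI values and compares it with one static threshold. The two-block time policy, the multiplier k, and all KPI data are assumptions constructed for the example.

```python
"""Simplified model of adaptive thresholding (added example, not ITSI code):
thresholds are learned per time block from historical KPI values as
mean + k * standard deviation, instead of being one static number.
All data below is constructed."""
import random
from statistics import mean, pstdev


def time_block(hour):
    """Assumed two-block time policy: business hours vs. off hours."""
    return "business" if 8 <= hour < 18 else "off_hours"


def build_history(days=14, seed=7):
    """Constructed training window: hourly KPI samples (response time, ms)
    that run higher during business hours than at night, with noise."""
    rng = random.Random(seed)
    return [(hour, (400 if 8 <= hour < 18 else 120) + rng.gauss(0, 15))
            for _ in range(days) for hour in range(24)]


def adaptive_thresholds(history, k=3.0):
    """Training step: per time block, upper threshold = mean + k * stdev."""
    by_block = {}
    for hour, value in history:
        by_block.setdefault(time_block(hour), []).append(value)
    return {block: mean(v) + k * pstdev(v) for block, v in by_block.items()}


def count_alerts(samples, thresholds, static_threshold):
    """Evaluate one day of (hour, value) samples against both schemes.
    Returns (alerts_with_static_threshold, alerts_with_adaptive_thresholds)."""
    static_alerts = sum(1 for _, v in samples if v > static_threshold)
    adaptive_alerts = sum(1 for h, v in samples if v > thresholds[time_block(h)])
    return static_alerts, adaptive_alerts


def demo():
    """A normal day plus one genuine off-hours spike at 03:00 (250 ms).
    A static 300 ms threshold pages on every normal business-hour value
    and misses the spike; the adaptive thresholds do the opposite."""
    thresholds = adaptive_thresholds(build_history())
    today = [(h, 400.0 if 8 <= h < 18 else 120.0) for h in range(24)]
    today[3] = (3, 250.0)  # constructed off-hours anomaly
    return count_alerts(today, thresholds, static_threshold=300.0)


if __name__ == "__main__":
    print(demo())  # (10, 1)
```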