I have Perf i.e. Performance data (OMS) where CounterName and CounterValues are present for different Computers
So I am running saved search every 15 min. to raise an alert and my criteria is
1. Any computer which shows consistent a specific counter value or range then it is baseline but if deviate for specific interval then should trigger an anomaly. E.g. computer A shows 86% for processor time so, Splunk should not report as anomaly as it is baseline for it but when deviate as shows 96% for next interval then only for that specific time it should report it.
Thanks @msivill_splunk .
I have already used Machine learning toolkit.
I want to compare my query result with old data like last 24 hours data and result out anomaly for last 15 min ..as I am running my saved search every 15 min and taking data for last 15 min..but if I take last 24 hours data to compare then query becomes too slow..
does this issue can be resolved by ITSI? if yes then how can I resolved ?
If you run 2 saved searches, one every 24 hours that saves the comparison result into a summary index, then the second every 15 minutes and compare the results with the 24 hours saved summary index this should speed things up. I'm assuming you are doing both steps at the same time currently.
ITSI can be configured to handle this type of thing (deviations) for you as part of its framework.