Dynamic Anomaly detection

ips_mandar
Builder

Hi,

I have Perf, i.e. Performance data (OMS), where CounterName and CounterValue are present for different computers.
So I am running a saved search every 15 min. to raise an alert, and my criteria are:
1. Any computer which shows a consistent specific counter value or range, then that is its baseline, but if it deviates for a specific interval then it should trigger an anomaly. E.g. computer A shows 86% for processor time, so Splunk should not report it as an anomaly as it is the baseline for it, but when it deviates and shows 96% for the next interval, then only for that specific time should it report it.

How can I achieve this?


ips_mandar
Builder

Thanks @msivill_splunk .
I have already used Machine learning toolkit.
I want to compare my query result with old data, like the last 24 hours of data, and report anomalies for the last 15 min, as I am running my saved search every 15 min and taking data for the last 15 min. But if I take the last 24 hours of data to compare, then the query becomes too slow.
Can this issue be resolved by ITSI? If yes, then how can I resolve it?


msivill_splunk
Splunk Employee

If you run 2 saved searches, one every 24 hours that saves the comparison result into a summary index, then the second every 15 minutes that compares its results with the 24-hour summary index, this should speed things up. I'm assuming you are doing both steps at the same time currently.

ITSI can be configured to handle this type of thing (deviations) for you as part of its framework.

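The two-stage pattern described in this answer (a daily job that stores a per-computer baseline, and a 15-minute job that only compares against it), as an added Python illustration that is not from the thread and not Splunk SPL; the perf records and thresholds are constructed for the demo, and a per-host mean/standard deviation is assumed as the baseline statistic.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed OMS Perf records: (computer, counter, minute_offset, value).
# Computer A runs hot (~86% processor time) as its normal baseline; B idles (~20%).
def baseline_rows():
    rows = []
    for t in range(0, 1440, 15):               # 24 hours of 15-minute samples
        rows.append(("A", "% Processor Time", t, 86 + (t // 15) % 3 - 1))  # 85..87
        rows.append(("B", "% Processor Time", t, 20 + (t // 15) % 3 - 1))  # 19..21
    return rows

def recent_rows():
    # The "last 15 minutes": A spikes to 96% (anomalous for A); B reads 21%,
    # which is normal for B even though A's 86% and B's 21% differ a lot in absolute terms.
    return [("A", "% Processor Time", 1440, 96), ("B", "% Processor Time", 1440, 21)]

def build_baseline(rows):
    """Stage 1 (the daily search): per computer+counter mean and stdev over 24h.
    This small table is what the daily job would write to the summary index."""
    samples = defaultdict(list)
    for computer, counter, _ts, value in rows:
        samples[(computer, counter)].append(value)
    return {key: (mean(v), pstdev(v)) for key, v in samples.items()}

def detect_anomalies(rows, baseline, z_threshold=3.0, min_stdev=1.0):
    """Stage 2 (the 15-minute search): flag only readings that deviate from the
    host's OWN baseline, so a steady 86% is never an alert but a jump to 96% is.
    min_stdev stops a perfectly flat baseline from turning every tick into an alert."""
    anomalies = []
    for computer, counter, ts, value in rows:
        key = (computer, counter)
        if key not in baseline:
            continue                              # no history yet: nothing to compare to
        avg, sd = baseline[key]
        z = (value - avg) / max(sd, min_stdev)
        if abs(z) >= z_threshold:
            anomalies.append({"computer": computer, "counter": counter, "time": ts,
                              "value": value, "baseline": round(avg, 1), "z": round(z, 2)})
    return anomalies

if __name__ == "__main__":
    for hit in detect_anomalies(recent_rows(), build_baseline(baseline_rows())):
        print(hit)   # only computer A's 96% reading is reported
```

Only the 15-minute slice is scanned each run; the expensive 24-hour aggregation happens once a day, which is the speed-up the answer describes.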