Dynamic Anomaly detection

ips_mandar
Builder

Hi,

I have Perf, i.e. Performance data (OMS), where CounterName and CounterValue are present for different Computers.
So I am running a saved search every 15 min. to raise an alert, and my criteria is:
1. Any computer which shows a consistent specific counter value or range is its baseline, but if it deviates for a specific interval then it should trigger an anomaly. E.g. computer A shows 86% for processor time, so Splunk should not report it as an anomaly as it is the baseline for it, but when it deviates and shows 96% for the next interval, then only for that specific time it should report it.

How can I achieve this?


ips_mandar
Builder

Thanks @msivill_splunk.
I have already used the Machine Learning Toolkit.
I want to compare my query result with old data, like the last 24 hours of data, and report anomalies for the last 15 min, as I am running my saved search every 15 min and taking data for the last 15 min. But if I take the last 24 hours of data to compare, then the query becomes too slow.
Can this issue be resolved by ITSI? If yes, then how can I resolve it?


msivill_splunk
Splunk Employee

If you run 2 saved searches, one every 24 hours that saves the comparison result into a summary index, then the second every 15 minutes that compares its results with the 24-hour summary index, this should speed things up. I'm assuming you are doing both steps at the same time currently.

ITSI can be configured to handle this type of thing (deviations) for you as part of its framework.

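As an added example (not from the thread, nor Splunk's own documentation), here is the two-search pattern described above written out in SPL: the first search is scheduled once a day and writes a per-host, per-counter baseline to a summary index; the second runs every 15 minutes as the alert and only compares against that stored baseline. It assumes the Perf events carry the fields Computer, CounterName and CounterValue, live in index=oms with sourcetype=perf, and that a summary index named perf_baseline has been created; the "mean plus 3 standard deviations, with a 5-point floor" threshold and the 48-sample minimum are constructed choices that make the 86%-baseline / 96%-spike case fire without alerting on small jitter.

```spl
index=oms sourcetype=perf earliest=-24h latest=now
| stats avg(CounterValue) AS baseline_avg, stdev(CounterValue) AS baseline_stdev, count AS baseline_samples BY Computer, CounterName
| eval baseline_stdev=coalesce(baseline_stdev, 0)
| where baseline_samples >= 48
| collect index=perf_baseline

index=oms sourcetype=perf earliest=-15m latest=now
| stats avg(CounterValue) AS current_avg BY Computer, CounterName
| join type=inner Computer, CounterName
    [ search index=perf_baseline earliest=-25h latest=now
      | dedup Computer, CounterName sortby -_time
      | fields Computer, CounterName, baseline_avg, baseline_stdev ]
| eval threshold=baseline_avg + max(3 * baseline_stdev, 5)
| where current_avg > threshold
| eval deviation=round(current_avg - baseline_avg, 1)
| addinfo
| eval _time=info_max_time
| fields - info_*
| table _time, Computer, CounterName, baseline_avg, current_avg, threshold, deviation
```

The subsearch looks back 25 hours rather than 24 so a late-running baseline job does not leave the alert with nothing to compare against, and the `dedup ... sortby -_time` keeps only the newest baseline per host and counter. Because the 15-minute search never scans the previous 24 hours of raw Perf data, it only reports the interval in which the deviation occurred.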