Splunk IT Service Intelligence

Anomaly Detection Feature in Service for ITSI?

satyab
Observer

Hello ALL,
I would like to know where the anomaly detection information is stored in ITSI. I mean, is it in any specific index/bucket, or is that a black box for us? I know it is going into "Episode review", but that will not help me. I need to programmatically get this information, just like I get the KPI score from ITSI-Summary, as I need to stop my system alerting when it detects an anomaly.

Secondly, where can I find detailed information about how it is detecting anomalies? I was wondering whether there is an option to change any settings?

Thanks
Satya


esnyder_splunk
Splunk Employee

Configuration:
- KPI object in the service object
- A collection in SA-ITSI-MetricAD
- Savedsearches.conf in SA-ITSI-MetricAD

Computational Middle Work:
- There is an index for it called anomaly or something, defined in SA-ITSI-MetricAD

Final resultant Anomaly:
- It's a notable event like any other, so the tracked alerts index and then the episodes index


skoelpin
SplunkTrust

Are you using cohesive AD or trending AD? This is stored in the kv-store. You can configure this in the mad.conf settings within the SA-ITSI-MetricAD app.

What exactly are you looking for?


satyab
Observer

Thanks for your time.

I'm using Trending AD. What I need is this: if you use the feature, it shows RED points on the graph to indicate it's an anomaly. How can I get the complete information using a Splunk query? I can't manually get to any file to review the information.

For example, I have a KPI and I want to know what its health score is. Then I can use index=ITSI_Summary and the KPI name to get the score value by running a query. I need a similar setup.

Like I said, I need to avoid certain steps in a process when the model detects an anomaly.

Thanks Satya

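A query of the kind asked for here, built from the storage locations esnyder_splunk lists above (anomaly notables in the tracked alerts index, KPI values in the summary index). This is an added example, not code from the thread or from Splunk. It assumes, as unconfirmed on this page, that anomaly detection notables land in index=itsi_tracked_alerts with a source containing "Anomaly" and carry itsi_service_ids/itsi_kpi_ids, and that itsi_summary rows carry itsi_kpi_id, is_service_aggregate, alert_value and alert_severity; adjust the names to what your environment actually emits.

```spl
index=itsi_tracked_alerts source="*Anomaly*" earliest=-24h
| eval kpi_id=mvindex(split(itsi_kpi_ids, ","), 0),
       service_id=mvindex(split(itsi_service_ids, ","), 0)
| stats latest(_time) AS last_anomaly,
        latest(severity) AS anomaly_severity,
        latest(title) AS anomaly_title
  BY service_id, kpi_id
| join type=left kpi_id
    [ search index=itsi_summary is_service_aggregate=1 earliest=-1h
      | stats latest(alert_value) AS current_value,
              latest(alert_severity) AS current_severity
        BY itsi_kpi_id
      | rename itsi_kpi_id AS kpi_id ]
| eval anomaly_active=if(last_anomaly > relative_time(now(), "-15m"), 1, 0)
| table service_id kpi_id anomaly_title anomaly_severity last_anomaly
        current_value current_severity anomaly_active
```

The anomaly_active flag (1 when a notable fired in the last 15 minutes) is the value a downstream alert search can test to suppress its own action for that KPI.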

skoelpin
SplunkTrust

This is a limitation of the product. As far as I know, it does NOT write the anomalous behavior to the itsi_summary index. I've been a big advocate for doing adaptive thresholding on a per-entity basis, which WOULD write to the itsi_summary index as it does with the aggregate values. I've also built my own in-house solution of this which works on thousands of entities per KPI. It's much faster than the current AT with a lighter footprint. So my suggestion is to wait for it to become available and keep asking the product team for it.


satyab
Observer

Thank you. Sure, will do.


esnyder_splunk
Splunk Employee

Hi Satya, this documentation might help to answer your second question: https://docs.splunk.com/Documentation/ITSI/latest/Configure/Enableanomalydetection


satyab
Observer

Thanks, this is a general setup document. That's it what I am looking for.
