Splunk IT Service Intelligence

Anomaly Detection Feature in Service for ITSI?

satyab
Observer

Hello ALL,
I would like to know where the anomaly detection information is stored in ITSI. I mean, is it in any specific index bucket, or is that a black box for us? I know it goes into "Episode review", but that will not help me. I need to programmatically get this information, just like I get the KPI score from ITSI-Summary, as I need to stop my system alerting when it detects an anomaly.

Secondly, where can I find detailed information about how it detects anomalies? I was wondering whether there is an option to change any settings.

Thanks
Satya

0 Karma

esnyder_splunk
Splunk Employee

Configuration:
- KPI object in the service object
- A collection in SA-ITSI-MetricAD
- Savedsearches.conf in SA-ITSI-MetricAD

Computational Middle Work:
- there is an index for it called anomaly or something defined in SA-ITSI-MetricAD

Final resultant Anomaly:
- it's a notable event like any other, so tracked alerts index and then the episodes index

0 Karma

skoelpin
SplunkTrust

Are you using cohesive AD or trending AD? This is stored in the kv-store. You can configure this in the mad.conf settings within the SA-ITSI-MetricAD app.

What exactly are you looking for?

0 Karma

satyab
Observer

Thanks for your time.

I'm using Trending AD. What I need is: if you use the feature, it shows RED points on the graph to indicate an anomaly. How can I get complete information using a Splunk query? I can't manually get to any file to review the information.

For example, I have a KPI and I want to know its health score; then I can use index=ITSI_Summary and the KPI name to get the score value by running a query. I need a similar setup.

Like I said I need to avoid certain steps in a process when model detects anomaly.

Thanks, Satya

0 Karma

skoelpin
SplunkTrust

This is a limitation of the product. As far as I know, it does NOT write the anomalous behavior to the itsi_summary index. I've been a big advocate for doing adaptive thresholding on a per-entity basis, which WOULD write to the itsi_summary index as it does with the aggregate values. I've also built my own in-house solution of this which works on thousands of entities per KPI. It's much faster than the current AT with a lighter footprint. So my suggestion is to wait for it to become available and keep asking the product team for it.

0 Karma
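The KPI-score pattern satyab describes (query itsi_summary by KPI name and gate a process on the result) as an added example, not code from the thread or from Splunk. It assumes the itsi_summary field names kpi, alert_value, alert_severity and is_service_aggregate, the Splunk REST export endpoint, and a bearer token; the sample export body is constructed. Per skoelpin's reply, anomaly flags are not in this index, so only the score and severity are gated on.

```python
"""Gate a process on the latest ITSI KPI health score pulled from itsi_summary."""
import json
import urllib.parse
import urllib.request

# Assumed itsi_summary field names; verify against your deployment.
SUPPRESS_SEVERITIES = {"high", "critical"}   # severities that pause downstream alerting


def build_kpi_score_spl(kpi_name, earliest="-15m"):
    """SPL returning the newest service-aggregate score for one KPI."""
    safe_kpi = kpi_name.replace('"', '\\"')          # keep the quoted value well-formed
    return (
        f'search index=itsi_summary kpi="{safe_kpi}" is_service_aggregate=1 '
        f"earliest={earliest} "
        "| head 1 | table _time kpi alert_value alert_severity"
    )


def parse_export_lines(body):
    """Parse newline-delimited JSON from /services/search/jobs/export (output_mode=json)."""
    rows = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "result" in obj:          # preview/status lines carry no "result" object
            rows.append(obj["result"])
    return rows


def should_suppress(rows):
    """True when the newest row's severity is one we refuse to alert on."""
    return bool(rows) and rows[0].get("alert_severity", "").lower() in SUPPRESS_SEVERITIES


def fetch_kpi_rows(base_url, token, kpi_name):
    """Run the search on a live search head (hypothetical base_url/token supplied by caller)."""
    data = urllib.parse.urlencode(
        {"search": build_kpi_score_spl(kpi_name), "output_mode": "json"}
    ).encode()
    req = urllib.request.Request(
        f"{base_url}/services/search/jobs/export", data=data,
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_export_lines(resp.read().decode())


# Constructed sample of what the export endpoint returns for one KPI.
SAMPLE_EXPORT = (
    '{"preview":false,"offset":0,"result":{"_time":"2024-03-01T10:00:00.000+00:00",'
    '"kpi":"Web Latency","alert_value":"42","alert_severity":"high"}}\n'
)
```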

satyab
Observer

Thank you. Sure, will do.

0 Karma

esnyder_splunk
Splunk Employee

Hi Satya, this documentation might help to answer your second question: https://docs.splunk.com/Documentation/ITSI/latest/Configure/Enableanomalydetection

0 Karma

satyab
Observer

Thanks, this is a general setup document. That's it, what I am looking for.

0 Karma