Splunk IT Service Intelligence

Anomaly Detection Feature in Service for ITSI?

satyab
Observer

Hello ALL,
I would like to know where the anomaly detection information is stored in ITSI. I mean, any specific index bucket? Or is that a black box for us? I know it is going into "Episode review" but that will not help me. I need to programmatically get this information just like I get the KPI score from ITSI-Summary, as I need to stop my system alerting when it detects an anomaly.

Secondly, where can I find detailed information about how it is detecting anomalies? I was wondering if there is an option to change any setting.

Thanks
Satya


esnyder_splunk
Splunk Employee

Configuration:
- KPI object in the service object
- A collection in SA-ITSI-MetricAD
- Savedsearches.conf in SA-ITSI-MetricAD

Computational Middle Work:
- there is an index for it called anomaly or something defined in SA-ITSI-MetricAD

Final resultant Anomaly:
- it's a notable event like any other, so tracked alerts index and then the episodes index


skoelpin
SplunkTrust

Are you using cohesive AD or trending AD? This is stored in the kv-store. You can configure this in the mad.conf settings within the SA-ITSI-MetricAD app.

What exactly are you looking for?


satyab
Observer

Thanks for your time.

I'm using Trending AD. What I need is: if you use the feature, it shows RED points on the graph to indicate it's an anomaly. How can I get complete information using a Splunk query? I can't manually get to any file to review the information.

For example, I have a KPI and I want to know what its health score is. Then I can use index=ITSI_Summary and the KPI name to get the score value by running a query. I need a similar setup.

Like I said, I need to avoid certain steps in a process when the model detects an anomaly.

Thanks, Satya


skoelpin
SplunkTrust

This is a limitation of the product. As far as I know, it does NOT write the anomalous behavior to the itsi_summary index. I've been a big advocate for doing adaptive thresholding on a per-entity basis, which WOULD write to the itsi_summary index as it does with the aggregate values. I've also built my own in-house solution of this which works on thousands of entities per KPI. It's much faster than the current AT with a lighter footprint. So my suggestion is to wait for it to become available and keep asking the product team for it.

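Putting the two answers above together (KPI values in itsi_summary, the final anomaly surfacing as a notable event in the tracked-alerts index), here is an added example of the kind of programmatic gate the question asks for. It is not Splunk's or ITSI's code. It assumes, per the thread, that health-score rows in index=itsi_summary carry kpi="ServiceHealthScore" with the score in alert_value, and that anomaly notables land in index=itsi_tracked_alerts; ANOMALY_SOURCE_PATTERN is a placeholder that must be replaced with the name of the anomaly correlation search as it appears in Episode Review. The REST call uses the standard /services/search/jobs endpoint with exec_mode=oneshot; the decision logic itself runs offline on constructed sample rows.

```python
"""Gate downstream alerting on ITSI data fetched via the Splunk REST API.

Added example, not Splunk's or ITSI's own code. Assumed (from the thread):
  - KPI values live in index=itsi_summary; health-score rows have
    kpi="ServiceHealthScore" and the numeric score in alert_value.
  - Anomaly detections end up as notable events in index=itsi_tracked_alerts.
ANOMALY_SOURCE_PATTERN below is a PLACEHOLDER, not a real ITSI value.
"""
import json
import ssl
import urllib.parse
import urllib.request

# ASSUMED placeholder: set this to your anomaly correlation search name.
ANOMALY_SOURCE_PATTERN = "*Anomaly*"


def build_queries(service_name, window="-15m"):
    """Return the two SPL searches the gate runs: latest health score, recent notables."""
    health = (
        f'search index=itsi_summary kpi="ServiceHealthScore" service_name="{service_name}" '
        f"earliest={window} | sort - _time | head 1 | table _time alert_value alert_severity"
    )
    notables = (
        f'search index=itsi_tracked_alerts source="{ANOMALY_SOURCE_PATTERN}" '
        f"earliest={window} | table _time source title severity"
    )
    return health, notables


def run_search(base_url, token, spl):
    """Run a one-shot search through the REST API and return its result rows."""
    body = urllib.parse.urlencode(
        {"search": spl, "exec_mode": "oneshot", "output_mode": "json"}
    ).encode()
    req = urllib.request.Request(
        f"{base_url}/services/search/jobs",
        data=body,
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp).get("results", [])


def should_suppress(health_rows, notable_rows, min_health=70.0):
    """Decide whether to hold downstream alerting.

    Suppress when any anomaly notable fired in the window, or when the latest
    health score is below min_health. Missing or malformed health data does
    not suppress on its own but is reported under 'warnings' so the caller
    never silently treats "no data" as "healthy".
    """
    reasons, warnings = [], []
    if notable_rows:
        titles = sorted({row.get("title", "?") for row in notable_rows})
        reasons.append(f"{len(notable_rows)} anomaly notable(s): {', '.join(titles)}")
    if not health_rows:
        warnings.append("no recent health score row in itsi_summary")
    else:
        try:
            score = float(health_rows[0]["alert_value"])
        except (KeyError, ValueError, TypeError):
            warnings.append("health score row has no numeric alert_value")
        else:
            if score < min_health:
                reasons.append(f"health score {score:g} below {min_health:g}")
    return {"suppress": bool(reasons), "reasons": reasons, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample rows standing in for REST results, so this runs offline.
    sample_health = [{"_time": "2024-06-01T10:00:00", "alert_value": "82", "alert_severity": "normal"}]
    sample_notables = [{"_time": "2024-06-01T09:58:00", "source": "Anomaly Detection - web",
                        "title": "Anomaly on Web Latency", "severity": "high"}]
    print(build_queries("Web Store"))
    print(should_suppress(sample_health, sample_notables))
```

In production you would call run_search() for each query from build_queries() and feed the rows to should_suppress(); the split keeps the decision logic testable without a Splunk instance, and the separate warnings list makes a search that returns nothing visible rather than looking like a clean bill of health.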

satyab
Observer

Thank you. Sure, will do.


esnyder_splunk
Splunk Employee

Hi Satya, this documentation might help to answer your second question: https://docs.splunk.com/Documentation/ITSI/latest/Configure/Enableanomalydetection


satyab
Observer

Thanks, this is a general setup document. That's what I am looking for.
