Splunk IT Service Intelligence

Anomaly Detection Feature in Service for ITSI?

Observer

Hello ALL,
I would like to know where the anomaly detection information is stored in ITSI. I mean, any specific index bucket? Or is that a black box for us? I know it is going into "Episode review" but that will not help me. I need to programmatically get this information just like I get the KPI score from ITSI-Summary, as I need to stop my system alerting when it detects an anomaly.

Secondly, where can I find detailed information about how it is detecting anomalies? I was wondering whether there is an option to change any setting.

Thanks
Satya


Splunk Employee

Configuration:
- KPI object in the service object
- A collection in SA-ITSI-MetricAD
- Savedsearches.conf in SA-ITSI-MetricAD

Computational Middle Work:
- there is an index for it called anomaly or something, defined in SA-ITSI-MetricAD

Final resultant Anomaly:
- it's a notable event like any other, so the tracked alerts index and then the episodes index

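The original poster wants to gate an external alerting step on the anomaly output programmatically. The following is an added example (not code from the thread or from Splunk) that follows the answer above: it counts recent anomaly notables for one KPI in the tracked alerts index via the Splunk REST search export endpoint and turns that into a suppress/don't-suppress decision. The host, token, and the field name `itsi_kpi_id` on MetricAD notables are assumptions; verify the field names against your own events in `index=itsi_tracked_alerts` before relying on them.

```python
"""Gate a downstream alerting step on recent ITSI anomaly notables (added example)."""
import json
import ssl
import urllib.parse
import urllib.request

SPLUNK = "https://splunk.example.com:8089"  # placeholder management host/port
TOKEN = "<splunk-auth-token>"               # placeholder, assumed bearer token


def anomaly_search(kpi_id: str, window: str = "-15m") -> str:
    """SPL counting recent notables for one KPI in the tracked alerts index.
    The field name itsi_kpi_id on anomaly notables is an assumption."""
    return (f"search index=itsi_tracked_alerts earliest={window} "
            f'itsi_kpi_id="{kpi_id}" | stats count AS anomalies')


def parse_export(raw: str) -> list:
    """search/jobs/export with output_mode=json emits one JSON object per line;
    keep only the lines that carry a result row."""
    rows = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)
        if "result" in obj:
            rows.append(obj["result"])
    return rows


def should_suppress(rows: list) -> bool:
    """True when any returned row reports a non-zero anomaly count."""
    return any(int(r.get("anomalies", 0)) > 0 for r in rows)


def recent_anomaly(kpi_id: str) -> bool:
    """Run the search against Splunk and return the suppression decision."""
    body = urllib.parse.urlencode(
        {"search": anomaly_search(kpi_id), "output_mode": "json"}).encode()
    req = urllib.request.Request(
        f"{SPLUNK}/services/search/jobs/export", data=body,
        headers={"Authorization": f"Bearer {TOKEN}"})
    ctx = ssl.create_default_context()  # verify the management certificate
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return should_suppress(parse_export(resp.read().decode()))
```

Call `recent_anomaly("<kpi id>")` from the process step that should be skipped while an anomaly is active; the KPI id can be read from the KPI object in the service definition.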

SplunkTrust

Are you using cohesive AD or trending AD? This is stored in the kv-store. You can configure this in the mad.conf settings within the SA-ITSI-MetricAD app.

What exactly are you looking for?


Observer

Thanks for your time.

I'm using Trending AD. What I need is: if you use the feature, it shows red points on the graph to indicate it's an anomaly. How can I get complete information using a Splunk query? I can't manually get to any file to review the information.

For example, I have a KPI and I want to know its health score; then I can use index=ITSI_Summary and the KPI name to get the score value by running a query. I need a similar setup.

Like I said, I need to avoid certain steps in a process when the model detects an anomaly.

Thanks, Satya


SplunkTrust

This is a limitation of the product. As far as I know, it does NOT write the anomalous behavior to the itsi_summary index. I've been a big advocate for doing adaptive thresholding on a per-entity basis, which WOULD write to the itsi_summary index as it does with the aggregate values. I've also built my own in-house solution for this which works on thousands of entities per KPI. It's much faster than the current AT with a lighter footprint. So my suggestion is to wait for it to become available and keep asking the product team for it.


Observer

Thank you. Sure, will do.


Splunk Employee

Hi Satya, this documentation might help to answer your second question: https://docs.splunk.com/Documentation/ITSI/latest/Configure/Enableanomalydetection


Observer

Thanks, this is the general setup document. That's what I am looking for.
