Splunk IT Service Intelligence

Anomaly Detection Feature in Service for ITSI?

Observer

Hello ALL,
I would like to know where anomaly detection information is stored in ITSI. I mean, is it in any specific index bucket, or is that a black box for us? I know it is going into "Episode review", but that will not help me. I need to programmatically get this information just like I get the KPI score from ITSI-Summary, as I need to stop my system alerting when it detects an anomaly.

Secondly, where can I find detailed information about how it detects anomalies? I was wondering, is there an option to change any settings?

Thanks
Satya


Splunk Employee

Configuration:
- KPI object in the service object
- A collection in SA-ITSI-MetricAD
- Savedsearches.conf in SA-ITSI-MetricAD

Computational Middle Work:
- there is an index for it called anomaly or something defined in SA-ITSI-MetricAD

Final resultant Anomaly:
- it's a notable event like any other, so the tracked alerts index and then the episodes index


SplunkTrust

Are you using cohesive AD or trending AD? This is stored in the kv-store. You can configure this in the mad.conf settings within the SA-ITSI-MetricAD app.

What exactly are you looking for?


Observer

Thanks for your time.

I'm using trending AD. What I need is this: if you use the feature, it shows red points on the graph to indicate an anomaly. How can I get the complete information using a Splunk query? I can't manually get to any file to review the information.

For example, I have a KPI and I want to know what its health score is. Then I can use index=ITSI_Summary and the KPI name to get the score value by running a query. I need a similar setup.

Like I said, I need to avoid certain steps in a process when the model detects an anomaly.

Thanks, Satya

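The two things the thread has established so far are the storage layout (KPI values in the itsi_summary index; anomaly detection results ending up as ordinary notable events in the tracked-alerts index) and the query pattern the asker already uses for KPI scores. The following is an added example, not code from the thread or from Splunk/ITSI, that turns that into a small gating script: it runs two SPL searches over the Splunk REST export endpoint and returns whether a downstream process step should hold. Everything not stated on the page is an assumption and labelled as such in the code: the exact index names `itsi_summary` and `itsi_tracked_alerts`, the field names `kpi`, `serviceid`, `alert_value`, `alert_severity`, `title` and `source`, the `source=*anomaly*` pattern used to pick out anomaly notables, and the host, token and KPI/service names. Confirm each against your own environment with an `index=... | head 5` search before relying on it.

```python
"""Added example (not from the thread or from Splunk/ITSI).

Query ITSI summary data and the tracked-alerts index through the Splunk REST
export endpoint, then decide whether a process step should hold off.

Assumptions (not stated on the page): index names itsi_summary and
itsi_tracked_alerts; field names kpi, serviceid, alert_value, alert_severity,
title, source; the source=*anomaly* filter; SPLUNK_URL and SPLUNK_TOKEN.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List

SPLUNK_URL = "https://splunk.example.internal:8089"  # assumption: your management port
SPLUNK_TOKEN = "REPLACE_WITH_AUTH_TOKEN"             # assumption: a Splunk auth token

# KPI severities that should hold the process even without an anomaly notable.
SUPPRESS_SEVERITIES = {"high", "critical"}


def spl_quote(value: str) -> str:
    """Quote a literal for SPL so caller-supplied names cannot alter the search."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def kpi_score_spl(kpi: str, service: str) -> str:
    """Latest health value for one KPI, the index=itsi_summary pattern from the thread."""
    return (
        "search index=itsi_summary "
        f"kpi={spl_quote(kpi)} serviceid={spl_quote(service)} "
        "| stats latest(alert_value) AS alert_value "
        "latest(alert_severity) AS alert_severity"
    )


def anomaly_notable_spl(kpi: str) -> str:
    """Anomaly-detection notable events mentioning the KPI in the tracked-alerts index.
    The source filter is an assumption; check your own notables with
    `index=itsi_tracked_alerts | stats count by source` and adjust it."""
    return (
        "search index=itsi_tracked_alerts source=*anomaly* "
        f"title={spl_quote('*' + kpi + '*')} "
        "| stats count AS anomalies latest(_time) AS last_seen"
    )


def parse_export(ndjson_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn the newline-delimited JSON from /services/search/jobs/export into
    final result rows, dropping preview rows and blank lines."""
    rows: List[Dict[str, str]] = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if obj.get("preview") or "result" not in obj:
            continue
        rows.append(obj["result"])
    return rows


def run_search(spl: str, earliest: str = "-15m", latest: str = "now") -> List[Dict[str, str]]:
    """Run SPL through the REST export endpoint with token auth (network call)."""
    body = urllib.parse.urlencode(
        {"search": spl, "output_mode": "json",
         "earliest_time": earliest, "latest_time": latest}
    ).encode()
    req = urllib.request.Request(
        SPLUNK_URL + "/services/search/jobs/export", data=body,
        headers={"Authorization": "Bearer " + SPLUNK_TOKEN},
    )
    ctx = ssl.create_default_context()  # verify TLS; do not disable verification
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return parse_export(resp.read().decode("utf-8").splitlines())


def should_hold(kpi_rows: List[Dict[str, str]], anomaly_rows: List[Dict[str, str]]) -> bool:
    """Hold the step if an anomaly notable fired in the window, or if the KPI's
    latest severity is in SUPPRESS_SEVERITIES (case-insensitive)."""
    for row in anomaly_rows:
        if int(row.get("anomalies") or 0) > 0:
            return True
    for row in kpi_rows:
        if row.get("alert_severity", "").lower() in SUPPRESS_SEVERITIES:
            return True
    return False


if __name__ == "__main__":
    kpi, service = "CPU Utilization", "Web Tier"  # constructed names for illustration
    hold = should_hold(run_search(kpi_score_spl(kpi, service)),
                       run_search(anomaly_notable_spl(kpi)))
    print("hold" if hold else "proceed")
```

The search text is built with `spl_quote` rather than string concatenation so a KPI or service name containing quotes cannot change the search, and the decision is kept in `should_hold` so the same logic can be driven from any source of rows (a saved-search alert payload, for instance) rather than only the REST call.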

SplunkTrust

This is a limitation of the product. As far as I know, it does NOT write the anomalous behavior to the itsi_summary index. I've been a big advocate for doing adaptive thresholding on a per-entity basis, which WOULD write to the itsi_summary index as it does with the aggregate values. I've also built my own in-house solution for this which works on thousands of entities per KPI. It's much faster than the current AT with a lighter footprint. So my suggestion is to wait for it to become available and keep asking the product team for it.


Observer

Thank you. Sure, will do.


Splunk Employee

Hi Satya, this documentation might help to answer your second question: https://docs.splunk.com/Documentation/ITSI/latest/Configure/Enableanomalydetection


Observer

Thanks, this is a general setup document. That's what I am looking for.
