Splunk IT Service Intelligence

ITSI Threshold based on trend

nzambo_splunk
Splunk Employee
Splunk Employee

I'd like to set a threshold in ITSI based on how a KPI is trending. In this case, count of events trending towards 75,000 events per hour. So let's say it's 15 minutes past the hour and we're at 20,000 events, and the trend is upwards to the point where we'd be over 75,000 events this hour, I'd like to have my KPI turn orange instead of green.

I assume the threshold indicator could look at the trend, but I think I'd need the hourly projected count and not just the current trend.

Does this seem plausible or possible? Is there a more elegant way to accomplish this?

Thanks

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Given that you've said your data is pretty evenly distributed, I'd just count over the last 60 minutes and call it a day, KISS and all that.

0 Karma

appache
Path Finder

In your case you could use adaptive threshold option in services OR you could set up custom threshold values and set the importance to it so that KPI and service analyzer will show up the colors you want.

0 Karma

nzambo_splunk
Splunk Employee
Splunk Employee

Sorry, this doesn't really help. I'm not sure how adaptive thresholding is beneficial here since all I'm looking for is what the likely event count would be an hour from now if the current trend holds. I'm exploring the options above to see if we can predict the event count and use that to color code our KPIs. I appreciate the answer and would be open to exploring the option more, I just don't understand your meaning.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Ignoring ITSI for a second, you could extrapolate or predict your KPI in the search itself to reflect a full hour, or you could run over a floating hour.
I'm not quite sure what your data is and how it ebbs and flows, so I don't know what approach fits your case best without more info.

0 Karma

nzambo_splunk
Splunk Employee
Splunk Employee

Yes this makes sense. Thinking through this, would you suggest looking at a timechart and using predict with future_timespan to get to this conclusion? It seems like we could span out the timechart over 10 or 15 minutes and predict 3-4 time spans into the future to get a field appropriate to use as a KPI.

The data doesn't come in waves, rather more of a relatively flat line so time based adaptive thresholding is less relevant here I think.

0 Karma

sundareshr
Legend

I think for what you want to accomplish, trendline would be a better option. Something like this

...earliest=-1h@h  | timechart span=5m count | trendline sma3(count) as sma_count | where count>sma_count*1.5
0 Karma

nzambo_splunk
Splunk Employee
Splunk Employee

Curious why trendline > predict in this case?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...