Splunk IT Service Intelligence

Understanding ITSI Adaptive Thresholds


I am having more difficulty with the conceptualization of the theory behind the different adaptive threshold algorithms. To be specific, between the Quantile and Range.

I wonder if I could present my understanding to you here and you correct me if I'm wrong and offer me a bit of insight on how to differentiate the two more meaningfully.
It is stated in https://www.splunk.com/blog/2018/01/16/ensuring-success-with-itsi-threshold-and-alert-configurations...
That Quantile is an algorithm that allows you to put threshold bounds at various percentiles based on historic data.
It also lists the example of choosing critical severity for data points falling below the 1st percentile (0.01) and above the 99th percentile (0.99).
The Range is defined as looking at the min and max data points from the historic data and the span between those values. It gives an example: a value of 0 will set a threshold to the historic data min and 1 will set it to the historic data max (and in theory, anything between those will be within the range of the min and max proportionally).
Both of them operate on the historic data. Quantile takes the percentage of the historic data values. Range uses the min and max of the historic data values. These two operations seem to be doing the same thing.
The only thing I can think of is since we can use Time Policies on specific time slots of a day for a threshold policy, we could in fact define a quantile threshold for say between 9 am – 12 pm. It would look at all the historic data for ONLY that time period and the 1.0 of that would be the max value for that time period, instead of the max value for the ENTIRE historical data set as it would be in range. But then, what is the point in defining time policies and using the range algorithm if it always uses the min and max data points for the entire data set?


Splunk Employee

Hi Eric, the different algorithms used for adaptive thresholding, including Quantile and Range, are also described here: https://docs.splunk.com/Documentation/ITSI/latest/Configure/TimePolicies#Available_KPI_threshold_tem...

Hopefully that helps a little.

Splunk Employee

Just like quantile, range and stddev also limit the values used to compute the thresholds to ONLY the data points that fall within the specified time policy. I'd have to go back and re-read my blog on that section... from your perspective was I ambiguous or did I misstate that?

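As an added illustration (not Splunk's code, nor code from either poster), the Python below computes Quantile and Range thresholds the way the question and the reply above describe them: both algorithms are fed only the historic points inside a time policy window, and the practical difference between them shows up once an outlier lands in that window. The sample data, the 9-12 window and the outlier are constructed assumptions.

```python
from datetime import datetime, timedelta
from math import floor

def quantile_threshold(values, q):
    """Threshold at quantile q (0..1), interpolating between sorted neighbours."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("quantile must be within [0, 1]")
    s = sorted(values)
    pos = q * (len(s) - 1)
    lo = floor(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (pos - lo) * (s[hi] - s[lo])

def range_threshold(values, fraction):
    """Threshold at min + fraction * (max - min): 0 is the min, 1 is the max."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must be within [0, 1]")
    lo, hi = min(values), max(values)
    return lo + fraction * (hi - lo)

def policy_window(samples, start_hour, end_hour):
    """Keep only points whose timestamp falls inside the time policy
    [start_hour, end_hour); both algorithms are fed this subset only."""
    return [v for ts, v in samples if start_hour <= ts.hour < end_hour]

def build_samples(days=30):
    """Constructed historic KPI data (hypothetical, not real telemetry): one
    point per hour, rising through the day and slightly day over day."""
    start = datetime(2024, 1, 1)
    return [(start + timedelta(days=d, hours=h), 50 + 5 * h + d)
            for d in range(days) for h in range(24)]

def with_outlier(samples, value=1000):
    """Same data plus one bad reading inside the 9-12 window (constructed).
    Range's upper bound jumps to the outlier; the 0.99 quantile moves far less."""
    return samples + [(datetime(2024, 1, 31, 10), value)]

def adaptive_thresholds(samples, start_hour=9, end_hour=12):
    """Critical low/high bounds for the time policy under both algorithms."""
    window = policy_window(samples, start_hour, end_hour)
    return {
        "quantile": (quantile_threshold(window, 0.01), quantile_threshold(window, 0.99)),
        "range": (range_threshold(window, 0.0), range_threshold(window, 1.0)),
    }

if __name__ == "__main__":
    base = build_samples()
    print("clean  :", adaptive_thresholds(base))
    print("outlier:", adaptive_thresholds(with_outlier(base)))
```

Swap the window hours for the whole day (0, 24) to see that Range's bounds for the policy are not the min and max of the entire data set.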