Splunk ITSI
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ITSI Threshold based on trend

nzambo_splunk
Splunk Employee
Splunk Employee
‎09-09-2016 08:00 PM

I'd like to set a threshold in ITSI based on how a KPI is trending. In this case, count of events trending towards 75,000 events per hour. So let's say it's 15 minutes past the hour and we're at 20,000 events, and the trend is upwards to the point where we'd be over 75,000 events this hour, I'd like to have my KPI turn orange instead of green.

I assume the threshold indicator could look at the trend, but I think I'd need the hourly projected count and not just the current trend.

Does this seem plausible or possible? Is there a more elegant way to accomplish this?

Thanks

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎09-15-2016 02:39 PM

Given that you've said your data is pretty evenly distributed, I'd just count over the last 60 minutes and call it a day, KISS and all that.

0 Karma
Reply

appache
Path Finder
‎09-13-2016 07:50 AM

In your case you could use adaptive threshold option in services OR you could set up custom threshold values and set the importance to it so that KPI and service analyzer will show up the colors you want.

0 Karma
Reply

nzambo_splunk
Splunk Employee
Splunk Employee
‎09-15-2016 01:34 PM

Sorry, this doesn't really help. I'm not sure how adaptive thresholding is beneficial here since all I'm looking for is what the likely event count would be an hour from now if the current trend holds. I'm exploring the options above to see if we can predict the event count and use that to color code our KPIs. I appreciate the answer and would be open to exploring the option more, I just don't understand your meaning.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎09-10-2016 10:40 AM

Ignoring ITSI for a second, you could extrapolate or predict your KPI in the search itself to reflect a full hour, or you could run over a floating hour.
I'm not quite sure what your data is and how it ebbs and flows, so I don't know what approach fits your case best without more info.

0 Karma
Reply

nzambo_splunk
Splunk Employee
Splunk Employee
‎09-13-2016 06:15 AM

Yes this makes sense. Thinking through this, would you suggest looking at a timechart and using predict with future_timespan to get to this conclusion? It seems like we could span out the timechart over 10 or 15 minutes and predict 3-4 time spans into the future to get a field appropriate to use as a KPI.

The data doesn't come in waves, rather more of a relatively flat line so time based adaptive thresholding is less relevant here I think.

0 Karma
Reply

sundareshr
Legend
‎09-13-2016 07:06 AM

I think for what you want to accomplish, trendline would be a better option. Something like this

...earliest=-1h@h  | timechart span=5m count | trendline sma3(count) as sma_count | where count>sma_count*1.5
0 Karma
Reply

nzambo_splunk
Splunk Employee
Splunk Employee
‎09-15-2016 01:30 PM

Curious why trendline > predict in this case?

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...