Splunk ITSI

Force to run adaptive thresholding update in ITSI on all services


When I select adaptive thresholding in Service Definition, it mentions
"Adaptive Thresholding runs everyday around midnight and updates the thresholding for the KPI based on the settings below. Once updated, old thresholds cannot be recovered."
but it is not updating anything. After month I had to open every single service and manually had to Apply Adaptive Thresholding to get it updated.

How do I run this using scheduled search instead of opening every single KPI out of 500+ applying manually ?


Hi All! Any update on this issue? I'm having the same problem with Splunk ITSI 4.9.2 on Cloud. Just opened a case with the Support.


Marco Scala

0 Karma

Path Finder

@skoelpin Thanks for the response. I didn't mean we were looking for adaptive thresholding on the entities. What I meant was that the adapting thresholding that is turned on in the threshold template does not appear to be creating unique thresholds adaptations for each of the services (which use service templates). It seems like it is creating a set of thresholds once a day for some large data set then applying that to all services that have the threshold template attached. That doesn't seem right to me. What am I missing?


0 Karma

Path Finder

Have there been any updates to this issue?

We too have services synced to Service Templates and thresholding linked to a Threshold template that employs adaptive thresholding. I would have thought that the adaptive thresholding would be applied to each service by learning the trend on the entities filtered in to that service (and not have to manually set each service threshold) but it does not appear to be working that way.

When using a Service Template and Threshold Templates with adaptive thresholding, what is used for training and does it uniquely apply to each service employing those templates?

0 Karma


Adaptive thresholding will NOT work on a per entity basis. It only works on the aggregate value

There is a workaround, but it involves building a custom anomaly detection system in core Splunk to cook your entity data than passing it to ITSI.

0 Karma

Path Finder

@skoelpin Thanks for the response. I didn't mean individual thresholds for each entity, I meant for the service aggregate, is there a different set of thresholds that get generated per service.

We have services using templates (both service and threshold templates). It seems that the threshold template is generating some thresholds based on something (not sure what) and applying that to all services. I would have thought that each service for which the template was applied would get a different adaptive threshold set applied to it.

What am I missing?


0 Karma


Adaptive thresholding is applied on a per KPI basis. You're wanting to do adaptive thresholding on the service level? You could sum the KPI's aggregate severities to get the service severity

0 Karma

Path Finder

We are running ITSI 3.1.4. Look like we are running into the same problem.
160 services are synced with the same service template. I have a response time KPI I want to edit the threshold template for. Static template are no problem syncing. But I want to use one of my adaptive template. Seems to me that I manually need to “apply adaptive threshold” for every Service. I haven't tried to wait over night, and will try that. But there shuld be a way to force update.

0 Karma


I have a support case in for this very issue. Will let you know if I get a response that gets this working properly.


Any updates on the support case ? I m seeing the similar issue in our ITSi environment. After changing threshold levels in time policies, the new values doesn't kick in automatically. I have to go to each KPI and click on "apply adaptive Threshold" after each modification.


0 Karma


What version of ITSI are you running and how have you validated that they are not updating?

0 Karma


ITSI 3.0.0 on Splunk 7.0.4
I have validated that, by observing for 30 days. KPI always in RED.
When I updated manually it did immediatelly fit into the thresholds correctly turning green

0 Karma


How are your thresholds set? How many time policies do you have?

Have you looked at the time policies Preview window to determine how they look? Perhaps your values are trending much lower than they have historically? Have you had major outliers in the past which are making them look low now?

0 Karma

Path Finder



have you had any response to your support case?

We have run into exactly the same issue, AT bands get recalculated every night but do not kick in until you explicitly go in each service and go click 'apply adaptive' thresholding and 'save'.

this results in kpi being in the wrong band, impact service health score and basically rendering the service tree into an non reality-reflecting state

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...