Dynamic Anomaly detection

ips_mandar
Builder

Hi,

I have Perf, i.e. Performance data (OMS), where CounterName and CounterValues are present for different Computers.
So I am running a saved search every 15 min. to raise an alert, and my criteria are:
1. Any computer which consistently shows a specific counter value or range has that as its baseline, but if it deviates for a specific interval then it should trigger an anomaly. E.g. computer A shows 86% for processor time, so Splunk should not report it as an anomaly as it is the baseline for it, but when it deviates and shows 96% for the next interval, then only for that specific time should it report it.

How can I achieve this?


ips_mandar
Builder

Thanks @msivill_splunk.
I have already used the Machine Learning Toolkit.
I want to compare my query result with old data, like the last 24 hours of data, and output anomalies for the last 15 min, as I am running my saved search every 15 min and taking data for the last 15 min. But if I take the last 24 hours of data to compare, then the query becomes too slow.
Can this issue be resolved by ITSI? If yes, then how can I resolve it?


msivill_splunk
Splunk Employee

If you run 2 saved searches, one every 24 hours that saves the comparison result into a summary index, and then a second every 15 minutes that compares its results with the 24-hour summary index, this should speed things up. I'm assuming you are doing both steps at the same time currently.

ITSI can be configured to handle this type of thing (deviations) for you as part of its framework.

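The two-search split described in the answer above, modelled in Python as an added example (it is not Splunk's code nor either poster's): the first function stands in for the daily search that writes a per-Computer/CounterName mean and standard deviation into the summary index, the second for the 15-minute search that compares only the latest batch against that stored baseline. All sample values are constructed; the sample-count minimum, the standard-deviation floor and the 3-sigma threshold are assumptions to be tuned, not values from the thread. The floor matters for exactly the case in the question: computer A sits almost perfectly flat at 86%, so without a floor any tiny wobble would look like many standard deviations.

```python
"""Baseline-vs-recent anomaly check modelled on the two-search approach
(daily summary + 15-minute comparison). Added example, not Splunk or
the poster's code. All sample data below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed 24-hour history of (Computer, CounterName, CounterValue):
# A is steady around 86%, B is legitimately noisy between 20% and 50%.
HISTORY = [
    ("A", "% Processor Time", v) for v in (85.0, 86.0, 87.0, 86.0, 85.5, 86.5)
] + [
    ("B", "% Processor Time", v) for v in (20.0, 35.0, 50.0, 30.0, 45.0, 25.0)
]

# Constructed last-15-minute batch.
RECENT = [
    ("A", "% Processor Time", 96.0),   # spike above A's steady ~86% baseline
    ("B", "% Processor Time", 48.0),   # inside B's normal (noisy) range
    ("C", "% Processor Time", 99.0),   # no baseline yet: cannot be judged
]

MIN_SAMPLES = 3     # assumption: need this many points before calling it a baseline
MIN_STDEV = 1.0     # assumption: floor so a perfectly flat baseline still has a band
Z_THRESHOLD = 3.0   # assumption: flag values more than 3 standard deviations away


def build_baseline(history, min_samples=MIN_SAMPLES, min_stdev=MIN_STDEV):
    """Daily-search equivalent: per (Computer, CounterName) mean/stdev record,
    i.e. what would be written to the summary index once a day."""
    groups = defaultdict(list)
    for computer, counter, value in history:
        groups[(computer, counter)].append(float(value))
    baseline = {}
    for key, values in groups.items():
        if len(values) < min_samples:
            continue  # too little history to treat anything as a baseline
        baseline[key] = {
            "mean": mean(values),
            "stdev": max(pstdev(values), min_stdev),
            "n": len(values),
        }
    return baseline


def detect_anomalies(baseline, recent, z_threshold=Z_THRESHOLD):
    """15-minute-search equivalent: compare each recent value with the stored
    baseline only, so the expensive 24-hour scan is never repeated here."""
    anomalies = []
    for computer, counter, value in recent:
        stats = baseline.get((computer, counter))
        if stats is None:
            continue  # unknown host/counter: not an anomaly, just no baseline yet
        z = (float(value) - stats["mean"]) / stats["stdev"]
        if abs(z) > z_threshold:
            anomalies.append({
                "Computer": computer,
                "CounterName": counter,
                "CounterValue": float(value),
                "baseline": round(stats["mean"], 2),
                "z": round(z, 2),
            })
    return anomalies


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for hit in detect_anomalies(base, RECENT):
        print(hit)  # only computer A's 96% reading is reported
```

Running it reports only computer A (96% against a baseline of 86%); B's 48% is within its own wide band and C is skipped because the summary has no record for it, which is the behaviour the question asks for. In Splunk terms the `build_baseline` output is what the daily search would `collect` into the summary index, and the 15-minute search would read it back and apply the same per-host comparison.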