Understanding ITSI Adaptive Thresholds

EricLloyd79
Builder

I am having more difficulty with the conceptualization of the theory behind the different adaptive threshold algorithms. To be specific, between the Quantile and Range.

I wonder if I could present my understanding to you here and you correct me if I'm wrong and offer me a bit of insight on how to differentiate the two more meaningfully.
 
It is stated in https://www.splunk.com/blog/2018/01/16/ensuring-success-with-itsi-threshold-and-alert-configurations...
that Quantile is an algorithm that allows you to put threshold bounds at various percentiles based on historic data.
It also lists the example of choosing critical severity for data points falling below the 1st percentile (0.01) and above the 99th percentile (0.99).
 
The Range is defined as looking at the min and max data points from the historic data and the span between those values. It defines an example as being a value of 0 will set a threshold to the historic data min and 1 will set it to the historic data max (and in theory, anything between those will be within the range of the min and max proportionally).
 
Both of them operate on the historic data. Quantile takes the percentage of the historic data values. Range uses the min and max of the historic data values. These two operations seem to be doing the same thing.
 
The only thing I can think of is since we can use Time Policies on specific time slots of a day for a threshold policy, we could in fact define a quantile threshold for say between 9 am – 12 pm. It would look at all the historic data for ONLY that time period and the 1.0 of that would be the max value for that time period, instead of the max value for the ENTIRE historical data set as it would be in range. But then, what is the point in defining time policies and using the range algorithm if it always uses the min and max data points for the entire data set?

0 Karma

esnyder_splunk
Splunk Employee

Hi Eric, the different algorithms used for adaptive thresholding, including Quantile and Range, are also described here: https://docs.splunk.com/Documentation/ITSI/latest/Configure/TimePolicies#Available_KPI_threshold_tem...

Hopefully that helps a little.

jwiedemann_splu
Splunk Employee

Eric,
Just like quantile, range and stddev also limit the values used to compute the thresholds to ONLY the data points that fall within the specified time policy. I'd have to go back and re-read my blog on that section... from your perspective was I ambiguous or did I misstate that?

0 Karma
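The following is an added example, not part of the thread and not ITSI's own code. It applies the Quantile and Range definitions quoted in the question to the same time-policy window, as the reply describes, so the two can be compared at identical levels. The history, the 9-12 window, the 900 outlier, the function names and the linear-interpolation quantile are all constructed assumptions.

```python
from datetime import datetime, timedelta

def quantile_threshold(values, q):
    """Value below which a fraction q of the samples fall (linear interpolation)."""
    s = sorted(values)
    pos = q * (len(s) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (pos - lo) * (s[hi] - s[lo])

def range_threshold(values, r):
    """Point a fraction r of the way from the historic min to the historic max."""
    lo, hi = min(values), max(values)
    return lo + r * (hi - lo)

def policy_values(history, start_hour, end_hour):
    """Keep only samples whose timestamp falls inside the time policy window."""
    return [v for ts, v in history if start_hour <= ts.hour < end_hour]

def build_history():
    """Constructed data: 7 days of hourly KPI samples with one 900 spike."""
    start = datetime(2024, 1, 1)
    history = []
    for d in range(7):
        for h in range(24):
            busy = 9 <= h < 12
            value = 100 + 3 * d + (h - 9) if busy else 10 + d
            if (d, h) == (3, 10):
                value = 900  # single outlier inside the 9 am - 12 pm window
            history.append((start + timedelta(days=d, hours=h), value))
    return history

def compare(values, levels=(0.0, 0.5, 0.9, 1.0)):
    """Return {level: (quantile_threshold, range_threshold)} for the same inputs."""
    return {p: (quantile_threshold(values, p), range_threshold(values, p)) for p in levels}

if __name__ == "__main__":
    history = build_history()
    window = policy_values(history, 9, 12)
    for name, vals in (("9-12 policy", window), ("all history", [v for _, v in history])):
        for p, (q, r) in compare(vals).items():
            print(f"{name:12} level={p:<4} quantile={q:7.1f} range={r:7.1f}")
```

The two algorithms agree only at levels 0 and 1 (the window's min and max). In between, Quantile follows where the bulk of the samples sit, while Range is stretched by the single outlier, and both change when the time policy changes which samples are included.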