Install and Configure Anomaly Detection

Anomaly Detection must be enabled after you install the Anomaly Detection Service. Enabling Anomaly Detection also enables Automated Root Cause Analysis.

Install the Anomaly Detection Services

To use Anomaly Detection, install the Anomaly Detection Services in your Kubernetes cluster.

Enable Anomaly Detection

You need to enable Anomaly Detection separately for each application.

In Alert & Respond > Anomaly Detection, select one of the following applications from the dropdown:
- Applications
- Databases
- User Experience: Browser Apps
- User Experience: Mobile Apps
Toggle Anomaly Detection ON.
After you enable Anomaly Detection, it takes 48 hours for Anomaly Detection and Automated Root Cause Analysis to become available. During that time, the machine learning models train on your application.

Select Model Training to view the training status for your application servers, business transactions, base pages, databases, and network requests as applicable.

The following table explains the training statuses:


Status	Meaning
In Training	Model training is in progress for the application server, business transaction, base page, database, or network request.
Ready	Model training is complete and the application server, business transaction, base page, database, or network request is healthy.
Warning	Model training is complete, but the application server, business transaction, base page, database, or network request has experienced one or more Warning level anomalies during the training period.
Critical	Model training is complete, but the application server, business transaction, base page, database, or network request has experienced one or more Critical level anomalies during the training period.
Not Available	Model training is incomplete and the application server, business transaction, base page, database, or network request is not visible to Anomaly Detection.

The models continue training as long as Anomaly Detection is enabled. For example, if traffic to a Business Transaction is interrupted for long enough duration preventing training that day, Anomaly Detection continues to function using the models from the previous seven days.

Note: No machine learning models are trained for Business Transactions that have very low calls per minute (CPM), because the sample size will be so small that the resulting model will be unreliable.

Monitor Anomalies

To view and monitor the anomalies for application servers, business transactions, base pages, databases, and network requests, select Alert & Respond > Anomaly Detection > Anomalies.

Alternatively, you monitor anomalies from the following pages:

Monitor Anomalies for Business Transactions

To view the anomalies related to business transactions:

From Applications > Business Transactions, select any Business Transaction of interest.
Click the Warning or Critical icon in the Health column.
A list of health rule violations and anomalies for the Business Transaction displays.
You can view the lists of anomalies in multiple ways. Monitoring anomalies can reflect how you work with Splunk AppDynamics. Choose any of these options to open a detailed view that includes the results of Automated Root Cause Analysis.
- If you set up and validate tools for a tools team: View the anomaly details from Alert & Respond > Anomaly Detection > Anomalies
- If you monitor applications for an application operations team:
  - From Applications > Events, filter Event Types to include anomalies.
  - From Applications > Troubleshoot > Violations & Anomalies, filter Event Types to include anomalies

Monitor Anomalies for Browser Applications

To view the anomalies related to browser applications:

From main menu, click User Experience > Browser Apps.
Select the desired browser application and click Details.
Do the following:
1. Click Violation & Anomalies to view all the anomalies associated with the selected browser application.
2. Click Events to view all the anomaly events.

Monitor Anomalies for Databases

To view the anomalies related to databases:

From main menu, click Databases.
Do the following:
1. Click Violation & Anomalies to view all the anomalies associated with the selected database.
2. Click Events to view all the anomaly events.

Monitor Anomalies for Mobile Applications

To view the anomalies related to mobile applications:

From main menu, click User Experience > Mobile Apps.
Select the desired mobile application and click Details.
Do the following:
1. Click Health Rule Violations to view all the anomalies associated with the selected browser application.
2. Click Events to view all the anomaly events.

Configure Anomaly Detection

By default, Anomaly Detection alerts you about the anomalies found in all the business transactions, base pages, and network requests in your application. However, you can configure Anomaly Detection to surface only those anomalies within the combination of business transactions, base pages, or network requests, severity level, and detection sensitivity that you specify. Do this if you prefer to see fewer and more narrowly focused alerts:

Click Configure Anomaly Detection to open the configuration dialog.
Select the desired component from the dropdown:
- Applications
- Databases
- User Experience: Browser Apps
- User Experience: Mobile Apps
Select one of the following entities based on the preceding step:
- For Business Transactions associated with the selected application:
  - All Business Transactions in the Application (this is the default selection)
  - Business Transactions within the specified Tiers
  - These specified Business Transactions
  - Business Transactions matching the following criteria:
    - Starts With
    - Ends With
    - Contains
    - Equals
    - Matches Regular Expression
    - Is in List
    - Is Not Empty
      
      Note: You can also select the NOT operator to reverse the criteria.
- For servers associated with the selected application:
  - All Servers (this is the default selection)
  - Specific Servers
  - All Servers of a Specific Tier
- For Base Pages associated with the selected application:
  - All Base Pages in the Application
  - These specified Base Pages
  - Base Pages matching the following criteria:
    - Starts With
    - Ends With
    - Contains
    - Equals
    - Matches Regular Expression
    - Is in List
    - Is Not Empty
      
      Note: You can also select the NOT operator to reverse the criteria.
- For Databases:
  - All Database or a specific database type such as Cassandra, Couchbase, and MongoDB
  - These specific databases
- For Network Requests associated with the selected application:
  - All Network Requests in the Application
  - These specified Network Requests
  - Network Requests of these specified mobile applications
  - Network Request matching the following criteria:
    - Starts With
    - Ends With
    - Contains
    - Equals
    - Matches Regular Expression
    - Is in List
    - Is Not Empty
      
      Note: You can also select the NOT operator to reverse the criteria.
Select one of the following severity levels:
- All Severities (includes both Warning and Critical)
- Critical
- Warning

In Detection Sensitivity, select one of the following levels:


Sensitivity Level	Description
High	Use this level for business-critical services to ensure that no issue gets undetected in your environment. It triggers more alerts but with lower statistical confidence.
Medium	Use this level for services that are important to your business but not critical. By default, this sensitivity level is selected.
Low	Use this level for services that have low business impact and to avoid too many alerts.

If you want to test anomaly detection in a non-production environment, select Yes, turn on test mode.

Note: The test mode allows you to assess anomaly detection capabilities in non-production environments. In this mode, the anomaly detection accurately detects any performance issues even if metric data collection is low. You can use the test mode in your development or staging environments.
Click Save to complete the configuration.

Documentation