Configure entity thresholds in ITSI

Use machine learning-assisted thresholding to receive threshold recommendations tailored to your entity data. Severity-level thresholds determine the current status of your KPI. When KPI values meet or exceed threshold conditions, the KPI status changes (for example, the value can change from High to Critical). You can detect and troubleshoot the root cause for anomalies in entity behavior by setting accurate entity thresholds, and monitor the behavior of single entities contributing to KPIs (for example, hosts or containers.).

The recommended policy will have adaptive thresholding turned on by default, which automatically re-evaluates and updates threshold values as the entity data changes over time. For more information about adaptive thresholding, see Create adaptive KPI thresholds in ITSI.

Prerequisites

  • Install Python for Scientific Computing version 3.0.0 or later in order to use this feature.
  • Because adaptive thresholding evaluates historic patterns in your data, ensure entities have established baselines of data points and show a pattern or trend over time.

Create entity thresholds with AI thresholding

Step 1: Configure threshold recommendation settings

  1. Select a service from the Service and KPI configuration page, and select the KPIs tab.
  2. Select the Entity thresholds tab, and select the AI thresholding button on the left side panel.
  3. Set the parameters for your thresholding algorithm in order to receive accurate threshold values:
    Setting Description
    Analysis window Sets time period over which threshold recommendations run, and is also used as the training window for adaptive thresholding. Selecting a larger window helps the algorithm detect weekly patterns, in addition to your daily patterns. We recommend selecting an analysis window that provides more data to analyze.

    Note: Note: The analysis window can't include days in the future, because no data has been generated yet for those days in the future.
    Threshold type Select the calculation which will be used to automatically adjust threshold values by analyzing historical KPI behavior. The selected threshold type generates threshold values that fit your data’s behavior.
    Thresholding directionSets whether the severities for the recommended threshold levels should increase below, above, or both relative to the baseline values of the KPI. You can allow AI to analyze your data and select the correct thresholding direction, or set this manually.
    Apply as Select how to apply the generated recommendations to your entities:
    • Splunk AI recommended: use the threshold recommendations generated by Splunk AI recommendations, which can be a combination of adaptive and static thresholds
    • Static thresholds: apply the same threshold values that were set as a default for your KPI thresholds
    Positive thresholds onlyThreshold levels should not map to negative KPI values. Select this to allow threshold levels to also include KPI values.
    Threshold sensitivity Sets tolerance for variations in data before a change is considered significant. Setting a higher sensitivity can generate more KPI alerts, because the KPI may fall outside of the configured threshold levels more frequently.
  4. (Optional) Set up advanced configuration options:
    Setting Description
    Onboard new entities Automatically sets up time policies for new entities you add to the service (time policies set up only after sufficient entity data is available).
    Get recommendations forSet whether you want to apply the recommended threshold settings to all entities, or only specific entities that you select.
  5. Select Next.

Step 2: Preview threshold recommendations

Splunk AI will recommend thresholds based on an analysis of your entity data behavior. View recommendations for up to ten entities that include sufficient data. You can then visualize your entity data, and view both the recommended thresholding type (static or adaptive thresholds), threshold levels, and recommended time policies for each entity.

After previewing your thresholds, select Next.

Step 3: Generate and preview recommendations

  1. A waiting period is required before you can view entity threshold recommendations. Select Save to begin analyzing your data and generating threshold recommendations.

Use custom threshold settings for entities

Instead of using AI thresholding to generate threshold values, define your own threshold values by selecting one of the following thresholding types:

  • Adaptive thresholding: dynamically adjusts thresholds based on historical data patterns and detects anomalies in fluctuating data
  • Time-variant static thresholding: specify different static values for KPIs at different times of the day and week
  • Static thresholding: specify set default values for KPIs

Alternatively, you can select a set threshold template to apply to your KPI threshold settings, and these threshold values will be automatically applied to your entity threshold settings.

Update entity threshold settings

The Entity thresholds tab displays details about the default threshold settings for entities contributing to your service's KPIs:

  • Threshold type: current settings applied to calculate entity threshold values. The default settings for entity thresholds always match the threshold type in KPI thresholds.
  • Prevent custom thresholds: turn toggle off if you want to set customized thresholds for one or more entities. Otherwise, default settings are applied to all entities.
  • Revert all to default settings: select to revert any custom threshold values back to the default threshold settings.

View threshold levels

Select the Threshold levels tab to view the values for each severity level. You can also copy the time policy settings for KPI thresholds and apply the settings globally for all entities on the threshold levels tab.

View per-entity threshold recommendations

Select the names of individual entities on the left side panel to view the AI threshold recommendation summary for each entity, as well as information about the threshold type and threshold level values.