##################
# itsiad
##################

[itsiad-command]
syntax = itsiad (usekv) (fillna) (gofast) (trainingdays=<number>)
description = Computes an anomaly score (measure of surprise) for the alert_values after the training window or, in usekv mode, after the last scored time. Anomaly scores range from 0 (unsurprising) to 1 (most surprising). The taint value (the tainted output field) indicates how many values in the training window were fabricated in accordance with the fillna flag. The gofast flag removes parameter optimization in favor of hard-coded values, which makes the command run significantly faster. The input must include _time, alert_value, and alert_period. In usekv mode, it must also include itsi_service_id and itsi_kpi_id. In interactive mode, note that the first 100 non-null alert_values after the training window will not be scored, because those prediction errors are needed to bootstrap the error digest. This number may be larger if missing values are in the training window and fillna is not specified, or if the prediction errors generated do not give the command sufficient information to generate scores (e.g., if all prediction errors are the same). If no score can be generated for a particular alert_value after the training window, the command returns anomaly_score=-1. Note that, after resampling, the exact _time and alert_values output by the command may differ from those in the input; any drilldown behavior should look for time windows rather than specific values from the input. The empty string '' is an invalid value for all fields.
shortdesc = Computes an anomaly score (measure of surprise) for the alert_values.
comment1 = An example using interactive mode with a 5-day training window (the 'table' command is optional):
example1 = | table _time alert_value alert_period itsi_service_id itsi_kpi_id | itsiad trainingdays=5 | table _time alert_value anomaly_score tainted itsi_service_id itsi_kpi_id
comment2 = An example using KV mode with missing values filled in:
example2 = | table _time alert_value alert_period itsi_service_id itsi_kpi_id | itsiad usekv fillna trainingdays=5 | table _time alert_value anomaly_score tainted itsi_service_id itsi_kpi_id
usage = public
tags = kpi anomaly detection anomalies

[itsiad-usekv-option]
syntax = usekv
description = When present, this flag makes the command use the KV store to acquire and store the last scored time and error digest.

[itsiad-fillna-option]
syntax = fillna
description = When present, this flag makes the command fill in missing values in the data using simple forward and backward filling. The taint field in the output indicates the number of values fabricated in this manner.

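The forward-then-backward fill and the taint count described for the fillna flag (and in the itsiad description above), as an added Python example that is not code from SA-ITSI-ATAD. It assumes a missing alert_value arrives as None and that the training window is the first trainingdays*86400 seconds of the sorted input; neither detail is specified in this conf.

```python
# Added example, not code from SA-ITSI-ATAD: the forward-then-backward fill the
# fillna flag describes, plus a count of fabricated values inside the training
# window (the "tainted" output field). Assumed, since the conf does not say: a
# missing alert_value is None; the window is the first trainingdays*86400 s.
from typing import Dict, List, Optional, Tuple

SECONDS_PER_DAY = 86400

def ffill_bfill(values: List[Optional[float]]) -> Tuple[List[Optional[float]], List[int]]:
    """Forward-fill, then backward-fill. Returns the filled series and the
    indices that were fabricated; only an all-None series stays unfilled."""
    filled = list(values)
    fabricated: List[int] = []
    last: Optional[float] = None
    for i, v in enumerate(filled):            # forward pass
        if v is None:
            if last is not None:
                filled[i] = last
                fabricated.append(i)
        else:
            last = v
    nxt: Optional[float] = None
    for i in range(len(filled) - 1, -1, -1):  # backward pass closes leading gaps
        if filled[i] is None:
            if nxt is not None:
                filled[i] = nxt
                fabricated.append(i)
        else:
            nxt = filled[i]
    return filled, sorted(fabricated)

def fill_events(events: List[Dict], trainingdays: int) -> Tuple[List[Dict], int]:
    """Fill alert_value across sorted {_time, alert_value, ...} events and
    return (filled_events, tainted), tainted being the number of fabricated
    values whose _time lies inside the training window."""
    if not events:
        return [], 0
    events = sorted(events, key=lambda e: e["_time"])
    filled, fabricated = ffill_bfill([e["alert_value"] for e in events])
    window_end = events[0]["_time"] + trainingdays * SECONDS_PER_DAY
    tainted = sum(1 for i in fabricated if events[i]["_time"] < window_end)
    return [dict(e, alert_value=filled[i]) for i, e in enumerate(events)], tainted

# Constructed sample: one event per day, gaps as None, alert_period in seconds.
SAMPLE_EVENTS = [
    {"_time": d * SECONDS_PER_DAY, "alert_value": v, "alert_period": 300}
    for d, v in enumerate([None, 2.0, None, None, 5.0, None])
]

if __name__ == "__main__":
    print(fill_events(SAMPLE_EVENTS, trainingdays=3))
```

With trainingdays=3 the sample yields four fabricated values but tainted=2, because only the gaps on days 0 and 2 fall inside the window.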
[itsiad-gofast-option]
syntax = gofast
description = When present, this flag makes the command go much faster by turning off parameter optimization.

[itsiad-trainingdays-option]
syntax = trainingdays=<number>
description = The integer number of days of KPI data to use for training.


##################
# itsiat
##################

[itsiat-command]
syntax = itsiat (nokv) (file=<filename containing kpi json object>) (usetempcollection) (collection=<string: name of the collection>) (key=<string: object key>)
description = Computes thresholds based on the input data and according to the schedules and policies specified in settings (in nokv mode) or found in the KV store (default). The data is partitioned according to which block of the schedule it corresponds to, then thresholds are computed for each block according to the rules in the associated policy. If any policy of any KPI lacks sufficient data to compute the thresholds as specified, the command returns no thresholds for that policy and does not update the corresponding thresholds. The _time field should be in UTC epoch time with the timezone specified in the KPI, and that timezone should correspond with the timezone in which the time blocks are specified. No thresholds are returned (or written to the KV store) for any KPI for which an error was encountered; otherwise, the computed thresholds are output even if multiple thresholds have the same value. The command returns thresholds via stdout, and may additionally write them to the KV store if the appropriate arguments are passed. The empty string '' is an invalid value for all fields.
shortdesc = Computes adaptive thresholds for the given data and KPI information (which it uses to acquire schedules and policies from the KV store).
comment1 = An example using the command with the KV store (the 'table' command is optional):
example1 = | table _time alert_value itsi_service_id itsi_kpi_id | itsiat
comment2 = You can also pass a filename containing the KPI JSON directly to the command and receive the results as events (replace $SPLUNK_HOME with the correct path):
example2 = | table _time alert_value itsi_service_id itsi_kpi_id | itsiat nokv file=$SPLUNK_HOME/etc/apps/SA-ITSI-ATAD/bin/test/SHKPI.json
comment3 = You can use the command with a temporary collection in the KV store like this:
example3 = | table _time alert_value itsi_service_id itsi_kpi_id | itsiat usetempcollection collection=temp_kpi_collection key=857d4397893137141fb6c427
usage = public
tags = kpi adaptive thresholding dynamic thresholds schedule blocks policy

[itsiat-nokv-option]
syntax = nokv
description = When present, this flag makes the command use a file (specified with the file argument) instead of the KV store to acquire the policies and schedules. The computed thresholds are returned as events.

[itsiat-file-option]
syntax = file=<filename containing KPI JSON object>
description = In interactive mode (pass the "nokv" flag), the "file" parameter takes a filename containing the plaintext JSON of a KPI object. This has the Time Block and Threshold Policy data structures under the 'time_variate_thresholds_specification' key, which, in KV mode, the command retrieves from the KV store. If the nokv flag is not present, this argument is ignored.

[itsiat-usetempcollection-option]
syntax = usetempcollection
description = When present, this flag makes the command use a temporary collection in the KV store. The collection name and object key must both be provided. If the nokv flag is also present, the command throws an error.

[itsiat-collection-option]
syntax = collection=<string: temp collection name>
description = The name of the temporary collection to use.

[itsiat-key-option]
syntax = key=<string: temp object key>
description = The key to use for the object in the temporary collection.