Splunk® IT Service Intelligence

Entity Integrations Manual

Configure entity thresholds in ITSI

Use machine learning-assisted thresholding to receive threshold recommendations tailored to your entity data, so that you can capture and monitor the behavior of the individual entities linked to KPIs (for example, hosts or containers). Set entity thresholds to detect anomalies in entity behavior and troubleshoot their root cause.

The recommended policy has adaptive thresholding turned on by default, which automatically re-evaluates and updates threshold values as the entity data changes over time. For more information about adaptive thresholding, see Create adaptive KPI thresholds in ITSI.

Prerequisites

Generate threshold recommendations

Step 1: Configure threshold recommendation settings

  1. Select a service from the Services page, and select the Thresholding tab.
  2. From the Entity recommendation settings section, select Get recommendations.
  3. Choose your preferred settings for generating threshold recommendations:
    Setting: Description
    Thresholding direction: Sets whether the severities for the recommended threshold levels should increase below, above, or both relative to the baseline values of the KPI. You can allow machine learning to analyze your data and select the correct thresholding direction, or set this manually.
    Analysis window: Sets the time period over which threshold recommendations run, and is also used as the training window for adaptive thresholding. Selecting 30 days or more (14 days at minimum) helps the algorithm detect weekly patterns, in addition to your daily patterns. Selecting 7 days of data will help the algorithm detect daily patterns in KPI data. We recommend selecting an analysis window that provides more data to analyze.

    Note: The analysis window can't include days in the future, because no data has been generated yet for those days.

    Apply as: Select how to apply the generated recommendations to your entities:
    • Splunk AI recommendations: use the threshold recommendations generated by Splunk AI, which can be a combination of adaptive and static thresholds
    • Static thresholds: apply the threshold values you set
    Allow negative values: Threshold levels should not map to negative KPI values. Select this to allow threshold levels to also include negative KPI values.
    Threshold sensitivity: Determines when a KPI falls outside of threshold levels. Setting a higher sensitivity can generate more KPI alerts, because the KPI may fall outside of the configured threshold levels more frequently.
  4. (Optional) Set up advanced configuration options:
    Setting: Description
    Dynamic recalibration: Turns on a job that continuously monitors and updates your time policies to match the entity's latest data patterns.
    Onboard new entities: Automatically sets up time policies for new entities you add to the service (time policies are set up only after sufficient entity data is available).
  5. Select Next.

Step 2: Preview threshold recommendations

Splunk AI will recommend thresholds based on an analysis of your entity data behavior. Recommendations will run for the top ten entities that include sufficient data. You can then visualize your entity data, and view both the recommended thresholding type (static or adaptive thresholds), and recommended time policies for each entity.

After previewing your thresholds, select Next.

Step 3: Generate and review recommendations

  1. A waiting period is required before you can view entity threshold recommendations. Analyzing your data and producing recommendations generally requires 4-8 hours. Select Confirm to acknowledge this waiting period.
  2. Select Save to begin analyzing your data and generating threshold recommendations. View the recommendations for each entity listed in the Entity thresholds section.

Last modified on 12 September, 2024

This documentation applies to the following versions of Splunk® IT Service Intelligence: 4.20.0

