Adaptive thresholding is a key capability in Splunk IT Service Intelligence (ITSI) that enables customers to dynamically monitor the status of their key performance indicators (KPIs) and derive meaningful service insights and alerts. The latest release of ITSI, Version 4.17, includes a preview of ML-Assisted Thresholding, a machine learning-powered feature that recommends the optimal adaptive threshold configurations for KPIs so customers can effectively configure thresholds in seconds and offload all manual data analysis with the help of Splunk’s built-in machine learning (ML). With ML-Assisted Thresholding, ITSI users can get up and running faster when configuring services and KPIs, and free up time for work (or fun) beyond the iterative exercise of thresholding.
Adaptive Thresholding analyzes your historic KPI data to baseline behavior and recalibrates threshold values daily based on new data. Static thresholding, in contrast, expects the user to know and define the fixed thresholds.
For example, what is expected to be normal CPU utilization for two systems can be widely different. Static thresholding requires users to identify, set, and update the constant values on their own, whereas Adaptive Thresholding automatically updates the thresholds for each individual system based on commonly supplied parameters, saving the user significant amounts of time. Additionally, Adaptive Thresholding can automatically adapt thresholds to changing scenarios, such as seasonal patterns caused by varying user behavior and workloads. This helps improve the accuracy of KPI and service severities and reduces alert fatigue by reducing the number of false positives. By limiting the administrative overhead required for multiple similar KPIs, Adaptive Thresholding provides a more scalable approach to threshold configuration and management.
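The contrast above, as an added illustration (not Splunk's code and not how ITSI computes thresholds internally): two systems with very different normal CPU levels are checked against one static limit and against per-system baselines of mean plus k standard deviations. The two time policies, k=3, the static limit of 80 and all sample data are assumptions constructed for this sketch.

```python
from statistics import mean, pstdev

def policy(hour):
    """Assumed time policies: business hours vs. everything else."""
    return "business" if 8 <= hour < 18 else "off_hours"

def history(day_level, night_level, days=7):
    """Constructed hourly CPU % samples with small deterministic jitter."""
    samples = []
    for d in range(days):
        for h in range(24):
            base = day_level if policy(h) == "business" else night_level
            samples.append((h, base + (d * 7 + h * 3) % 5 - 2))
    return samples

def adaptive_thresholds(samples, k=3.0):
    """Per time policy: mean + k * standard deviation of historic values."""
    buckets = {}
    for hour, value in samples:
        buckets.setdefault(policy(hour), []).append(value)
    return {p: mean(v) + k * pstdev(v) for p, v in buckets.items()}

def alert_adaptive(thresholds, hour, value):
    return value > thresholds[policy(hour)]

def alert_static(value, limit=80):
    return value > limit

# Two systems whose "normal" differs widely (constructed data).
DB = adaptive_thresholds(history(day_level=85, night_level=60))
WEB = adaptive_thresholds(history(day_level=30, night_level=10))

if __name__ == "__main__":
    for name, thr, hour, cpu in [("db", DB, 10, 86), ("web", WEB, 3, 25),
                                 ("web", WEB, 10, 25)]:
        print(f"{name} hour={hour:02d} cpu={cpu}% "
              f"static={alert_static(cpu)} "
              f"adaptive={alert_adaptive(thr, hour, cpu)}")
```

The static limit fires on the database host's ordinary daytime load and stays silent when the web host runs at 25% at 03:00, while the per-system, per-policy baselines do the opposite. Re-running `adaptive_thresholds` over a sliding window of recent history is one way to model the daily recalibration.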
Configuring adaptive thresholds in ITSI today relies on three key dimensions of inputs:
Determining the optimal combination of these inputs can set you on the path to proactive monitoring of your KPIs.
However, at this point you’re probably wondering, how do I come up with the optimal combination of these to begin with? What if I don’t know where to start?
In complex environments, configuring these threshold parameters can be subjective, involve human analysis of historical data, and sometimes require fine-tuning. Not to worry, exciting things are coming your way. Adaptive Thresholding is about to get even better.
ML-Assisted Thresholding drastically simplifies the process of configuring thresholds down to seconds. In this preview feature, we use machine learning to recommend the optimal time-policies and threshold/severity levels for your data for the standard deviation algorithm, thus enabling you to effortlessly baseline and accurately monitor KPIs in ITSI. The state-of-the-art machine learning algorithms work by identifying underlying seasonality and patterns in your data to curate optimized configurations tailored to each individual KPI, freeing you of the manual work involving visual analysis and estimations.
Assisted Thresholding helps you derive insights into the health of your IT and business services faster and, best of all, without taking any of the current flexibility away. Once the ML-powered feature recommends the best configurations for your KPI, you can either apply the recommendations directly or continue to tune the thresholds as desired.
To further smooth this process, the suggested configurations are accompanied by a plain-text summary and confidence levels to help you understand what the algorithm captured and how confidently.
Assisted Thresholding is now available in private preview as a part of ITSI 4.17.0 and open to all Splunk ITSI customers curious to test it out and share feedback to help us make the experience even better. Click here for more information on signing up. If we’ve gotten you at least a little excited, also be sure to take a deeper dive and learn more about how we developed this capability in our technical blog post.
This blog was co-authored by Poonam Yadav. Special thanks to the Splunk AI team for their commitment to delivering continuous innovation.