SPLK-3002 Anomaly Detection

Anomaly Detection Detailed Explanation

1. Purpose of Anomaly Detection in ITSI

What Is Anomaly Detection?

Anomaly Detection is a method that allows ITSI to automatically learn what “normal” behavior looks like for a KPI—and then detect when something unusual (anomaly) happens.

Instead of relying on fixed thresholds, anomaly detection uses machine learning to spot:

• Unexpected spikes

• Unusual drops

• Irregular patterns

Why Use It?

Because not all problems are obvious or follow fixed patterns.

For example:

• Your app may normally have 500 users at 9 AM.

• If one day it suddenly jumps to 5,000, that could be a bug—or a cyberattack.

• Static thresholds may miss this or generate too many false alerts.

Anomaly Detection helps find subtle or unexpected changes before they become serious.

2. How Anomaly Detection Works

ITSI uses machine learning models to analyze historical KPI data and identify unusual behavior. Here’s how it works step by step:

Step 1: Learning Historical Behavior

• The system looks at past KPI values (for example, over 30 days).

• It builds a model of what the normal range of values looks like at different times.

Step 2: Real-Time Evaluation

• As new KPI data comes in, the system compares it to the expected pattern.

• If the value falls outside the normal range, it's flagged as an anomaly.

Step 3: Alerting and Visualization

• If the anomaly is severe enough, ITSI can:

  • Change the KPI’s status

  • Generate a Notable Event

  • Highlight the issue in a dashboard or Deep Dive

3. Key Configuration Options

To tune how anomaly detection works, ITSI offers several important settings:

a. Learning Window

• This defines how much historical data is used to train the model.

• Common values: 14 days, 30 days, 90 days

• More data = better model (but slower to learn)

b. Sensitivity

• Controls how aggressively the model flags deviations.

• Higher sensitivity = more anomalies detected, even small ones

• Lower sensitivity = fewer alerts, focuses on big changes

Best practice: Start with medium sensitivity and adjust based on results.

c. Retraining Frequency

• Determines how often ITSI updates the learning model.

• Can be daily, weekly, or on demand

• Important for systems that change behavior regularly (like seasonal traffic)

4. Use Cases for Anomaly Detection

a. Catching Subtle Issues Early

• Before KPIs cross fixed thresholds, a pattern change may occur.

• Anomaly Detection catches these early warning signs.

b. Reducing False Positives

• Static thresholds often generate alerts during normal fluctuations.

• Anomaly Detection understands “normal noise” and filters it out.

c. Monitoring Dynamic Environments

• In cloud or containerized environments, behavior changes often.

• It’s hard to set fixed thresholds—anomaly detection adapts automatically.

5. Limitations of Anomaly Detection

Although powerful, Anomaly Detection has its limits:

a. Requires Sufficient Historical Data

• If you only have 1 or 2 days of data, the model can’t learn normal behavior accurately.

• More data = more accurate anomaly detection.

b. Needs Tuning in Noisy Environments

• If your KPI is very noisy (frequent, unpredictable spikes), the model may flag too many false anomalies.

• You may need to:

  • Adjust the sensitivity

  • Use smoothing techniques

  • Combine with filters

c. Not a Replacement for Thresholds

• Anomaly detection is best used alongside static or dynamic thresholds, not instead of them.

• It adds another layer of intelligence, especially for unpredictable problems.

Summary: What to Remember About Anomaly Detection

• Anomaly Detection uses machine learning to identify unusual KPI behavior based on past trends.

• It helps detect issues earlier, especially in fast-changing or complex environments.

• You can configure its learning window, sensitivity, and retraining frequency.

• It’s a powerful complement to traditional thresholds—not a complete replacement.

Anomaly Detection (Additional Content)

1. What Is an Anomaly Score?

When anomaly detection is enabled for a KPI in ITSI, the platform calculates an "Anomaly Score" for each data point where the behavior deviates from the learned baseline.

Key Points:

• The Anomaly Score ranges from 0 to 100

  • Higher values indicate a greater deviation from expected behavior

• This score is machine-learned, based on historical data patterns

• It is not a threshold, but a confidence indicator of abnormality

Usage of Anomaly Score:

• KPI Status Color: A high score may shift a KPI’s color from green to yellow or red, depending on configuration

• Triggering Notable Events: The score can be referenced in alert rules or action conditions

• Trend Analysis: Allows operational teams to detect early deviations before thresholds are violated

Recommended exam-ready phrasing:
“ITSI calculates an Anomaly Score for each detected deviation, indicating how far the current value diverges from its learned norm. This score is used to change KPI state or generate alerts.”

2. Split-by Fields and Per-Entity Anomaly Detection

When a KPI uses split-by fields (e.g., host, region, or application_id), anomaly detection functions independently for each split.

How it works:

• ITSI builds a separate anomaly model for each unique entity

• Each entity receives its own learning baseline and anomaly score

• This enables fine-grained anomaly tracking on a per-host or per-service basis

Benefits:

• Helps detect localized issues affecting only a subset of the environment

• Reduces false positives from system-wide aggregation

• Enhances multi-tenant or distributed infrastructure monitoring

Recommended note:
When anomaly detection is used with split-by fields, each entity (e.g., host or region) receives a separate learning model, enabling entity-specific anomaly detection.

3. Model Retraining and Best Practices

The anomaly detection model in ITSI is continuously trained over time, but retraining can also be:

• Scheduled (e.g., weekly or monthly)

• Manually triggered when needed

Retraining Impacts:

• Updates the model with more recent behavior

• Replaces part of the old learning pattern, improving relevance

• Can temporarily reset anomaly sensitivity as the model re-learns

Best Practice – When to Retrain:

• After major changes in system traffic, application logic, or deployment patterns

• If anomaly detection no longer reflects current patterns

• During seasonal behavior shifts (e.g., holiday traffic peaks)

Recommendation for practical exams:
After major infrastructure or traffic changes, it is best practice to manually trigger a model retraining to realign baselines with new behaviors.

4. Visual Representation in Deep Dives

Deep Dives in ITSI are visual tools for incident investigation. When anomaly detection is enabled, results appear as:

a. Anomaly Bands

• Shaded areas that reflect expected normal behavior ranges

• The current KPI value is compared to this band

b. Outlier Dots

• Individual dots that indicate where KPI values diverged significantly

• These points correspond to anomalous scores, visually highlighted for RCA

Visualization Value:

• Helps operators quickly see if a KPI is outside its learned normal band

• Supports narrative-based RCA (root cause analysis)

• Aids in communicating anomalies to non-technical stakeholders during postmortems

Summary

• Anomaly detection uses machine learning to detect behavioral deviations

• Each anomaly receives an Anomaly Score (0–100) based on its severity

• With split-by fields, ITSI enables per-entity detection using isolated models

• Retraining ensures that models stay aligned with system behavior

• Deep Dive visualizations show anomaly insights as bands and dots, making diagnosis clearer and more accessible