Administering Prelert Configuration

Configuration files used

Splunk configuration is spread over many configuration files. Anomaly Detective introduces some additional configuration files that adhere to the same format and principles as the Splunk configuration files:

  • prelertapp.conf
  • prelertautoinsight.conf
  • prelertfields.conf
  • prelertlimits.conf
  • prelertmodel.conf
  • prelertrealtime.conf

Anomaly Detective is built using a mixture of Splunk functionality and additional Prelert functionality. As a result, some elements of Anomaly Detective configuration are split over multiple configuration files, some Splunk, some Prelert:

  • An Anomaly Search Configuration consists of entries in savedsearches.conf, prelertrealtime.conf and prelertfields.conf (plus, during LookBack only, inputs.conf)
  • An Insight Monitor Configuration consists of entries in savedsearches.conf and prelertautoinsight.conf (plus, during LookBack only, inputs.conf)

Administration of Prelert configurations

Anomaly Detective provides a UI for administering anomaly searches and insight monitors. Using the Anomaly Detective UI for such configuration ensures that all required configuration files are updated in a consistent way.

Splunk also provides a UI for managing many of its configuration files, including savedsearches.conf and inputs.conf. There is nothing to stop you using this Splunk UI to alter the parts of the Prelert configuration that use this Splunk functionality. However, if you do this you may end up in a situation where the overall Prelert configuration is inconsistent and some of your anomaly searches or insight monitors do not work correctly. The only ways to recover from configuration inconsistency are:

  • Use the Splunk UI to revert whatever changes you made to parts of Prelert configurations
  • Manually edit configuration files and restart Splunk
  • Use the Anomaly Detective UI to delete the inconsistent anomaly or insight monitor

For these reasons, the only supported way to modify anomaly searches and insight monitors is to use the Anomaly Detective UI.

This page


You are here