Application Data Storage

Anomaly Detective creates and stores information when running Anomaly Searches.

  • Results: the results of the analysis (Splunk index)
  • State: the mathematical model (KV store)
  • Quantiles: used for dynamically normalizing the results which allows alerting (KV store)

The model state and quantiles are used internally by Anomaly Detective during the analysis and when outputting the results. The results are stored in an index called prelertresults which makes them available for search.

Splunk Enterprise 6.2 introduced a Key-Value JSON document store based on MongoDB. The KV store supports update operations and has excellent performance making it an ideal place to save model state and quantiles. Anomaly Detective requires that the KV store is enabled in Splunk.

KV management dashboard

Splunk provides a useful KV management dashboard. From the top header Splunk menu, navigate to:

  1. Click on Settings / Distributed Management Console
  2. Click on KV Store / KV Store: Instance
  3. Prelert objects will be listed in the main table where App is prelert, collections are prelertstate and prelertquantiles.

Results index

To check results stored by Prelert, run the following. Please note that metadata may not be accurate if you have recently reset or deleted Anomaly Search results.

| metadata type=sources index=prelertresults

This page

Browse

You are here