Upgrade considerations from Anomaly Detective 3.x

Recommendations below are intended for customers upgrading from Anomaly Detective 3.x. Please contact support@prelert.com for assistance during this process.

Anomaly Detective 4.2 contains significant changes to data in anomaly results and the mathematical models. We now use the Splunk KV store for model state and quantiles, and the results have been re-architected for easier navigation and exploration. As such, it is not possible to migrate results, model state or quantiles from v3 to v4.

Real-Time Search configurations can be migrated across. Before enabling them, review the migrated searches manually, especially with respect to the choice of Influencers.

We recommend installing v4 on a separate search head and running the two systems in parallel. If this is not possible, then steps to upgrade are listed below.

Steps

  1. Before upgrading the app, stop all Anomaly Searches (formerly Prelert Real-Time searches) that are running in Anomaly Detective 3.x
  2. Upgrade the Anomaly Detective app to version 4.x using the procedure documented here
  3. While Splunk is still running, clear any old Prelert KV store entries using the prelertclearkvstores.py script (see below)
  4. Shut down Splunk on the search head where configs are to be migrated (this can be done instead of the restart that is usually required when installing Anomaly Detective)
  5. While Splunk is not running, run the prelertmigratev3tov4.py and prelertmigratev4tov4.1.py scripts in that order to migrate v3 Real-Time search configuration to v4.1 Anomaly Searches (see below)
  6. Read through the messages printed to the console by the migration scripts - if any anomaly searches created from version 3.x QuickMode were too complex to be migrated automatically, migrate them manually
  7. Restart Splunk
  8. If you are running a search head cluster, manually copy the post-migration contents of the $SPLUNK_HOME/etc/apps/prelert/local directory from the search head you upgraded to each of the other search heads in the cluster
  9. Manually review the new settings using the Anomaly Search configuration page in the UI; particularly consider Influencers
  10. Decide how long to run lookbacks for each Anomaly Search
  11. Stagger starting the Anomaly Searches, especially lookbacks (best practice)

The script for clearing the Prelert KV store collections is a Python program that must be run in the Python that is shipped with Splunk. On Windows, run it from a command prompt (cmd.exe) as follows:

> cd "C:\Program Files\Splunk\etc\apps\prelert\bin"
> ..\..\..\..\bin\splunk.exe cmd python prelertclearkvstores.py

On other platforms, run the script for clearing the Prelert KV store collections from a shell prompt as follows:

> cd $SPLUNK_HOME/etc/apps/prelert/bin
> ../../../../bin/splunk cmd python prelertclearkvstores.py

The configuration migration scripts are also Python programs that must be run in the Python that is shipped with Splunk. On Windows, run them from a command prompt (cmd.exe) as follows:

> cd "C:\Program Files\Splunk\etc\apps\prelert\bin"
> ..\..\..\..\bin\splunk.exe cmd python prelertmigratev3tov4.py
> ..\..\..\..\bin\splunk.exe cmd python prelertmigratev4tov4.1.py

On other platforms, run the migration scripts from a shell prompt as follows:

> cd $SPLUNK_HOME/etc/apps/prelert/bin
> ../../../../bin/splunk cmd python prelertmigratev3tov4.py
> ../../../../bin/splunk cmd python prelertmigratev4tov4.1.py

Important

You must run the migration scripts in the correct order: first prelertmigratev3tov4.py and then prelertmigratev4tov4.1.py. Failure to do this will corrupt your configuration files.
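The two prerequisites above (splunkd stopped, scripts run in the documented order) can be enforced with a small wrapper. The script below is an added example, not a script shipped with Anomaly Detective; it assumes SPLUNK_HOME is set (defaulting to /opt/splunk), that the splunk binary is at $SPLUNK_HOME/bin/splunk, and that "splunk status" exits non-zero when splunkd is not running. The backup of the local directory is an added precaution, not a step from this page.

```shell
#!/bin/sh
# Added helper, not part of the Anomaly Detective app. Enforces the
# prerequisites this page states before the v3 -> v4.1 config migration:
# splunkd must be stopped, and the two scripts must run in the documented
# order, stopping at the first failure. It also copies etc/apps/prelert/local
# aside first (an added precaution, not a step the page lists).
# Assumes SPLUNK_HOME points at the search head's Splunk install; SPLUNK_CMD
# and APP_DIR can be overridden (e.g. to point at a test stub).
set -u

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_CMD="${SPLUNK_CMD:-$SPLUNK_HOME/bin/splunk}"
APP_DIR="${APP_DIR:-$SPLUNK_HOME/etc/apps/prelert}"

# Succeeds only when "splunk status" reports splunkd is not running
# (assumption: the command exits non-zero in that case).
splunk_is_stopped() {
    ! "$SPLUNK_CMD" status >/dev/null 2>&1
}

# Copies the pre-migration local/ directory aside and prints the backup path.
backup_local_config() {
    [ -d "$APP_DIR/local" ] || { echo "no $APP_DIR/local to back up" >&2; return 1; }
    dest="$APP_DIR/local.pre-v4-migration.$(date +%Y%m%d%H%M%S)"
    cp -R "$APP_DIR/local" "$dest" && printf '%s\n' "$dest"
}

# Runs prelertmigratev3tov4.py, then prelertmigratev4tov4.1.py, from the app's
# bin directory as the documentation shows. Returns non-zero without running
# anything if splunkd is up, and stops after a failed script so the second one
# never runs on a half-migrated configuration.
run_migration() {
    if ! splunk_is_stopped; then
        echo "refusing to migrate: splunkd is still running" >&2
        return 1
    fi
    backup_local_config >/dev/null || return 1
    for script in prelertmigratev3tov4.py prelertmigratev4tov4.1.py; do
        echo "running $script"
        (cd "$APP_DIR/bin" && "$SPLUNK_CMD" cmd python "$script") || {
            echo "$script failed; fix the problem before re-running" >&2
            return 1
        }
    done
}
```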

Breaking changes

  • Existing alerts will no longer be able to read the new results format. Any existing alerts will need to be manually re-created.
  • Existing dashboards will no longer be able to read the new results format. Any existing or custom dashboards will require a manual upgrade.
  • Splunk on Splunk and Real-Time Summary Dashboards are no longer available. To view the results from these searches, please use the Anomaly Search Results Dashboard.
  • prelertcompare and Compare Mode are no longer available.
  • Support for 32-bit systems is no longer available.
