Feature Request - Alert configuration "trigger on outliers" and "trigger on sampling" behaviour would lead to miss other anomaly reasons

trackme-limited / trackme-report-issues

The purpose of this repository is to allow Splunk community to report issues and enhancements requests

2 stars 0 forks source link

Feature Request - Alert configuration "trigger on outliers" and "trigger on sampling" behaviour would lead to miss other anomaly reasons #618

Closed sebwurl closed 5 months ago

sebwurl commented 6 months ago

When an alert is created via the UI there is the option "trigger on outliers". When set to "false" this is translated in SPL to: | where isOutlier=0.

If I am not mistaken, this can result in missing alerts in case outliers are detected (isOutlier=1) AND there is another reason (sampling,threshold breach etc) for a red or orange object state. I would expect an alert, but it will not be triggered.

guilhemmarchand commented 6 months ago

Thanks @sebwurl good point

Since a good number of releases, the anomaly_reason is a native Python list, most likely!

Added to the backlog.

guilhemmarchand commented 5 months ago

Hi @sebwurl

Thank you again for raising this, we will address it as follows:

TrackMe alerts run at their root the trackmegetcoll custom command
We can easily parse the anomaly_reason so it is natively rendered as a list (which appears as multi-value field in Splunk)
In the same process, we will have a new field called anomaly_reason_count, which underneath is the lengh of the field (therefore the distict count of anomalies)
FInally, rather than the simple current filter, TrackMe would add, respectively: (first line is for Outliers, second for Sampling)

| where NOT (anomaly_reason_count=1 AND isOutlier=1)
| where NOT (anomaly_reason_count=1 AND isAnomaly=1)

Which will honour properly additional use cases when triggering.

CleanShot 2024-06-10 at 21 53 43@2x

guilhemmarchand commented 5 months ago

Release notes for this issue:

Feature Request - Alert configuration "trigger on outliers" and "trigger on sampling" behaviour would lead to miss other anomaly reasons

When creating a TrackMe alert, one can select to trigger or not against Outliers, and Sampling. (note: Sampling is splk-dsm only)
However, the current logic can be much improved to also handle use cases where we have a mutli-detection, and we have more than anomaly in addition with Outliers/Sampling.
With this evolution, TrackMe will parse automatically the anomaly_reason as part of the trackmegetcoll output, adds a new field for the count of anomaly_reason, and finally updates the method when creating a new alert.