Enabling Anomaly Detection

This section describes how to enable anomaly detection events in SL1.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Viewing the List of Devices that Have Anomaly Detection Enabled

The Machine Learning page displays a list of devices that are currently using anomaly detection, as well as devices for which you can enable anomaly detection if it is not enabled already.

To navigate to the Anomaly Detection page, click the Skylar AI icon and click the button for Anomaly Detection.

You can filter the items on this inventory page by typing filter text or selecting filter options in one or more of the filters found above the columns on the page. For more information, see Filtering Inventory Pages.

You can adjust the size of the rows and the size of the row text on this inventory page. For more information, see the section on Adjusting the Row Density.

For each device in the list, the Anomaly Detection page displays the following information:

  • Device Name. Displays the name of the device. Click the hyperlink to go to the Anomaly Detection tab of the Device Investigator page for that device. Each row on the Anomaly Detection page represents a specific device and metric for that device. As a result, a device might appear in the list multiple times if anomaly detection is enabled for multiple metrics on that device.
  • Metric Type. Indicates the metric that SL1 is evaluating for anomalies on the device.
  • ML Enabled By User. Indicates the username of the user that enabled anomaly detection for the device and metric.
  • Class. Displays the Device Class for the device.
  • Category. Displays the device's Device Category.
  • Anomaly Count. Displays the number of anomalies detected by SL1.

Configuring Anomaly Detection in SL1

Before you can start using Anomaly Detection, you will need to perform the following configurations in SL1:

After you perform these configurations, you can access Anomaly Detection, Skylar Analytics, and other key Skylar AI components from the Skylar AI page in SL1.

Create a Service Connection

On the Service Connections page (Manage > Service Connections) in SL1, you will create a service connection for the Skylar AI engine. The service connection enables communication between your SL1 system and Skylar AI.

For Skylar AI Beta, you will need to contact ScienceLogic for the API Key and AI Engine URL values to set up the service connection.

To create a service connection in SL1:

  1. In SL1, go to the Service Connections page (Manage > Service Connections).
  2. Click Add Service Connection and select Skylar AI Engine. The Create Connection window appears.
  3. Complete the following fields:
    • Name. Type a name for this new service connection.
    • API Key. Paste the API key for Skylar AI into this field. Ask your ScienceLogic contact for this value.
    • Skylar AI Engine URL. Add the endpoint URL for your Skylar AI instance. Ask your ScienceLogic contact for this value.
    • Share data with. Select the All Organizations toggle (turn it blue) to share this connection with all existing and newly created organizations. Alternatively, you can deselect the All Organizations toggle (turn it gray) and select one or more organizations from the Selected Organizations drop-down to limit access to this connection to only those organizations.
  4. Click Save. The service connection is added to the Service Connections page.

Enabling Anomaly Detection for an Organization

In SL1, if you want to use Anomaly Detection and Predictive Alerting, you will need to select one or more organizations that will share data with Skylar AI. This data will come from all of the devices in a selected organization. By default, the Skylar AI features are disabled.

You can see which organizations are currently sending data to Skylar AI by going to the Organizations page (Registry > Accounts > Organizations) and looking at the Skylar AI Status column for the organizations.

To enable Anomaly Detection and Predictive Alerting:

  1. In SL1, go to the Organizations page (Registry > Accounts > Organizations) and click the check box for one or more organizations.
  2. In the Select Action drop-down, select Send Data from Selected Orgs to Skylar AI and click Go to start sending data about the selected organizations to Skylar AI. The Skylar AI Status column for the selected organizations changes to Enabled.

Enabling Anomaly Detection Events for Specific Metrics

You can set up anomaly detection for specific metrics for devices and business services so that event policies are triggered when an anomaly is detected for that metric.

Enabling Anomaly Detection Events for a Metric on the Device Investigator Page

To enable anomaly detection events for a metric on the Device Investigator page: 

  1. On the Devices page, click the Device Name for the device on which you want to enable anomaly detection events. The Anomaly Detection tab for Device Investigator displays.

    If the Anomaly Detection tab does not already appear on the Device Investigator, click the More drop-down menu and select it from the list of tab options.

  2. On the Anomaly Detection tab, click the Add Alert Policy button or click the Actions icon for any of the listed metrics and select Enable. The Select Available Metrics modal appears.

  3. In the Select Metric drop-down, use the Search field to search for a specific metric or click one of the category names, such as "Dynamic Apps" or "Collection Labels", to view a list of available metrics for that metric category.

  4. Click the name of the metric on which you want to enable anomaly detection events for the device.

  5. For some metrics, a second drop-down field might display that enables you to specify the device directory. If this field appears, click the name of the directory on which you want to enable anomaly detection.

  6. Click Enable. That metric is enabled for events for that device.

To disable anomaly detection events for a metric, click the Actions icon for that metric and select Disable.

Enabling Anomaly Detection Events for a Metric on the Service Investigator Page

On the Anomalies widget on a Service Investigator page, you can enable anomaly detection events for additional metrics or disable anomaly detection events for metrics on which they are currently enabled.

The Anomalies widget appears only if you have at least one device in the selected service that has anomaly detection enabled.

To enable anomaly detection events for a metric on the Service Investigator page:

  1. On the Business Services page, select a service from the list of business, IT, and device services by clicking its name. The Service Investigator displays.
  2. On the Service Investigator page, click the Anomalies widget.
  3. Click the Actions icon for any of the listed metrics and select Enable. The Select Metric to Enable Machine Learning modal appears.
  4. In the Select Metric drop-down, use the Search field to search for a specific metric or click one of the category names, such as "Dynamic Apps" or "Collection Labels", to view a list of available metrics for that metric category.
  5. Click the name of the metric on which you want to enable anomaly detection events for the device.
  6. For some metrics, a second drop-down field might display that enables you to specify the device directory. If this field appears, click the name of the directory on which you want to enable anomaly detection.
  7. Click Enable Machine Learning.

To disable anomaly detection for a metric, click the Actions icon for that metric and select Disable. The metric is removed from the Anomalies widget.

Viewing Graphs and Data for Anomaly Detection

After SL1 begins performing anomaly detection for a device, you can view graphs and data about each anomaly. Graphs for anomalies appear on the following pages in SL1:

  • The Machine Learning page.

  • The Machine Learning tab in the Device Investigator.

  • The Anomalies widget in the Service Investigator for a business, IT, or device service.

You can view the anomaly detection graphs for the metrics by clicking the Expand icon next to the metric for the device. The Anomaly Chart modal appears, displaying the "Anomaly Index" chart above the chart for the specified metric you are monitoring.

The "Anomaly Index" chart displays a graph of values from 0 to 100 that represent how far the real data for a metric diverges from its normal patterns. The lines in the chart are color-coded by the severity level of the event that gets triggered as the data diverges further.

The second graph displays the following data:

  • A blue band representing the range of probable values that SL1 expected for the device metric.
  • A green line representing the actual value for the device metric.
  • A red dot indicating anomalies where the actual value appears outside of the expected value range.

You can hover over a value in one of the charts to see a pop-up box with the Expected Range and the metric value. The Anomaly Index value also displays in the pop-up box, with the severity in parentheses: Normal, Low, Medium, High, or Very High.

You can zoom in on a shorter time frame by clicking and dragging your mouse over the part of the chart representing that time frame, and you can return to the original time span by clicking the Reset zoom button.

You can view the alert levels when you hover over a value in one of the charts on the Anomaly Chart modal. The Anomaly Index severity level displays after the index value, in parentheses: Normal, Low, Medium, High, or Very High.

An Anomaly Index severity level of Normal is assigned to a value in the chart that is lower than the lowest enabled alert level. For example, if the threshold for the Low severity is enabled and set to 20 or higher, an Anomaly Index of 16 would have a severity level of Normal.
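The following added example (not ScienceLogic code) works through the severity rule and the expected-range check described above, showing how disabling a lower alert level widens what is labelled Normal. The `Sample` structure, the sample values, and every threshold except Low = 20 are constructed; it also assumes that a level applies when the index is at or above its threshold and that the highest matching enabled level is the one reported.

```python
# Added illustration; not SL1 code. Only the Low=20 threshold comes from the page.
from dataclasses import dataclass

# Severity names in ascending order, as listed on the page (Normal is the fallback).
LEVELS = ["Low", "Medium", "High", "Very High"]


@dataclass
class Sample:
    actual: float         # green line: actual metric value
    expected_low: float   # lower edge of the blue expected band
    expected_high: float  # upper edge of the blue expected band
    anomaly_index: int    # 0-100, taken as an input; not computed here


def severity(anomaly_index, enabled_thresholds):
    """Severity for an index, given {level: threshold} for ENABLED levels only.
    Assumption: a level applies at index >= threshold; highest matching level wins."""
    if not 0 <= anomaly_index <= 100:
        raise ValueError("Anomaly Index must be between 0 and 100")
    label = "Normal"  # below the lowest enabled alert level
    for level in LEVELS:
        threshold = enabled_thresholds.get(level)  # None means the level is disabled
        if threshold is not None and anomaly_index >= threshold:
            label = level
    return label


def outside_expected_range(s):
    """True where the chart would show a red dot: actual value outside the band."""
    return s.actual < s.expected_low or s.actual > s.expected_high


def summarize(samples, enabled_thresholds):
    """Pair each sample's red-dot flag with its severity label."""
    return [(outside_expected_range(s), severity(s.anomaly_index, enabled_thresholds))
            for s in samples]


# Constructed samples and threshold sets.
SAMPLES = [Sample(41.0, 35.0, 50.0, 16), Sample(58.0, 35.0, 50.0, 27),
           Sample(93.0, 35.0, 50.0, 88)]
ALL_ENABLED = {"Low": 20, "Medium": 40, "High": 60, "Very High": 80}
LOW_DISABLED = {"Medium": 40, "High": 60, "Very High": 80}

if __name__ == "__main__":
    for cfg in (ALL_ENABLED, LOW_DISABLED):
        print(summarize(SAMPLES, cfg))
```

With the Low level disabled, the constructed sample with index 27 is labelled Normal although its value still falls outside the expected range.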