Using Anomaly Detection to Trigger Events and Automations

This section describes how to use machine learning-based anomaly detection to trigger events and automations in SL1.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Creating an Event Policy for Anomalies

After you have enabled machine learning-based anomaly detection for devices, you can create event policies that will trigger events in SL1 when anomalies are detected for those devices.

Because anomalies do not always correspond to problems, ScienceLogic recommends creating an event policy only for scenarios where anomalies appear to be correlated with some other behavior that you cannot otherwise track using an event or alert.

Because the anomaly detection model is continually refined as SL1 collects more data, an event policy created soon after you enable anomaly detection might generate more anomaly-related events than one created after SL1 has had an opportunity to learn more about the device metric's data patterns.

To create an event policy for anomalies:

  1. Go to the Event Policies page (Events > Event Policies).
  2. On the Event Policies page, click the Create Event Policy button. The Event Policy Editor page appears.
  3. In the Policy Name field, type a name for the new event policy.
  4. Click the Match Logic tab.
  5. In the Event Source field, select Internal.
  6. In the Match Criteria field, click the Select Link-Message button.
  7. In the Link-Message modal page, search for "Anomaly" to locate the message "Anomaly Detected: %V".
  8. Click the radio button for the message "Anomaly Detected: %V", and then click Select.
  9. Complete the remaining fields and tabs in the Event Policy Editor based on the specific parameters that you want to establish for the event. For more information about the fields and tabs in the Event Policy Editor, see the section on Defining an Event Policy.
  10. To enable the event policy, click the Enable Event Policy toggle so that it is in the "on" position.
  11. When you are finished entering all of the necessary information into the event policy, click Save.

Using Anomaly-related Events to Trigger Automated Run Book Actions

SL1 includes automation features that allow you to define specific event conditions and the actions you want SL1 to execute when those event conditions are met. You can use these features to trigger automated Run Book Actions whenever an anomaly-related event is generated in SL1.

To use anomaly-related events to trigger automated Run Book Actions:

  1. Go to the Automation Policy Manager page (Registry > Run Book > Automation).
  2. Click the Create button. The Automation Policy Editor page appears.
  3. In the Policy State field, select Enabled.
  4. In the Available Events field, search for and select an anomaly-related event policy, and then click the right-arrow icon to move it to the Aligned Events field. For more information about anomaly-related events, see Creating an Event Policy for Anomalies.
  5. Complete the remaining fields on the Automation Policy Editor page based on the specific parameters that you want to establish for the automation policy. For more information about the fields on the Automation Policy Editor page, see Automation Policies.
  6. When you are finished, click Save.