Machine learning for logs, cut through the hype.
Splunk recently announced machine learning capabilities. Learn how Indeni’s machine learning differs from log management and SIEM solutions like Splunk.
Notice: This blog post was originally published on Indeni before its acquisition by BlueCat.
The content reflects the expertise and perspectives of the Indeni team at the time of writing. While some references may be outdated, the insights remain valuable. For the latest updates and solutions, explore the rest of our blog.
The article explains machine learning’s practical limits for IT operations and contrasts generalized ML approaches like Splunk’s with Indeni’s specialized, knowledge-driven automation for network and security device management. It highlights that ML needs large, well-constrained datasets to avoid high false positive rates and emphasizes operational impacts such as alert accuracy, root cause analysis, and mean time to resolution. The piece outlines four differentiators where Indeni improves actionability—ingesting configuration data, leveraging a large device-knowledge repository, crowd-sourced insights via Indeni Insight, and rules tuned to the 99.9% operational baseline—resulting in more precise, actionable alerts.
Does the article say that all products with “machine learning” are equally effective for IT operations?
No. The article cautions that many machine learning algorithms are not new and that effectiveness depends on data volume, constraints, and how vendors help algorithms focus on important elements. It warns that unconstrained ML can yield high false positive rates and stresses asking vendors how they reduce false positives, make findings actionable, and ensure the algorithm understands the domain. The article uses examples to show that without proper constraints (for example, comparing similar device types), ML alerts may be numerous but not useful.
How does Indeni’s approach to data ingestion differ from Splunk’s according to the article?
According to the article, Indeni ingests configuration data in addition to statistics and logs from network and security devices, whereas Splunk and similar SIEM/log management tools primarily focus on logs and statistics. Collecting device configurations and software state gives Indeni deeper context, enabling more accurate identification of issues tied to specific products or software builds. This richer data model supports built-in knowledge-driven alerts, eliminating the need for customers to write queries or scripts for root cause analysis and troubleshooting.
What operational advantages does Indeni claim because of its knowledge repository and community data sharing?
Indeni claims several operational advantages: its large database of device knowledge embeds known issues and resolution steps, enabling immediate, human-readable alerts with implications and remediation steps to shorten mean time to resolution. Through Indeni Insight, sanitized telemetry from many customers contributes device characteristics and behavior patterns to a central repository, allowing cross-customer learnings to improve detection. Finally, Indeni’s rules assume devices are healthy 99.9% of the time and that most outages stem from misconfigurations, which reduces false positives and helps teams prioritize the small subset of real problems more effectively.
Splunk recently announced new machine learning capabilities in its Splunk Cloud and Splunk Enterprise 6.5 release. Does everyone have machine learning capabilities now? What exactly is machine learning? See below for key considerations for this technology approach and how Indeni’s machine learning differs from Splunk’s.
3 things IT needs to know about machine learning
- Machine learning algorithms have been around for decades. Most of them, especially those that are mathematically based, are not new. For example, Arthur Samuel coined the term “machine learning” in 1959!
- Machine learning works best with large sets of data. You need a substantial amount of information to determine trends, correlations, etc. Take the example of the NVIDIA self-driving car that was shown at CES this year. Only after 3000 miles of driving on highways, back roads and suburban roads was the car able to stop running over traffic cones and avoid parked cars.
- If not constrained, machine learning will have a very high false positive rate. To continue the analogy from above, say you are monitoring multiple types of automobiles. Comparing the device data of a semi-truck to a Tesla would be interesting, but not actionable. Say one of your rules was to alert if the engine noise exceeded 100 decibels, because you believe this level of noise indicates there is an issue with the engine. A semi-truck would generate an alert every time it turned on, whereas a Tesla would hardly say a peep. Giving your machine learning constraints (e.g. compare Tesla data only with that of other Teslas) yields far more accurate results.
Moral of the story: if a vendor pitches you on “machine learning”, it’s OK to be optimistic, but be cautious. Here are some questions you can ask to see if the machine learning will make your team more productive:
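As an added illustration (not code from the original post or from Indeni), the constructed Python below models the constraint argument on network telemetry: a fixed “alert if CPU > 60%” rule applied across two device classes with different normal load, beside a per-model baseline that compares each device only with its peers. The fleet, device names, thresholds and noise levels are assumptions; one genuine fault per thousand readings mirrors the 99.9%-healthy assumption made later in the post.

```python
"""Peer-group baselines vs. one fixed threshold on constructed device telemetry."""
import random
from statistics import mean, pstdev

random.seed(7)  # reproducible constructed data

# Constructed fleet: two device classes with very different normal CPU load,
# the network analogue of the semi-truck vs. Tesla engine-noise example.
NORMAL_CPU = {"edge-router": 65.0, "core-switch": 20.0}  # typical busy %
JITTER = 8.0          # uniform +/- noise around the normal level
FAULT_SPIKE = 30.0    # extra load during a genuine fault

def build_telemetry(per_model=1000):
    """Return (readings, truth): readings are (model, cpu) tuples, truth marks real faults."""
    readings, truth = [], []
    for model, base in NORMAL_CPU.items():
        for i in range(per_model):
            is_fault = i == per_model // 2  # one real fault per model, ~0.1% of readings
            cpu = base + random.uniform(-JITTER, JITTER) + (FAULT_SPIKE if is_fault else 0.0)
            readings.append((model, cpu))
            truth.append(is_fault)
    return readings, truth

def fixed_threshold_alerts(readings, threshold=60.0):
    """Unconstrained rule: 'alert if CPU > 60%' on every device, whatever its class."""
    return [cpu > threshold for _, cpu in readings]

def peer_group_alerts(readings, z_limit=3.0):
    """Constrained rule: alert only when a reading is far outside its own class's baseline."""
    by_model = {}
    for model, cpu in readings:
        by_model.setdefault(model, []).append(cpu)
    baseline = {m: (mean(v), pstdev(v)) for m, v in by_model.items()}
    return [abs(cpu - baseline[m][0]) / baseline[m][1] > z_limit for m, cpu in readings]

def score(alerts, truth):
    """Return (true_positives, false_positives, precision) for an alert vector."""
    tp = sum(a and t for a, t in zip(alerts, truth))
    fp = sum(a and not t for a, t in zip(alerts, truth))
    return tp, fp, (tp / (tp + fp) if tp + fp else 0.0)

if __name__ == "__main__":
    readings, truth = build_telemetry()
    for name, rule in (("fixed threshold", fixed_threshold_alerts), ("peer-group baseline", peer_group_alerts)):
        tp, fp, prec = score(rule(readings), truth)
        print(f"{name:20s} TP={tp} FP={fp} precision={prec:.1%}")
```

The fixed rule fires on most busy-but-healthy edge routers and never sees the core switch's fault, while the peer-group baseline raises exactly the two genuine faults.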
- How does the vendor help the algorithm focus on the important elements? How do they help their technology understand the data to reach the right conclusions?
- How do they avoid a high rate of false positives? For example, if their machine learning algorithms find “an anomaly” what are the chances it’s a true positive?
- How does the vendor make its alerts or findings actionable?
4 ways Indeni differs from Splunk
Now that we are on the same page for machine learning, here are four ways that Indeni differs from SIEM and Log Management solutions such as Splunk.
#1 Indeni ingests configuration data in addition to statistics and logs of devices.
Collecting greater depths of information on devices and the software running on them allows Indeni to identify issues with greater accuracy.
#2 Indeni has the largest database of device knowledge.
Indeni has a growing repository of known infrastructure issues and resolution steps for the largest enterprises. This information is gathered from our customers, Indeni engineers and third-party experts around the globe. How does this help on a daily basis?
- Root cause analysis: Instead of coming up with a hypothesis and then building a query in Splunk so that you can schedule alerts when the same log or event occurs, Indeni has the knowledge built into its core alerting system; no scripting or queries are required.
- Troubleshooting: When you receive an alert in Indeni, in addition to telling you the affected device or error code, Indeni provides a human readable description, the implication of not addressing the event and steps to resolution, helping network and security operations teams prioritize focus areas and shorten the mean time to resolution.
#3 Indeni connects admins and engineers across the globe
In addition to applying expert-developed scripts and rules to the data in your environment, Indeni learns from other Indeni customers and applies those learnings to your Indeni instance. Our users subscribe to a service called Indeni Insight, which sends data from their environment to our central repository. The data is sanitized and contains general device characteristics and behavior information: for example, what model the device is, what software is running on it, which features are enabled, the status of licenses or contracts, running metrics (CPU, memory, etc.), system logs, active users and much more. The result for administrators and engineers? It’s like leveraging the expertise of thousands of your IT operations friends at Fortune 500 companies.
#4 Indeni’s knowledge is based on the assumption that devices are working as expected 99.9% of the time.
Based on our experience as network and security professionals, we know a device malfunctions only 0.1% of the time. In addition, it is widely documented that 70% of network outages occur due to device misconfigurations. These two constraints are built into our rules and playbooks which allow us to reduce false positives, saving our customers time and money.
At a glance: Indeni vs. Splunk
| Similarities | Differences |
|---|---|
Conclusion
Indeni is capable of identifying specific issues, which pertain to specific types of products and even specific software builds, at a level of accuracy and actionability never seen before. With Indeni, customers can find health and operational issues in their infrastructure before they happen, proactively handle them and have a better life. Interested in trying Indeni in your environment? Contact us or engage with one of our registered partners. The future of network management is automation, and Indeni is leading the way in this movement.