Gen-AI Anomaly Detection Powered by the Cisco Deep Time Series Model
Platform
Brian Goleno
Key takeaways
- Splunk's new AI-powered anomaly detection and forecasting helps teams spot unusual behavior and predict issues before they impact customers.
- The Cisco Deep Time Series Model works without training or manual thresholds, making advanced monitoring easier to use at scale.
- Predictive alerts can warn teams about potential problems hours in advance, helping them prevent outages instead of reacting to them.
The alert fires at 3am. You wake up. You triage. You fix it. You go back to sleep.
Sound familiar? That's the reactive ops loop and it's exhausting, expensive, and increasingly untenable as your stack grows faster than your team can write thresholds for it.
Today, Splunk takes a meaningful step toward ending that cycle. Splunk now delivers Gen-AI driven time series anomaly detection powered by the Cisco Deep Time Series Model (CDTSM), a zero-shot, generative AI foundation model built specifically for machine data. No training required. No data science degree necessary. Simply install AI Toolkit 5.7.4 and start using it.
This capability, paired with AI forecasting for predictive alerting, marks the beginning of a new operational model: Predict and Prevent.
The Problem with Waiting for the Alert
The classic observability playbook (set a threshold, wait for it to breach, get paged, triage, fix) made sense when stacks were simpler. It doesn't anymore.
Today's distributed, microservices-heavy, AI-generated-code-fueled apps produce millions of active metric time series. A typical SaaS platform might generate tens of millions of them. The idea that a human, or even a team of humans, can write and maintain sensible thresholds for all of them isn't realistic. It's a fantasy. And the oncoming flood of AI-created apps will compound the problem.
Static thresholds create noise. They miss gradual degradation. And they tell you what already happened, not what's about to happen. You need a different model. You need to start with near-ubiquitous anomaly detection across your workloads that can sense when there are changes in the system. Anomaly detection and forecasting are not new concepts. However, a combination of complexity, scalability, and reliability concerns has kept these capabilities from being broadly deployed.
Introducing Gen-AI Anomaly Detection in Splunk Platform
Splunk and Cisco recently published the Cisco Time Series Model 1.0 on Hugging Face. It is a generative AI foundation model purpose-built for the complexities of machine data. We've integrated this model directly into the Splunk platform as the Cisco Deep Time Series Model (CDTSM).
The result is on-demand anomaly detection and forecasting for any metric time series, whether derived from logs or native metrics collection, with none of the complexity that's made ML-based monitoring a specialist's game until now.
To get started, simply install or upgrade to AI Toolkit v5.7.4 on Splunkbase. Write or open a query for a KPI that you care about, add the simple SPL command to apply the Cisco Deep Time Series Model, and you're off. Save it as an alert and you've just expanded your detection coverage without writing a single threshold.
This release also significantly improves the AI forecasting experience with better charting, improved UX, and a new kind of alert: predictive alerting. Instead of being notified after an SLO is breached, you get notified when a KPI is predicted to breach it, with an estimate of when—up to 10 hours in advance.
That's enough time to act—before your customers notice. That's the whole point.
Built for Machine Data, from the Ground Up
The CDTSM is a small, 250-million-parameter model trained on 2 trillion unique data points from real machine data use cases and growing. It analyzes up to three months of signal history, more than any competing time series model, and handles complex overlapping seasonality (hourly, daily, weekly, monthly) without a line of configuration.
Unlike traditional approaches like Prophet, ARIMA, or DensityFunction, there is no per-metric fitting step. It's zero-shot: feed it a context window of the metric's history and it returns a forecast along with up to 15 quantile bands defining the probable range of future behavior. The model has internalized the shapes of infrastructure, APM, real-user, component, and networking metrics across millions of time series. It already knows what "normal" looks like.
Gen-AI anomaly detection sits on top of this foundation. Observed values are compared against the model's forecast and confidence intervals, filtered through your sensitivity settings, to surface only meaningful deviations, not noise.
The outcome: fewer false positives from seasonal patterns, and higher sensitivity to genuine anomalies that crude rolling-average baselines would have buried.
One more thing: all forecasting compute runs on dedicated GPU servers, not your search heads. Your searches and alerts stay fast.
From MTTR to MTTP
Here's how this plays out in practice. It's Thursday at 2pm. An anomaly detection alert fires on checkout latency. This is unusual for this time and day. Something has shifted behaviorally. Not a breach yet, just a meaningful change in the signal's trajectory. You note it.
Fifteen minutes later, a predictive alert arrives: "Checkout latency is predicted to breach your warning threshold in 20 minutes, and your critical threshold in 45 minutes."
You escalate. The team rallies. The issue is resolved before a single customer feels it.
That's the difference between MTTR (mean time to recovery) and MTTP: mean time to prevention. Your availability score stays green. Nobody gets paged at 3am. Everyone stays chill.
Anomaly detection tells you something has changed. Predictive alerting tells you where it's going. Together, they close the gap between "something's wrong" and "we're already ahead of this." That's what we mean by Predict and Prevent. An ounce of prediction is worth a pound of response.
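The two mechanisms described above (an observation judged against the model's quantile bands under a sensitivity setting, and a predicted-breach alert derived from the forecast's trajectory) can be illustrated in a few lines. This is an added example, not code from Splunk, AI Toolkit or the cisco-tsm package: the forecast and its quantile bands are constructed inline, and the sensitivity-to-quantile mapping is an assumption made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed mapping from a sensitivity setting to the quantile band an observation
# is checked against: a narrower band flags smaller deviations.
SENSITIVITY_BANDS = {"low": (0.01, 0.99), "medium": (0.05, 0.95), "high": (0.25, 0.75)}


@dataclass
class ForecastStep:
    minutes_ahead: int
    quantiles: Dict[float, float]  # quantile level -> predicted value


def constructed_forecast() -> List[ForecastStep]:
    """Constructed stand-in for a model forecast of checkout latency (ms):
    the median climbs 10 ms per minute and each step carries seven quantiles."""
    steps = []
    for m in range(0, 65, 5):
        median = 300.0 + 10.0 * m
        steps.append(ForecastStep(m, {
            0.01: median * 0.7, 0.05: median * 0.8, 0.25: median * 0.92,
            0.5: median, 0.75: median * 1.08, 0.95: median * 1.2, 0.99: median * 1.3}))
    return steps


def is_anomaly(observed: float, step: ForecastStep, sensitivity: str = "medium") -> bool:
    """An observation outside the selected quantile band is a meaningful deviation."""
    lo_q, hi_q = SENSITIVITY_BANDS[sensitivity]
    return observed < step.quantiles[lo_q] or observed > step.quantiles[hi_q]


def minutes_to_breach(forecast: List[ForecastStep], threshold: float,
                      quantile: float = 0.5) -> Optional[int]:
    """Minutes until the chosen forecast quantile first reaches the threshold, else None."""
    for step in forecast:
        if step.quantiles[quantile] >= threshold:
            return step.minutes_ahead
    return None


def predictive_alert(forecast: List[ForecastStep], warning: float, critical: float,
                     quantile: float = 0.5) -> Optional[str]:
    """Build the 'predicted to breach' message, or None when no breach is forecast."""
    w = minutes_to_breach(forecast, warning, quantile)
    c = minutes_to_breach(forecast, critical, quantile)
    if w is None:
        return None
    msg = f"Checkout latency is predicted to breach your warning threshold in {w} minutes"
    if c is not None:
        msg += f", and your critical threshold in {c} minutes"
    return msg + "."


if __name__ == "__main__":
    fc = constructed_forecast()
    print(is_anomaly(380.0, fc[0]), predictive_alert(fc, warning=500, critical=750))
```

Raising the sensitivity from "low" to "medium" is what turns the 380 ms reading into an anomaly here, and checking the upper quantile instead of the median moves the predicted warning breach earlier, which is the trade-off a sensitivity setting controls.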
On-Premises? No Problem.
Every team running production services deserves this capability, whether you're on Splunk Cloud or managing your own deployment in an air-gapped data center.
Splunk Cloud: Nothing to configure. The CDTSM runs on dedicated, autoscaling GPU servers in your Splunk Cloud region. Highly available, zero additional search head load.
On-premises / self-hosted: Host your own instance(s) of the Cisco Time Series Model. It is easy to run, uses only 2 GB of RAM, and can run on CPUs or GPUs. It is so lightweight that you can easily run it on your laptop. To install the model, just clone the repo from GitHub and run 'docker compose up'. Then, just update one .conf file and you are all set. Review the feature documentation for details.
Get Started Today
Splunk customers: Install AI Toolkit v5.7.4 from Splunkbase. No ML skills required. Works on any metric time series, derived from logs or native metrics, on-prem or Splunk Cloud. Use it to query your favorite KPIs, and start expanding your alert coverage today.
Researchers and builders: The model is open-weight, Apache 2.0 licensed, and available now:
- Hugging Face: cisco-ai/cisco-time-series-model-1.0
- GitHub: splunk/cisco-time-series-model
- PyPI: pip install cisco-tsm
Pre-canned notebooks and reproducible benchmarks included. Commercial use permitted.
The future of operations isn't faster response. It's not needing to respond at all.