Cause Analysis

New
  • Updated on Oct 7, 2025
  • Published on Oct 7, 2025
  • 5 minute(s) read
  • Ben F
  • Kendra J
 Prev Next

Cause Analysis Overview

Note: Kentik AI must be enabled to use Cause Analysis (see Kentik AI).

Cause Analysis is one of Kentik’s AI-powered tools. When Cause Analysis is enabled, it will start a time series change detection, which:

  • Identifies spikes and drops in traffic.

  • Performs a comparison of the two windows to find the largest contributors to the changes.

  • Summarizes the findings.

Cause Analysis in Data Explorer

Data Explorer is Kentik's primary interface for manually exploring the network data (flow records, BGP, SNMP, etc.) stored in the main tables of the Kentik Data Engine (KDE; see Data Explorer Table). Cause Analysis enhances Data Explorer with three user workflows:

  • Analyze Traffic: Finds the most contributing traffic dimensions in a single time selection window.

  • Compare Traffic: Finds changes in traffic patterns between two selected time windows.

  • Automatic detection and analysis: Automatically detects and analyzes spikes or drops in the time series data and compares traffic before and after each event.

Note: For details about the Cause Analysis Data Explorer UI, see Cause Analysis Overlay and Cause Analysis Table.

Analyze Traffic

In the Analyze Traffic workflow, a user is able to select a single time window on the graph and engage Cause Analysis. The time window is limited to a 2-hour selection.

Error message for the time window exceeding 2 hours

How to Analyze Traffic

Follow the steps below to analyze traffic with Cause Analysis.

  1. Click and drag to capture a specific time window (typically a spike or drop) on the chart and select the Analyze Traffic button.

  2. Click the Cause Analysis tab in the table below the chart to review the results of the analysis. To view the details by dimension see View Series Traffic Filters.

The Summary highlights the most significant contributing factors to the traffic during this period. The Details show results that are generated by Kentik’s data mining algorithms and reveal the key dimensions contributing to traffic (e.g., applications, IP addresses, ASNs, and cloud services). The larger groups of general dimensions usually contain other groups of more specific dimensions.

Note: The values shown when Cause Analysis is enabled are estimates intended to quickly guide you towards the most relevant factors rather than exact measurements.

Below the Summary and Details is the list of dimensions for that time window, the total estimated traffic for this grouping of dimensions, and the estimated percentage of total traffic represented by this group of dimensions. To view these rows in Data Explorer with additional details, see View Series Traffic Filters.

Compare Traffic

In the Compare Traffic workflow, you can select two time windows on the graph. This workflow is used to understand what changed between two different periods.

First, the system compares the two selected windows based on average traffic volume. Based on the results, it will further compare the window with lower average traffic to the window with higher average traffic to identify which type of traffic contributed more to the increase. With this approach, it is irrelevant which time window will be selected first.

How to Compare Traffic

Follow the steps below to compare traffic with Cause Analysis.

  1. Ensure Cause Analysis is enabled and your query settings are displaying in the Data Explorer chart.

  2. Click and drag to capture the first time window (typically a spike or drop) on the graph then click Compare Traffic.

    • A popup will display directing you to select another time range to continue.

  3. Capture the second time window on the graph then click Run Comparison.

    Note: Cause Analysis will automatically compare these two windows regardless of the order that you select them.

The Cause Analysis tab in the table below the graph will show the following information:

  • The Summary highlights the most significant contributing factors to the traffic increase between these two periods.

  • The Details show the dimensions that changed significantly along with the estimated magnitude of these changes. This will help pinpoint what changed (e.g., a new source IP, a different application, or a shift in traffic routing).

Below the Summary and Details is the list of dimensions for that time window, the total estimated traffic for this grouping of dimensions, and the estimated percentage of total traffic represented by this group of dimensions. To view these rows in Data Explorer with additional details see View Series Traffic Filters.

Using Automatic Detection of Traffic Changes

This automated workflow is helpful for proactively identifying and understanding unexpected network events without manually searching through data. Instead of manually selecting time windows, Kentik will automatically scan the entire time series and identify significant traffic changes (e.g., spikes, drops, or sudden jumps). The detected changes will be clearly marked on the chart.

Note: The number of changes identified is configurable with CPD Limit (see Kentik AI Pane).

How to Begin Automatic Detection

Follow the steps below to begin automatic detection with Cause Analysis.

  1. Engage Cause Analysis one of two ways:

    1. Click the Analyze button in the chart display area (see Explorer Title Bar).

    2. Turn On Enable Cause Analysis from the Kentik AI Pane.

  2. (Optional) Adjust controls in the Kentik AI Pane as needed, and for advanced options see Kentik AI Advanced Options).

  3. Click the Cause Analysis tab in the table below the chart to review the results of the analysis. The table lists each detected change including the type of change, its magnitude, the exact time it occurred, and a Kentik AI-generated summary of the change.

  4. Click any of the rows to expand the contributing dimensions. To view these rows in Data Explorer with additional details see View Series Traffic Filters.

View Series Traffic Filters

Viewing the series traffic filters in Data Explorer can help you confirm traffic patterns for the Cause Analysis workflows.

  1. Click the Action menu on the right side of a group’s row. This will display a menu. Depending on the row you select, the filters in the new Data Explorer browser tab will change.

  2. Select View in Data Explorer. This will open a new tab.

    • The new Data Explorer tab displays a list of filters in the Filter Pane with the specific values of the identified traffic.

  3. Follow steps 1 and 2 to select another group of contributing traffic to correlate the traffic pattern with the spike in the main Data Explorer graph.

Device Traffic Increase Insight

Cause Analysis is also integrated with the Device Traffic Increase insight (Core » Insights; see Insights). When you open a device, Kentik Insights automatically detects significant traffic increases on your network devices, which is displayed in the time-series chart.

  1. Open the main menu and navigate to the Core » Insights page.

  2. Select Device Traffic Increases from the Insight Name filter (other filters are not associated with Cause Analysis).

    Insights page with the Device Traffic Increase filter selected under Insight Name

  3. Click one of the insights to open the dashboard.

  4. (Optional) If you click View in Data Explorer (bottom-right corner of the chart) the Kentik AI Pane Analysis Type will display as Window Comparison.

    Note: The Summary and Details language may vary slightly due to Kentik AI generating new content.

  5. (Optional) Scroll down to the Insight +/- 12hrs visualization and click View in Data Explorer. This is a high-level view of the insights. To view the activity with a wider time frame, click View in Data Explorer.

Kentik AI Pane

The Kentik AI pane in the Query sidebar in Data Explorer is dedicated to Cause Analysis configuration (see Kentik AI Pane and Kentik AI Advanced Options).

Related articles