Event Center
Guance provides an event management and auditing platform that supports real-time monitoring and unified querying of multi-source event data. Through event aggregation and correlation, it can quickly locate anomalies and efficiently analyze data.
Under the Event Center feature module, you can monitor system anomalies and service quality degradation through modules such as monitors, intelligent inspections, SLOs, and more. All monitoring activities generate event records, which are then aggregated into the Explorer module for further analysis and processing.
Event Sources
- Alerts triggered by the rules configured in monitors and intelligent monitoring;
- All alert events triggered by configured SLO tasks;
- Audit events generated by system operations;
- Custom events written via OpenAPI.
Event Viewing
- All Events: Aggregates events from all sources;
- Unrecovered Events: Displays events in the current workspace that have not been recovered in the last 48 hours (`df_status != ok`);
- Change Events: Records operational activities in Kubernetes clusters that differ from expected patterns;
- Intelligent Monitoring Events: Includes all events triggered by intelligent monitoring rules.
Event Content
Taking events triggered by monitor rules as an example, the event content is primarily based on the information filled in at Create > Event Notification.
As shown below, the event title is defined as Log Detection - Multi-Index, and the event content includes a DQL query statement and variables. The system generates and displays the final results based on actual monitoring data.
When the rule detects an anomaly, you can view the relevant event content in Event > Event Details.
Event Fields
The final event record will include the following fields:
| Field | Description |
|---|---|
| `date` / `timestamp` | Time of occurrence. Unit: seconds |
| `df_date_range` | Time range. Unit: seconds |
| `df_check_range_start` | Start time of the detection range. Unit: seconds |
| `df_check_range_end` | End time of the detection range. Unit: seconds |
| `df_issue_start_time` | Time of the first failure in this round. Unit: seconds |
| `df_issue_duration` | Duration of this round of failure, in seconds (from `df_issue_start_time` to this event) |
| `df_source` | Event source. Includes `monitor`, `user`, `system`, `custom`, `audit` |
| `df_status` | Event status. Includes `ok`, `info`, `warning`, `error`, `critical`, `nodata`, `nodata_ok`, `nodata_as_ok`, `manual_ok` |
| `df_sub_status` | Event detail status (as a supplement to `df_status`) |
| `df_event_id` | Unique event ID |
| `df_title` | Title |
| `df_message` | Description |
- When `df_source = monitor`, the following additional fields exist:
| Field | Description |
|---|---|
| `df_dimension_tags` | Detection dimension tags, such as `{"host":"web01"}` |
| `df_monitor_id` | Alert strategy ID |
| `df_monitor_name` | Alert strategy name |
| `df_monitor_type` | Type: custom monitoring events are `custom`, SLO events are `slo`, and intelligent inspection events are fixed as `bot_obs` |
| `df_monitor_checker` | Execution function name, such as `custom_metric` |
| `df_monitor_checker_sub` | Detection phase: `nodata` for the data outage detection phase, `check` for the normal detection phase |
| `df_monitor_checker_id` | Monitor ID |
| `df_monitor_checker_name` | Monitor name |
| `df_monitor_checker_value` | Anomaly value at the time of event occurrence |
| `df_monitor_checker_value_dumps` | Anomaly value at the time of event occurrence (JSON serialized), so that users can deserialize it to obtain the original value |
| `df_monitor_checker_value_with_unit` | Anomaly value at the time of event occurrence (optimal unit) |
| `df_monitor_checker_ref` | Monitor association, only fields associated with the DQL statement of the detection configuration |
| `df_monitor_checker_event_ref` | Monitor event association, only fields associated with `df_dimension_tags` and `df_monitor_checker_id` |
| `df_monitor_ref_key` | Self-built inspection association key, used to correspond with self-built inspections |
| `df_fault_id` | ID of this round of failure, taken as the `df_event_id` of the first failure event |
| `df_fault_status` | Status of this round of failure; a redundant field for `df_status` and `df_sub_status` that marks whether the state is OK. Values: `ok` (normal), `fault` (failure) |
| `df_fault_start_time` | Start time of this round of failure |
| `df_fault_duration` | Duration of this round of failure, in seconds (from `df_issue_start_time` to this event) |
| `df_event_detail` | Event detection details |
| `df_event_report` | Intelligent monitoring report data |
| `df_user_id` | Operator user ID when manually recovered |
| `df_user_name` | Operator username when manually recovered |
| `df_user_email` | Operator user email when manually recovered |
| `df_crontab_exec_mode` | Execution mode. Optional values: `crontab`, `manual` |
| `df_site_name` | Current Guance site name |
| `df_workspace_name` | Workspace name |
| `df_workspace_uuid` | Workspace UUID |
| `df_label` | Monitor labels; labels specified in the monitor are stored in this field (UUID) |
| `df_alert_policy_ids` | Alert strategy IDs (list) |
| `df_alert_policy_names` | Alert strategy names (list) |
| `df_matched_alert_policy_rules` | Alert strategy names and all matching rule names (list) |
| `df_channels` | List of incident channels to which the event belongs |
| `df_at_accounts` | @ account information |
| `df_at_accounts_nodata` | @ account information (data outage) |
| `df_message_at_accounts` | Detailed list of @ users in failure alert messages |
| `df_nodata_message_at_accounts` | Detailed list of @ users in data outage alert messages |
| `df_workspace_declaration` | Workspace attribute declarations |
| `df_matched_alert_members` | List of all matching alert notification member information when sending by member is selected |
| `df_matched_alert_upgrade_members` | List of all matching alert upgrade notification member information when sending by member is selected |
| `df_matched_alert_member_groups` | List of all matching member group names when sending by member is selected |
| `df_charts` | Chart information appended when charts are added to the monitor configuration and this alert event needs to send a message |
| `df_alert_info` | Record of alert notification information |
| `df_is_silent` | Whether the event is muted; values are the strings `"true"` / `"false"` |
| `df_sent_target_types` | List of non-repeating alert notification object types to which this event has been sent |
| `df_check_targets` | Record of detection time and detection indicators in the monitor configuration |
| `df_check_condition`, `df_check_condition_expr` | Record of trigger rules in the monitor configuration |
| `df_check_rules` | Record of detection count and detection rules in the monitor configuration |
| `df_check_interval` | Record of detection frequency in the monitor configuration |
| `df_fault_end_time` | Record of fault recovery time |
- When `df_source = audit`, the following additional fields exist:
| Field | Description |
|---|---|
| `df_user_id` | Operator user ID |
| `df_user_name` | Operator username |
| `df_user_email` | Operator user email |
| {Other fields} | Other fields based on specific audit data requirements |
- When `df_source = user`, the following additional fields exist:
| Field | Description |
|---|---|
| `df_user_id` | Creator user ID |
| `df_user_name` | Creator username |
| `df_user_email` | Creator user email |
| {Other fields} | Other fields generated by user operations |
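The fields above are enough to rebuild fault rounds from exported event records and to see which rounds are still open and who closed one by hand. This is an added example, not Guance code: the sample events are constructed, the function names are hypothetical, and it assumes that records arrive as dicts keyed by the field names above, that `df_dimension_tags` is JSON text, and that every event of a round carries the same `df_fault_id`.

```python
import json

WINDOW = 48 * 3600  # the Unrecovered Events view looks back 48 hours

# Constructed sample records: keys come from the field tables, values are invented.
EVENTS = [
    {"date": 1700000000, "df_source": "monitor", "df_event_id": "event-a1",
     "df_fault_id": "event-a1", "df_status": "critical", "df_fault_status": "fault",
     "df_title": "CPU high", "df_dimension_tags": '{"host":"web01"}',
     "df_monitor_checker_value_dumps": "97.5", "df_is_silent": "false"},
    {"date": 1700000600, "df_source": "monitor", "df_event_id": "event-a2",
     "df_fault_id": "event-a1", "df_status": "critical", "df_fault_status": "fault",
     "df_title": "CPU high", "df_dimension_tags": '{"host":"web01"}',
     "df_monitor_checker_value_dumps": "99.1", "df_is_silent": "true"},
    {"date": 1700000100, "df_source": "monitor", "df_event_id": "event-b1",
     "df_fault_id": "event-b1", "df_status": "error", "df_fault_status": "fault",
     "df_title": "Disk full", "df_monitor_checker_value_dumps": "91"},
    {"date": 1700000900, "df_source": "monitor", "df_event_id": "event-b2",
     "df_fault_id": "event-b1", "df_status": "manual_ok", "df_fault_status": "ok",
     "df_title": "Disk full", "df_user_name": "alice", "df_is_silent": "false"},
    {"date": 1700000200, "df_source": "audit", "df_event_id": "event-c1",
     "df_status": "info", "df_title": "Monitor modified", "df_user_name": "bob"},
]

def load(value):
    """Decode a JSON-serialized field; pass through values that are already decoded."""
    return json.loads(value) if isinstance(value, str) else value

def open_fault_rounds(events, now):
    """Return one summary per fault round whose latest monitor event is still 'fault'."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["date"]):
        if ev.get("df_source") != "monitor" or now - ev["date"] > WINDOW:
            continue  # audit/user events carry no fault round; old events fall out of the window
        latest[ev["df_fault_id"]] = ev  # later events of a round overwrite earlier ones
    return [
        {"fault_id": fid,
         "title": ev["df_title"],
         "tags": load(ev.get("df_dimension_tags", "{}")),
         "value": load(ev.get("df_monitor_checker_value_dumps")),
         # df_is_silent is the string "true"/"false"; bool("false") would be True
         "silent": ev.get("df_is_silent") == "true"}
        for fid, ev in latest.items() if ev.get("df_fault_status") == "fault"
    ]

def manual_recoveries(events):
    """Who closed a round by hand: manual_ok events carry the operator's df_user_* fields."""
    return [(ev["df_fault_id"], ev.get("df_user_name"))
            for ev in events if ev.get("df_status") == "manual_ok"]
```

Comparing `df_is_silent` against the string `"true"` matters when triaging: a muted round is still an open fault, it just sent no notification.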

