Skip to content

Event Center

Guance provides an event management and auditing platform that supports real-time monitoring and unified querying of event data from multiple sources. Through event aggregation and correlation, it enables rapid anomaly localization and efficient data analysis.

Under the Event Center feature module, you can monitor system anomalies and service quality degradation through functional modules like monitors and SLOs. The results of all monitoring activities generate event records, which are then aggregated into the Explorer module for further in-depth analysis and processing.

Event Sources

Event Views

  • All Events: Aggregates events from all sources;

  • Unrecovered Events: Displays events in the current workspace that have not recovered (df_status !=ok) within the last 48 hours;

  • Change Events: Event records for operational activities within a Kubernetes cluster that differ from the expected pattern;

  • Intelligent Monitoring Events: Includes all events triggered by satisfying Intelligent Monitoring rules.

Event Content

Taking events triggered by monitor rules as an example, the event content is primarily based on the information filled in at Create > Event Notification.

As shown in the figure below, the event title is defined as Log Detection - Multiple Indices, and the event content includes a DQL query statement and variables. The system will generate and display the final results based on the actual monitoring data.

Once an anomaly is detected by the rule, you can view the related event content in Event > Event Details.

Event Fields

The final event record will contain the following fields:

Field
 Description
date / timestamp Generation time. Unit: seconds.
df_date_range Time range. Unit: seconds.
df_check_range_start Detection range start time. Unit: seconds.
df_check_range_end Detection range end time. Unit: seconds.
df_issue_start_time The time when the first fault in this round occurred. Unit: seconds.
df_issue_duration The duration of the fault in this round, in seconds (from df_issue_start_time to this event).
df_source Event source. Includes monitor, user, system, custom, audit.
df_status Event status. Includes ok, info, warning, error, critical, nodata, nodata_ok, nodata_as_ok, manual_ok.
df_sub_status Event detail status (as a supplement to df_status).
df_event_id Event unique ID.
df_title Title.
df_message Description.
  • When df_source = monitor, the following additional fields exist:
Field
 Description
df_dimension_tags Detection dimension tags, e.g., {"host":"web01"}.
df_monitor_id Alert strategy ID.
df_monitor_name Alert strategy name.
df_monitor_type Belonging type: custom for custom monitoring events, slo for SLO events, fixed as bot_obs for Intelligent Inspection events.
df_monitor_checker Execution function name, e.g., custom_metric, etc.
df_monitor_checker_sub Detection phase: nodata for those generated during the data gap detection phase, check for those generated during the normal detection phase.
df_monitor_checker_id Monitor ID.
df_monitor_checker_name Monitor name.
df_monitor_checker_value The abnormal value when the event was generated.
df_monitor_checker_value_dumps The abnormal value when the event was generated (JSON serialized).
Facilitates obtaining the original value through deserialization for users.
df_monitor_checker_value_with_unit The abnormal value when the event was generated (optimal unit).
df_monitor_checker_ref Monitor association, only fields associated with the DQL statement of the detection configuration.
df_monitor_checker_event_ref Monitor event association, only fields associated with df_dimension_tags and df_monitor_checker_id.
df_monitor_ref_key Association Key for self-built inspections, used to correspond with self-built inspections.
df_fault_id This round's fault ID, takes the value of the df_event_id of the first fault event.
df_fault_status This round's fault status, a redundant field for df_status, df_sub_status, marking whether it is OK, values as follows:
ok: normal
fault: fault.
df_fault_start_time The start time of this round's fault.
df_fault_duration The duration of this round's fault, in seconds (from df_issue_start_time to this event).
df_event_detail Event detection details.
df_event_report Intelligent monitoring report data.
df_user_id Operator user ID when manually recovered.
df_user_name Operator username when manually recovered.
df_user_email Operator user email when manually recovered.
df_crontab_exec_mode Execution mode, optional values.
  • Automatically triggered (i.e., scheduled execution) crontab
  • Asynchronously called (i.e., manual execution) manual.
    		•
    df_site_name Current Guance site name.
    df_workspace_name Belonging workspace name.
    df_workspace_uuid Belonging workspace UUID.
    df_label Monitor labels, labels specified in the monitor are stored in this field.
    df_alert_policy_ids Alert strategy IDs (list).
    df_alert_policy_names Alert strategy names (list).
    df_matched_alert_policy_rules Alert strategy names and all matched rule names (list).
    df_channels List of Incident channels the event belongs to.
    df_at_accounts @ account information.
    df_at_accounts_nodata @ account information (data gap).
    df_message_at_accounts Detailed list of @ users in the fault alert message.
    df_nodata_message_at_accounts Detailed list of @ users in the data gap alert message.
    df_workspace_declaration Attribute claims of the workspace.
    df_matched_alert_members List of all matched alert notification member information when sending by member is selected.
    df_matched_alert_upgrade_members List of all matched alert upgrade notification member information when sending by member is selected.
    df_matched_alert_member_groups Names of all matched member groups when sending by member is selected.
    df_charts Chart information appended when charts are added to the monitor configuration and this alert event requires message sending.
    df_alert_info Records alert notification information.
    df_is_silent Whether the event is muted, takes the string value "true" / "false".
    df_sent_target_types List of non-duplicate alert notification target types to which this event has been sent.
    df_check_targets Records the detection time and detection metrics in the monitor configuration.
    df_check_condition, df_check_condition_expr Records the trigger rules in the monitor configuration.
    df_check_rules Records the detection count and detection rules in the monitor configuration.
    df_check_targets Records the detection time and detection metrics in the monitor configuration.
    df_check_condition Records the trigger rules in the monitor configuration.
    df_check_interval Records the detection frequency in the monitor configuration.
    df_fault_end_time Records the fault recovery time.
    • When df_source = audit, the following additional fields exist:
    Field Description
    df_user_id Operator user ID.
    df_user_name Operator username.
    df_user_email Operator user email.
    {Other fields} Other fields based on specific audit data requirements.
    • When df_source = user, the following additional fields exist:
    Field Description
    df_user_id Creator user ID.
    df_user_name Creator username.
    df_user_email Creator user email.
    {Other fields} Other fields generated by user operations.

    Further Reading

    Feedback

    Is this page helpful? ×