Event Center
The Guance event management and auditing platform supports real-time monitoring and unified querying of multi-source event data. Through event aggregation and correlation, it can quickly locate anomalies and efficiently analyze data.
Under the Event Center feature module, you can monitor system anomalies and service quality degradation through monitors, intelligent inspections, SLOs, and similar functions. All results of these monitoring activities generate event records, which are aggregated into the Explorer module for subsequent in-depth analysis and processing.
Event Sources
- Alarm events triggered when Monitor and Intelligent Monitoring rule conditions are met;
- All alarm events triggered by configured Intelligent Inspections and SLOs;
- Audit Events generated by system operations;
- Custom events written via OpenAPI.
Event Viewing
- All Events: Summarizes events from all sources, including monitors, intelligent inspections, SLOs, audit events, and OpenAPI custom events;
- Unresolved Events: Displays unresolved events within the last 48 hours of the current workspace (df_status != ok);
- Change Events: Records of operational activities in Kubernetes clusters that differ from expected patterns;
- Intelligent Monitoring Events: Includes all events triggered by intelligent monitoring rules.
Event Content
Taking a monitor rule-triggered event as an example, the event content is mainly based on the information filled out at Create Rules > Event Notifications.
As shown in the figure below, the event title is defined as Log Detection - Multi Indices, and the event content includes DQL query statements and variables. The system generates and displays the final results based on actual monitoring data.
After the rule detects an anomaly, you can view related event contents in Events > Event Details.
Event Fields
The final event record will include the following fields:
Field | Description |
---|---|
date / timestamp | Generation time. Unit: seconds |
df_date_range | Time range. Unit: seconds |
df_check_range_start | Start time of the detection range. Unit: seconds |
df_check_range_end | End time of the detection range. Unit: seconds |
df_issue_start_time | Time when the first failure occurred in this round. Unit: seconds |
df_issue_duration | Duration of the failure in this round. Unit: seconds (from df_issue_start_time to this event) |
df_source | Event source. Includes monitor, user, system, custom, audit |
df_status | Event status. Includes ok, info, warning, error, critical, nodata, nodata_ok, nodata_as_ok, manual_ok |
df_sub_status | Detailed event status (as a supplement to df_status) |
df_event_id | Unique event ID |
df_title | Title |
df_message | Description |
- When df_source = monitor, additional fields exist:
Field | Description |
---|---|
df_dimension_tags | Detection dimension tags, e.g., {"host":"web01"} |
df_monitor_id | Alert strategy ID |
df_monitor_name | Alert strategy name |
df_monitor_type | Type: custom monitoring events are custom, SLO events are slo, intelligent inspection events are fixed as bot_obs |
df_monitor_checker | Execution function name, such as custom_metric |
df_monitor_checker_sub | Detection phase: events generated during the data gap detection phase are nodata, events generated during the normal detection phase are check |
df_monitor_checker_id | Monitor ID |
df_monitor_checker_name | Monitor name |
df_monitor_checker_value | Abnormal value when the event occurs |
df_monitor_checker_value_dumps | Abnormal value when the event occurs (JSON serialized). Convenient for users to obtain the original value through deserialization |
df_monitor_checker_value_with_unit | Abnormal value when the event occurs (optimal unit) |
df_monitor_checker_ref | Monitor association, only associated with fields related to the DQL statement in the detection configuration |
df_monitor_checker_event_ref | Monitor event association, only associated with fields related to df_dimension_tags and df_monitor_checker_id |
df_monitor_ref_key | Self-built inspection association key, used for correspondence with self-built inspections |
df_fault_id | Failure ID of this round, which takes the value of the df_event_id of the first failure event |
df_fault_status | Failure status of this round; a redundant field of df_status and df_sub_status, marking whether it is OK. Values: ok (normal), fault (failure) |
df_fault_start_time | Start time of the failure in this round |
df_fault_duration | Duration of the failure in this round. Unit: seconds (from df_issue_start_time to this event) |
df_event_detail | Event detection details |
df_event_report | Intelligent monitoring report data |
df_user_id | User ID of the operator when manually recovered |
df_user_name | Username of the operator when manually recovered |
df_user_email | User email of the operator when manually recovered |
df_crontab_exec_mode | Execution mode. Optional values: crontab, manual |
df_site_name | Current Guance site name |
df_workspace_name | Name of the affiliated workspace |
df_workspace_uuid | UUID of the affiliated workspace |
df_label | Monitor labels; labels specified in the monitor are stored in this field (UUID) |
df_alert_policy_ids | Alert policy IDs (list) |
df_alert_policy_names | Alert policy names (list) |
df_matched_alert_policy_rules | Alert policy names and all matched rule names (list) |
df_channels | List of channels belonging to the abnormal Incident tracking list |
df_at_accounts | @account information |
df_at_accounts_nodata | @account information (data gap) |
df_message_at_accounts | @User detailed information list in fault alert messages |
df_nodata_message_at_accounts | @User detailed information list in data gap alert messages |
df_workspace_declaration | Workspace attribute claims |
df_matched_alert_members | List of all matching alert notification member information when selected to send by members |
df_matched_alert_upgrade_members | List of all matching alert upgrade notification member information when selected to send by members |
df_matched_alert_member_groups | List of all matching member group names when selected to send by members |
df_charts | Chart information appended when charts are added in the monitor configuration and this alert event needs to send a message |
df_alert_info | Record of alert notification information |
df_is_silent | Whether the event is muted; the value is the string "true" / "false" |
df_sent_target_types | List of unique types of alert notification objects sent for this event |
- When df_source = audit, additional fields exist:
Field | Description |
---|---|
df_user_id | Operator user ID |
df_user_name | Operator username |
df_user_email | Operator user email |
{Other fields} | Other fields according to specific audit data requirements |
- When df_source = user, additional fields exist:
Field | Description |
---|---|
df_user_id | Creator user ID |
df_user_name | Creator username |
df_user_email | Creator user email |
{Other fields} | Other fields generated by user actions |
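
The following Python example is added here and is not Guance code. It reads event records using the field names from the tables above, keeps the newest event of each failure round (df_fault_id), reports rounds still in fault within the 48-hour window while skipping muted events, and lists who performed manual recoveries. The sample records, the ev helper, the JSON-string form of df_dimension_tags, and df_fault_status = ok on a manual_ok event are assumptions made for illustration.

```python
import json

WINDOW = 48 * 3600   # Unresolved Events view: last 48 hours (event times are in seconds)
NOW = 1_700_000_000  # constructed reference time

def ev(eid, fault, age, status, fstatus, **extra):  # hypothetical helper for sample data
    return {"df_source": "monitor", "df_event_id": eid, "df_fault_id": fault,
            "date": NOW - age, "df_status": status, "df_fault_status": fstatus,
            "df_is_silent": "false", "df_dimension_tags": '{"host":"web01"}', **extra}

SAMPLE = [  # constructed records, not real Guance output
    ev("event-a1", "event-a1", 7200, "critical", "fault"),
    ev("event-a2", "event-a1", 3600, "critical", "fault"),
    ev("event-b1", "event-b1", 5000, "error", "fault"),
    # assumption: a manual recovery event reports df_fault_status = ok
    ev("event-b2", "event-b1", 1000, "manual_ok", "ok", df_user_email="ops@example.com"),
    ev("event-c1", "event-c1", 1200, "warning", "fault", df_is_silent="true"),
    ev("event-d1", "event-d1", 50 * 3600, "critical", "fault"),
    {"df_source": "audit", "df_event_id": "event-e1", "date": NOW - 60, "df_status": "info"},
]

def latest_per_fault(events):
    """Newest monitor event of each failure round, keyed by df_fault_id."""
    latest = {}
    for e in events:
        if e.get("df_source") != "monitor" or "df_fault_id" not in e:
            continue
        cur = latest.get(e["df_fault_id"])
        if cur is None or e["date"] > cur["date"]:
            latest[e["df_fault_id"]] = e
    return latest

def open_faults(events, now):
    """Rounds still failing inside the window, skipping muted events."""
    rounds = []
    for fault_id, e in latest_per_fault(events).items():
        expired = now - e["date"] > WINDOW
        muted = e.get("df_is_silent") == "true"  # documented as a string, not a boolean
        if expired or muted or e.get("df_fault_status") != "fault":
            continue
        tags = e.get("df_dimension_tags") or {}
        if isinstance(tags, str):  # assumption: the tags may arrive JSON-serialized
            tags = json.loads(tags)
        rounds.append((fault_id, e["df_status"], tags))
    return sorted(rounds, key=lambda r: r[0])

def manual_recoveries(events):
    """(df_fault_id, operator email) for every manually recovered round."""
    return sorted((e["df_fault_id"], e.get("df_user_email")) for e in events
                  if e.get("df_source") == "monitor" and e.get("df_status") == "manual_ok")
```

Reviewing the manual_recoveries output alongside audit events (df_source = audit) shows which operator closed a round by hand, which is useful when an alert stops firing without the underlying condition having cleared.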