Events¶
Guance provides a comprehensive event management and auditing platform that supports real-time monitoring and unified querying of multi-source event data. Through event aggregation and correlation, it can quickly locate anomalies and efficiently analyze data.
Under the Events feature module, you can monitor system abnormalities and service quality degradation issues through features such as monitors, intelligent inspections, and SLOs. All monitoring activities will generate event records, which are aggregated into the event analysis module for in-depth analysis and processing. This one-stop approach ensures that you have full visibility into the health of your system and can respond promptly to any potential issues.
Event Sources¶
- Alert events triggered by meeting Monitor and Intelligent Monitoring configuration rules;
- All alert events triggered based on configured Intelligent Inspections and SLO;
- Audit Events generated by system operations;
- Custom events written via OpenAPI.
Viewing Event Records¶
- Explorer > Unresolved Events Explorer: Displays unresolved events within the last 48 hours for the current workspace (
df_status !=ok); - Explorer > All Events Explorer: Aggregates all events from various sources, including monitors, intelligent inspections, SLOs, audit events, and OpenAPI custom events;
- Intelligent Monitoring: Includes all events triggered by intelligent monitoring rules.
Event Content¶
Taking events triggered by monitor rules as an example, the event content is primarily based on the information filled in at Create Rules > Event Notifications.
As shown in the figure below, the event title is defined as Log Detection - Multi Index, and the event content includes DQL query statements and variables. The system generates and displays the final results based on actual monitoring data.
After the rule detects an anomaly, you can view related event content in Events > Event Details.
Event Field Description¶
The final event record will include the following fields:
Field |
Description |
|---|---|
date / timestamp |
Generation time. Unit in seconds |
df_date_range |
Time range. Unit in seconds |
df_check_range_start |
Start time of the check range. Unit in seconds |
df_check_range_end |
End time of the check range. Unit in seconds |
df_issue_start_time |
Time of the first failure occurrence in this round. Unit in seconds |
df_issue_duration |
Duration of the failure in this round, unit in seconds (from df_issue_start_time to this event) |
df_source |
Event source. Includes monitor, user, system, custom, audit |
df_status |
Event status. Includes ok, info, warning, error, critical, nodata, nodata_ok, nodata_as_ok, manual_ok |
df_sub_status |
Detailed event status (as a supplement to df_status) |
df_event_id |
Unique event ID |
df_title |
Title |
df_message |
Description |
- When
df_source = monitor, the following additional fields exist:
Field |
Description |
|---|---|
df_dimension_tags |
Detection dimension tags, such as {"host":"web01"} |
df_monitor_id |
Alert strategy ID |
df_monitor_name |
Alert strategy name |
df_monitor_type |
Type: Custom monitoring events are custom, SLO events are slo, intelligent inspection events are fixed as bot_obs |
df_monitor_checker |
Execution function name, such as: custom_metric etc. |
df_monitor_checker_sub |
Detection phase: Generated during the data gap detection phase is nodata, generated during the normal detection phase is check |
df_monitor_checker_id |
Monitor ID |
df_monitor_checker_name |
Monitor name |
df_monitor_checker_value |
Abnormal value when the event occurs |
df_monitor_checker_value_dumps |
Abnormal value when the event occurs (JSON serialized) Convenient for obtaining the original value via deserialization |
df_monitor_checker_value_with_unit |
Abnormal value when the event occurs (optimal unit) |
df_monitor_checker_ref |
Monitor association, only associated with fields linked to the DQL statement in the detection configuration |
df_monitor_checker_event_ref |
Monitor event association, only associated with fields linked to df_dimension_tags and df_monitor_checker_id |
df_monitor_ref_key |
Self-built inspection association key, used for correspondence with self-built inspections |
df_fault_id |
Failure ID in this round, takes the value of the first failure event's df_event_id |
df_fault_status |
Failure status in this round, redundant field of df_status and df_sub_status, marking whether it is OK, with the following values:ok: Normal fault: Failure |
df_fault_start_time |
Start time of the failure in this round. |
df_fault_duration |
Duration of the failure in this round, unit in seconds (from df_issue_start_time to this event) |
df_event_detail |
Event detection details |
df_event_report |
Intelligent monitoring report data |
df_user_id |
Operator user ID when manually restored |
df_user_name |
Operator username when manually restored |
df_user_email |
Operator user email when manually restored |
df_crontab_exec_mode |
Execution mode, optional values.crontab manual |
df_site_name |
Current Guance site name |
df_workspace_name |
Belonging workspace name |
df_workspace_uuid |
Belonging workspace UUID |
df_label |
Monitor labels, labels specified in the monitor are stored in this field UUID |
df_alert_policy_ids |
Alert policy IDs (list) |
df_alert_policy_names |
Alert policy names (list) |
df_matched_alert_policy_rules |
Alert policy names and all matched rule names (list) |
df_channels |
List of channels for incident tracking associated with the event |
df_at_accounts |
@Account information |
df_at_accounts_nodata |
@Account information (data gap) |
df_message_at_accounts |
@User detailed information list in the fault alert message |
df_nodata_message_at_accounts |
@User detailed information list in the data gap alert message |
df_workspace_declaration |
Workspace attribute claims |
df_matched_alert_members |
List of all matching alert notification member information when selected to send by members |
df_matched_alert_upgrade_members |
List of all matching alert upgrade notification member information when selected to send by members |
df_matched_alert_member_groups |
All matching member group names when selected to send by members |
df_charts |
Chart information appended when charts are added in the monitor configuration and this alert event needs to send messages |
df_alert_info |
Recorded alert notification information |
df_is_silent |
Whether the event is muted, value is string "true" / "false" |
df_sent_target_types |
List of non-redundant alert notification object types sent for this event |
- When
df_source = audit, the following additional fields exist:
| Field | Description |
|---|---|
df_user_id |
Operator user ID |
df_user_name |
Operator username |
df_user_email |
Operator user email |
| {Other Fields} | Other fields based on specific audit data requirements |
- When
df_source = user, the following additional fields exist:
| Field | Description |
|---|---|
df_user_id |
Creator user ID |
df_user_name |
Creator username |
df_user_email |
Creator user email |
| {Other Fields} | Other fields generated based on user operations |