Events Center
The event management and audit platform provided by Guance supports real-time monitoring and unified querying of event data from multiple sources. Through event aggregation and correlation, it enables quick identification of anomalies and efficient data analysis.
Under the Events Center functional module, you can use Monitors, Intelligent Monitoring, and SLO to detect system anomalies and service quality degradation. All monitoring activities generate event records, which are collected into the Explorer module for further analysis and processing.
Event Sources
- Alert events triggered by meeting the configuration rules of Monitors and Intelligent Monitoring;
- All alert events triggered by configured Intelligent Inspection and SLO;
- Audit events generated by system operations;
- Custom events written via OpenAPI.
Viewing Events
- All Events: Aggregates events from all sources;
- Unrecovered Events: Displays events within the current workspace that have not been resolved in the last 48 hours (`df_status != ok`);
- Change Events: Records operational activity events in Kubernetes clusters that deviate from expected patterns;
- Intelligent Monitoring Events: Includes all events triggered by satisfying intelligent monitoring rules.
Event Content
Taking an event triggered by a monitor rule as an example, the event content is primarily based on the information filled out in Create Rule > Event Notification.
As shown in the figure below, the event title is defined as `Log Detection - Multi-Index`, and the event content contains the DQL query statement and variables. The system generates and displays the final results based on the actual monitored data.
After the rule detects an anomaly, the related event content can be viewed in Events > Event Details.
Event Fields
The final event record includes the following fields:
Field | Description |
---|---|
`date` / `timestamp` | Occurrence time. Unit: seconds |
`df_date_range` | Time range. Unit: seconds |
`df_check_range_start` | Start time of the check range. Unit: seconds |
`df_check_range_end` | End time of the check range. Unit: seconds |
`df_issue_start_time` | Time when the first failure occurred in this round. Unit: seconds |
`df_issue_duration` | Duration of the failure in this round, unit: seconds (from `df_issue_start_time` to the current event) |
`df_source` | Event source. Includes `monitor`, `user`, `system`, `custom`, `audit` |
`df_status` | Event status. Includes `ok`, `info`, `warning`, `error`, `critical`, `nodata`, `nodata_ok`, `nodata_as_ok`, `manual_ok` |
`df_sub_status` | Event detail status (as a supplement to `df_status`) |
`df_event_id` | Unique event ID |
`df_title` | Title |
`df_message` | Description |
- When `df_source = monitor`, the following additional fields exist:
Field | Description |
---|---|
`df_dimension_tags` | Detection dimension tags, e.g., `{"host":"web01"}` |
`df_monitor_id` | Alert policy ID |
`df_monitor_name` | Alert policy name |
`df_monitor_type` | Associated type: `custom` for custom monitoring events, `slo` for SLO events, fixed as `bot_obs` for intelligent inspection events |
`df_monitor_checker` | Execution function name, e.g., `custom_metric` |
`df_monitor_checker_sub` | Detection phase: `nodata` for the no-data detection phase, `check` for the normal detection phase |
`df_monitor_checker_id` | Monitor ID |
`df_monitor_checker_name` | Monitor name |
`df_monitor_checker_value` | Abnormal value at event generation |
`df_monitor_checker_value_dumps` | Abnormal value at event generation (JSON serialized), so that the original value can be obtained by deserializing it |
`df_monitor_checker_value_with_unit` | Abnormal value at event generation (optimal unit) |
`df_monitor_checker_ref` | Monitor association, only related to fields associated with the DQL statement configured in detection |
`df_monitor_checker_event_ref` | Monitor event association, only related to `df_dimension_tags` and `df_monitor_checker_id` |
`df_monitor_ref_key` | Self-built inspection association key, used to correspond with self-built inspections |
`df_fault_id` | Fault ID for this round, taken as the `df_event_id` of the first fault event |
`df_fault_status` | Fault status for this round, a redundant field of `df_status` and `df_sub_status` indicating whether it is OK. Possible values: `ok` (normal), `fault` (fault) |
`df_fault_start_time` | Start time of the fault in this round |
`df_fault_duration` | Duration of the fault in this round, unit: seconds (from `df_issue_start_time` to the current event) |
`df_event_detail` | Event detection details |
`df_event_report` | Intelligent monitoring report data |
`df_user_id` | User ID of the operator during manual recovery |
`df_user_name` | Username of the operator during manual recovery |
`df_user_email` | Email address of the operator during manual recovery |
`df_crontab_exec_mode` | Execution mode. Possible values: `crontab`, `manual` |
`df_site_name` | Current Guance site name |
`df_workspace_name` | Associated workspace name |
`df_workspace_uuid` | UUID of the associated workspace |
`df_label` | Monitor label; labels specified in the monitor are stored in this field |
`df_alert_policy_ids` | Alert policy IDs (list) |
`df_alert_policy_names` | Alert policy names (list) |
`df_matched_alert_policy_rules` | Alert policy names and all matched rule names (list) |
`df_channels` | List of incident channels associated with the event |
`df_at_accounts` | @account information |
`df_at_accounts_nodata` | @account information (no data) |
`df_message_at_accounts` | Detailed list of @user information in the fault alert message |
`df_nodata_message_at_accounts` | Detailed list of @user information in the no-data alert message |
`df_workspace_declaration` | Attribute declaration of the workspace |
`df_matched_alert_members` | When sending alerts by member is selected, list of all matched alert notification members |
`df_matched_alert_upgrade_members` | When sending alerts by member is selected, list of all matched alert escalation notification members |
`df_matched_alert_member_groups` | When sending alerts by member is selected, list of all matched member group names |
`df_charts` | Chart information appended when charts are added to the monitor configuration and this alert event requires message sending |
`df_alert_info` | Record of alert notification information |
`df_is_silent` | Whether the event is muted; values are the strings `"true"` / `"false"` |
`df_sent_target_types` | List of non-repeating alert notification target types already sent for this event |
`df_check_targets` | Records detection time and metrics in the monitor configuration |
`df_check_condition`, `df_check_condition_expr` | Records trigger rules in the monitor configuration |
`df_check_rules` | Records detection count and rules in the monitor configuration |
- When `df_source = audit`, the following additional fields exist:
Field | Description |
---|---|
`df_user_id` | Operator user ID |
`df_user_name` | Operator username |
`df_user_email` | Operator email address |
{other fields} | Other fields according to specific audit data requirements |
- When `df_source = user`, the following additional fields exist:
Field | Description |
---|---|
`df_user_id` | Creator user ID |
`df_user_name` | Creator username |
`df_user_email` | Creator email address |
{other fields} | Other fields generated based on user operations |
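
As an added example (not Guance's own code), the Python below triages exported event records using the fields listed above: it keeps the latest monitor event of each fault round (`df_fault_id`) within the 48-hour window, reports rounds still in `fault`, and lists manual recoveries with their operator for audit review. It assumes the events are already loaded as dictionaries and that `df_dimension_tags` is stored as a JSON string; all sample records, IDs and addresses are constructed.

```python
import json

WINDOW = 48 * 3600  # seconds; the page gives event times in seconds

# Constructed sample export: field names come from the page's tables, values are invented.
EVENTS = [
    {"df_event_id": "e1", "df_fault_id": "e1", "df_source": "monitor", "date": 1700000000,
     "df_status": "critical", "df_fault_status": "fault", "df_is_silent": "false",
     "df_dimension_tags": '{"host":"web01"}', "df_monitor_checker_value_dumps": "97.5"},
    {"df_event_id": "e2", "df_fault_id": "e2", "df_source": "monitor", "date": 1700000600,
     "df_status": "error", "df_fault_status": "fault", "df_is_silent": "true",
     "df_dimension_tags": '{"host":"db01"}', "df_monitor_checker_value_dumps": "12"},
    {"df_event_id": "e3", "df_fault_id": "e2", "df_source": "monitor", "date": 1700003600,
     "df_status": "manual_ok", "df_fault_status": "ok", "df_is_silent": "false",
     "df_dimension_tags": '{"host":"db01"}', "df_monitor_checker_value_dumps": "12",
     "df_user_email": "operator@example.com"},
    {"df_event_id": "e4", "df_source": "audit", "date": 1700004000, "df_status": "info"},
]

def is_silent(event):
    # df_is_silent holds the string "true"/"false"; bool("false") would be True.
    return event.get("df_is_silent") == "true"

def open_faults(events, now):
    """Fault rounds whose latest monitor event in the 48 h window is still a fault."""
    latest = {}
    for ev in events:
        if ev.get("df_source") != "monitor" or not 0 <= now - ev["date"] <= WINDOW:
            continue
        prev = latest.get(ev["df_fault_id"])
        if prev is None or ev["date"] > prev["date"]:
            latest[ev["df_fault_id"]] = ev
    return [{"fault_id": fid, "status": ev["df_status"], "silent": is_silent(ev),
             "tags": json.loads(ev["df_dimension_tags"]),
             "value": json.loads(ev["df_monitor_checker_value_dumps"])}
            for fid, ev in sorted(latest.items()) if ev["df_fault_status"] == "fault"]

def manual_recoveries(events):
    """(fault id, operator email) for rounds closed by hand, for audit review."""
    return [(ev["df_fault_id"], ev.get("df_user_email"))
            for ev in events if ev.get("df_status") == "manual_ok"]

if __name__ == "__main__":
    print(open_faults(EVENTS, now=1700010000))
    print(manual_recoveries(EVENTS))
```

Comparing `df_is_silent` against the string `"true"` matters because any non-empty string, including `"false"`, is truthy in Python.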