Event Center
The event management and auditing platform provided by Guance supports real-time monitoring and unified querying of multi-source event data. Through event aggregation and correlation, it can quickly locate anomalies and efficiently analyze data.
Under the Event Center Features module, you can monitor system anomalies and service quality degradation through functions such as monitors, Intelligent Inspection, and SLOs. All results of monitoring activities generate event records, which are aggregated into the Explorer module for subsequent in-depth analysis and processing.
Event Sources
- Alert events triggered when Monitor and Intelligent Monitoring configuration rules are met;
- All alert events triggered by configured Intelligent Inspections and SLOs;
- Audit Events generated by system operations;
- Custom events written via OpenAPI.
Event Viewing
- All Events: Summarizes events from all sources;
- Unresolved Events: Displays events that have not been resolved within the last 48 hours in the current workspace (`df_status != ok`);
- Change Events: Records of operational activities in Kubernetes clusters that differ from expected patterns;
- Intelligent Monitoring Events: Includes all events triggered by intelligent monitoring rules.
Event Content
Taking an event triggered by a monitor rule as an example, the main content of the event is based on the information entered at Create > Event Notifications.
As shown in the figure below, the event title is defined as `Log Detection - Multi Indices`, and the event content includes DQL query statements and variables. The system generates and displays the final result based on actual monitoring data.
After the rule detects an anomaly, you can view related event content in Events > Event Details.
Event Fields
The final event record will include the following fields:
| Field | Description |
|---|---|
| date / timestamp | Generation time. Unit: seconds |
| df_date_range | Time range. Unit: seconds |
| df_check_range_start | Start time of the detection range. Unit: seconds |
| df_check_range_end | End time of the detection range. Unit: seconds |
| df_issue_start_time | Time of the first failure occurrence in this round. Unit: seconds |
| df_issue_duration | Duration of the failure in this round. Unit: seconds (from df_issue_start_time to this event) |
| df_source | Event source. Includes `monitor`, `user`, `system`, `custom`, `audit` |
| df_status | Event status. Includes `ok`, `info`, `warning`, `error`, `critical`, `nodata`, `nodata_ok`, `nodata_as_ok`, `manual_ok` |
| df_sub_status | Event detail status (as a supplement to df_status) |
| df_event_id | Unique event ID |
| df_title | Title |
| df_message | Description |
- When `df_source = monitor`, additional fields exist:

| Field | Description |
|---|---|
| df_dimension_tags | Detection dimension tags, e.g., `{"host":"web01"}` |
| df_monitor_id | Alert strategy ID |
| df_monitor_name | Alert strategy name |
| df_monitor_type | Type: custom monitoring events are `custom`, SLO events are `slo`, Intelligent Inspection events are fixed as `bot_obs` |
| df_monitor_checker | Execution function name, e.g., `custom_metric` |
| df_monitor_checker_sub | Detection phase: `nodata` if generated during the data interruption detection phase; `check` if generated during the normal detection phase |
| df_monitor_checker_id | Monitor ID |
| df_monitor_checker_name | Monitor name |
| df_monitor_checker_value | Abnormal value at the time of event generation |
| df_monitor_checker_value_dumps | Abnormal value at the time of event generation (JSON serialized), convenient for obtaining the original value via deserialization |
| df_monitor_checker_value_with_unit | Abnormal value at the time of event generation (optimal unit) |
| df_monitor_checker_ref | Monitor association, only associated with fields linked to the DQL statement in the detection configuration |
| df_monitor_checker_event_ref | Monitor event association, only associated with fields linked to df_dimension_tags and df_monitor_checker_id |
| df_monitor_ref_key | Self-built inspection association key, used to correspond with self-built inspections |
| df_fault_id | Failure ID for this round, taken from the df_event_id of the first failure event |
| df_fault_status | Failure status for this round, a redundant field for df_status and df_sub_status that marks whether it is OK. Values: `ok` (normal), `fault` (fault) |
| df_fault_start_time | Start time of the failure for this round |
| df_fault_duration | Duration of the failure for this round. Unit: seconds (from df_issue_start_time to this event) |
| df_event_detail | Event detection details |
| df_event_report | Intelligent monitoring report data |
| df_user_id | Operator user ID when manually recovered |
| df_user_name | Operator username when manually recovered |
| df_user_email | Operator user email when manually recovered |
| df_crontab_exec_mode | Execution mode. Optional values: `crontab`, `manual` |
| df_site_name | Current Guance site name |
| df_workspace_name | Name of the workspace the event belongs to |
| df_workspace_uuid | UUID of the workspace the event belongs to |
| df_label | Monitor label, labels specified in the monitor are stored in this field UUID |
| df_alert_policy_ids | Alert policy IDs (list) |
| df_alert_policy_names | Alert policy names (list) |
| df_matched_alert_policy_rules | Alert policy names and all matching rule names (list) |
| df_channels | List of channels for the Incident associated with the event |
| df_at_accounts | @Account information |
| df_at_accounts_nodata | @Account information (data interruption) |
| df_message_at_accounts | Detailed information list of @users in fault alert messages |
| df_nodata_message_at_accounts | Detailed information list of @users in data interruption alert messages |
| df_workspace_declaration | Attribute Claims of the workspace |
| df_matched_alert_members | List of all matching alert notification member information when sending by members |
| df_matched_alert_upgrade_members | List of all matching alert upgrade notification member information when sending by members |
| df_matched_alert_member_groups | List of all matching member group names when sending by members |
| df_charts | Chart information appended when charts are added in the monitor configuration and this alert event requires sending a message |
| df_alert_info | Recorded alert notification information |
| df_is_silent | Whether the event is muted, with values as strings `"true"` / `"false"` |
| df_sent_target_types | List of unique alert notification object types sent for this event |
- When `df_source = audit`, additional fields exist:

| Field | Description |
|---|---|
| df_user_id | Operator user ID |
| df_user_name | Operator username |
| df_user_email | Operator user email |
| {Other Fields} | Other fields based on specific audit data needs |
- When `df_source = user`, additional fields exist:

| Field | Description |
|---|---|
| df_user_id | Creator user ID |
| df_user_name | Creator username |
| df_user_email | Creator user email |
| {Other Fields} | Other fields generated based on user actions |
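
The following is an added example, not part of the original page and not Guance's own code. It groups monitor events into fault rounds by df_fault_id, treating df_is_silent as a string and deserializing df_monitor_checker_value_dumps. It assumes events were exported as a list of dicts keyed by the field names above and that a recovery event carries the df_fault_id of the round it closes; the sample records and the names `summarize_faults` and `needs_review` are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records, not real Guance output. Times are in seconds.
EVENTS = [
    {"df_event_id": "event-0001", "df_source": "monitor", "df_status": "critical",
     "df_fault_id": "event-0001", "df_fault_status": "fault", "date": 1700000000,
     "df_is_silent": "false", "df_monitor_checker_value_dumps": "97.5"},
    {"df_event_id": "event-0002", "df_source": "monitor", "df_status": "critical",
     "df_fault_id": "event-0001", "df_fault_status": "fault", "date": 1700000300,
     "df_is_silent": "true", "df_monitor_checker_value_dumps": "99.1"},
    {"df_event_id": "event-0003", "df_source": "monitor", "df_status": "manual_ok",
     "df_fault_id": "event-0001", "df_fault_status": "ok", "date": 1700000600,
     "df_is_silent": "false", "df_user_email": "ops@example.com"},
    {"df_event_id": "event-0004", "df_source": "monitor", "df_status": "error",
     "df_fault_id": "event-0004", "df_fault_status": "fault", "date": 1700000700,
     "df_is_silent": "false", "df_monitor_checker_value_dumps": "{\"p99\": 2.4}"},
    {"df_event_id": "event-0005", "df_source": "audit", "df_status": "info",
     "date": 1700000650, "df_user_email": "ops@example.com"},
]

def summarize_faults(events):
    """Group monitor events into fault rounds keyed by df_fault_id."""
    rounds = defaultdict(lambda: {"open": True, "events": 0, "silenced": 0,
                                  "values": [], "recovered_by": None})
    for ev in sorted(events, key=lambda e: e["date"]):
        # df_fault_id is listed only among the df_source = monitor fields.
        if ev.get("df_source") != "monitor" or "df_fault_id" not in ev:
            continue
        r = rounds[ev["df_fault_id"]]
        r["events"] += 1
        # df_is_silent is the string "true"/"false"; bool("false") is True.
        if ev.get("df_is_silent") == "true":
            r["silenced"] += 1
        raw = ev.get("df_monitor_checker_value_dumps")
        if raw is not None:
            r["values"].append(json.loads(raw))  # recover the original value
        # Assumption: the recovery event reports df_fault_status "ok".
        if ev.get("df_fault_status") == "ok":
            r["open"] = False
            if ev.get("df_status") == "manual_ok":
                r["recovered_by"] = ev.get("df_user_email")
    return dict(rounds)

def needs_review(rounds):
    """Rounds still open, or closed by hand after some alerts were muted."""
    return sorted(fid for fid, r in rounds.items()
                  if r["open"] or (r["recovered_by"] and r["silenced"]))
```
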