Composite Detection¶
Current Document Location
This document is the second step in the detection rule configuration process. After configuration, please return to the main document to continue with the third step: Event Notification.
Data Scope: All (based on the results of the combined monitors for logical operations)
Combine the results of multiple monitors into a single monitor through an expression, and ultimately trigger alerts based on the combined result. Suitable for complex scenarios such as multi-condition joint judgment and dependency detection.
Detection Configuration¶
Detection Frequency¶
Composite monitoring does not have a fixed detection frequency. Instead, it makes judgments based on the event status of the selected monitors. Since the detection frequencies of individual monitors may differ, the system selects the largest detection frequency among them to perform judgments at the same interval.
Example: Monitor A detection frequency (5 minutes), Monitor B detection frequency (1 hour). Then the composite monitor A&&B follows B's frequency for judgment (once per hour). After B triggers detection, a logical judgment is made by combining the detection result of monitor B with the latest detection result of monitor A.
Detection Metrics¶
Select Monitors¶
Select at least two monitors as the combination objects. The system will automatically assign identifiers (A, B, C...) for reference in subsequent logical expressions.
| Configuration Item | Description |
|---|---|
| Monitor A/B/C... | Select already created monitors as combination objects. Their by-condition groupings will be displayed on the right. |
| Add Monitor | Click to add more monitors, supporting up to 10. |
Note
If a monitor's BY configuration does not comply with the rules (e.g., grouping dimensions have no intersection), the monitor can be created successfully, but it will not generate alerts.
Combination Method¶
Define whether the composite monitor triggers an event through logical expressions "AND, OR, NOT". When all selected monitors are in an abnormal state, it resolves to true (true); otherwise, it resolves to false (false).
1. Supported Operators
| Operator | Description | Example |
|---|---|---|
&& |
AND | A && B: Both A and B are in an abnormal state. |
\|\| |
OR | A \|\| B: Either A or B is in an abnormal state. |
! |
NOT | !C: C is not in an abnormal state. |
2. Complex Expressions
Supports combined usage, such as A && B || !C.
Detailed Explanation of Logical Operations¶
How to Define "True" (true)¶
Based on the selected monitors, if grouping exists within the monitors, then it resolves to "true" (true) only when all common groups across all monitors are in an abnormal state.
Example: Monitor A is selected (hosts 1, 2, 3, 4 trigger alerts) and Monitor B is selected (hosts 2, 3, 5, 6 trigger alerts). Then the composite monitor (A&&B) will only return "true" (true) for hosts 2 and 3, generating alerts.
Handling Inconsistent Grouping¶
When the monitors in the combination method have inconsistent grouping, the system takes the intersection of the grouping dimensions as the final dimension_tags.
Example: Select Monitor A: by host; Monitor B: by host, device.
In this case, the intersection host is taken as the final dimension. Monitor A can be judged normally. For Monitor B, the most severe level among all devices for that host is taken as the host's state:
| Monitor B Original State | Aggregated State (by host) |
|---|---|
| Host a, device1: error Host a, device2: critical Host a, device3: ok |
Host a: critical (take the most severe) |
| Host b, device4: error Host b, device5: info |
Host b: error (take the most severe) |
No Common Grouping Scenario: If the monitor groupings have no intersection (e.g., A by host, B by pod), no alerts will be generated.
Next Steps¶
After completing the above detection configuration, please continue to configure:
- Event Notification: Define event title, content, notification members, data gap handling, and associated incidents.
- Alert Configuration: Select alert strategies, set notification targets, and mute periods.
- Association: Associate dashboards for quick navigation to view data.
- Permissions: Set operation permissions to control who can edit/delete this monitor.
FAQ¶
Will the original monitors being combined continue to monitor normally?
Yes. The monitors being combined are not affected in any way and continue to operate and alert independently according to their own configurations.
How are task calls calculated for composite monitoring?
One detection counts as 1 task call. The detection frequency is consistent with the largest detection frequency among the combined monitors.