Composite Detection
In addition to setting different detection rules based on different data scopes, you can also combine the results of multiple monitors through expressions into a single monitor, ultimately triggering alerts based on the combined result.
Detection Frequency
Composite monitoring does not have a fixed detection frequency. Instead, it evaluates the event status of the selected monitors. Because the individual monitors may run at different detection frequencies, the largest one (the longest interval) is used for the synchronized judgment.
For example: Monitor A has a detection frequency of 5 minutes and Monitor B has a detection frequency of 1 hour. The composite monitor A&&B then follows B and is judged once per hour. After B triggers a detection, the logical judgment combines the detection result of Monitor B with the latest detection result of Monitor A.
Detection Configuration
- Please select at least two monitors; their by-condition groupings will be displayed on the right. A maximum of 10 monitors can be added.
- Combination Method: Define whether the composite monitor triggers an event by following the logical expression rules of AND, OR, NOT. When all selected monitors trigger an abnormal state, it is parsed as True; otherwise, it is parsed as False.
Logical Operations
When a selected monitor is in an abnormal state, it is parsed as True, specifically as follows:
| Event Status | Parsed Result | Severity Level |
|---|---|---|
| critical | True | 4 |
| error | True | 3 |
| warning | True | 2 |
| nodata | True | 1 |
| ok | False | 0 |
| info | False | 0 |

Not triggering an event is considered normal and is also parsed as False.
Operator Details
| Logical Operation | Explanation |
|---|---|
| && AND | A&&B: If the operation result is true, it returns the less severe state level between A and B. For example: A=critical, B=warning, then returns warning. |
| \|\| OR | A\|\|B: If the operation result is true, it returns the more severe state level between A and B. For example: A=critical, B=warning, then returns critical. |
| ! NOT | The NOT of an "abnormal state" corresponds to ok; the NOT of a "normal state" corresponds to critical. For example: If A=error, then !A=ok; if A=ok, then !A=critical. |
How to define [True]?
Based on the selected monitors, if groupings exist within the monitors, it will only be parsed as "True" when the common groupings of all monitors are all in an abnormal state.
For example: When Monitor A (hosts 1, 2, 3, 4 generate alerts) and Monitor B (hosts 2, 3, 5, 6 generate alerts) are selected, then the composite monitor (A&&B) will only return "True" for hosts 2 and 3, generating alerts.
Note
When the groupings in the combination method are inconsistent across monitors, no alerts will be generated for cases without common groupings.
| Grouping Situation | Consistent? | Example |
|---|---|---|
| Monitor A has no grouping, Monitor B has grouping | No (no alert will be generated) | B: by host |
| Partial consistency between groupings of Monitor A and B | No (no alert will be generated) | A: by host, service, B: by host, device |
| Completely inconsistent groupings between Monitor A and B | No (no alert will be generated) | A: by host, B: by service |
| Groupings of Monitor A and B have an inclusion relationship | Yes (normal detection and alerting can occur) | A: by host, B: by host, device (dimension_tags=host) |
| Groupings of Monitor A are included in Monitor B, groupings of Monitor B are included in Monitor C | Yes (normal detection and alerting can occur) | A: by host, B: by host, device, C: by host, device, os (dimension_tags=host) |
Example:
Select Monitor A: by host; Monitor B: by host, device. The intersection host is taken as the final dimension_tags. Monitor A is judged normally. For Monitor B, the most severe state among all devices of the host is taken as its status, for example:
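The status parsing, operator severity and grouping rules above, worked through as an added Python example; it is not the product's own code. The function names, the event layout and the sample hosts and devices are assumptions constructed for illustration.

```python
# Added illustration of the page's rules; not the product's own code.
# Severity levels from the "Logical Operations" table; level > 0 parses as True.
SEVERITY = {"critical": 4, "error": 3, "warning": 2, "nodata": 1, "ok": 0, "info": 0}
STATUS = {4: "critical", 3: "error", 2: "warning", 1: "nodata", 0: "ok"}

def AND(a, b): return min(a, b)             # true -> less severe level
def OR(a, b): return max(a, b)              # true -> more severe level
def NOT(a): return 0 if a > 0 else 4        # abnormal -> ok, normal -> critical

def dimension_tags(groupings):
    """Shared dimensions, or None when the groupings cannot produce alerts."""
    sets = sorted((set(g) for g in groupings), key=len)
    if any(not small <= big for small, big in zip(sets, sets[1:])):
        return None                         # partially or completely inconsistent
    if not sets[0] and sets[-1]:
        return None                         # one ungrouped, another grouped
    return sorted(sets[0])

def rollup(events, dims):
    """Collapse events onto dims, keeping the most severe level per group."""
    out = {}
    for tags, status in events:
        key = tuple(tags[d] for d in dims)
        out[key] = max(out.get(key, 0), SEVERITY[status])
    return out

def composite(monitors, combine):
    """monitors: {name: (by, events)}; combine: maps {name: level} to a level."""
    dims = dimension_tags([by for by, _ in monitors.values()])
    if dims is None:
        return {}
    rolled = {name: rollup(ev, dims) for name, (_, ev) in monitors.items()}
    result = {}
    for key in set().union(*rolled.values()):
        # A group with no event is normal, so it parses as False (level 0).
        level = combine({name: r.get(key, 0) for name, r in rolled.items()})
        if level > 0:
            result[key] = STATUS[level]
    return result

# Constructed sample events: A is "by host", B is "by host, device".
A = (["host"], [({"host": "h1"}, "critical"), ({"host": "h2"}, "critical"),
                ({"host": "h3"}, "warning")])
B = (["host", "device"], [({"host": "h2", "device": "sda"}, "warning"),
                          ({"host": "h2", "device": "sdb"}, "error"),
                          ({"host": "h5", "device": "sda"}, "critical")])
MONITORS = {"A": A, "B": B}
```

With this sample, A&&B alerts only for h2, because B's two devices on h2 roll up to error and the AND returns the less severe of critical and error.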
Other Configuration
For more details, please refer to Rule Configuration.
FAQ
If the BY configuration does not comply with the rules, can the monitor be configured successfully?
It can be created successfully even if it does not comply with the specifications, but it will not generate alerts.
If a composite monitor is configured, will the original monitors monitor normally?
They will alert normally; the monitors being combined are not affected in any way.
How are task calls calculated for composite monitoring?
It is also counted as 1 task call per detection. The detection frequency is consistent with the largest detection frequency among the combined monitors.

