Combined Detection¶
In addition to setting different detection rules based on different data ranges, you can also combine the results of multiple monitors through an expression into one monitor, and ultimately trigger alerts based on the combined results.
Detection Frequency¶
The combined monitoring does not have a fixed detection frequency, but rather makes judgments based on the event states of the selected monitors. Since the detection frequencies of each monitor may not be the same, the highest detection frequency is selected for judgment.
For example: Monitor A has a detection frequency (5 minutes), Monitor B has a detection frequency (1 hour). Therefore, for the combined monitor A&&B, it follows B for judgment (once every hour). After B triggers a detection, it combines the latest detection result from Monitor B with the most recent detection result from Monitor A to perform a logical judgment.
Detection Configuration¶
-
Please select at least two monitors; the right side will display their by condition groups. Up to 10 monitors can be added.
-
Combination Method: Follows the logic expression of AND/OR/NOT to define whether the combined monitor triggers an event. When all selected monitors trigger abnormal states, it resolves as true; otherwise, it resolves as false.
Logical Operations¶
When the selected monitors are in an abnormal state, they resolve as True, specifically as follows:
| Event Status | Resolved As | Severity Level |
|---|---|---|
critical |
True | 4 |
error |
True | 3 |
warning |
True | 2 |
nodata |
True | 1 |
ok |
False | 0 |
info |
False | 0 |
| Events that do not trigger are considered normal, similarly resolving as False |
Operator Details¶
| Logical Operation | Description |
|---|---|
&& AND |
A&&B: If the operation result is true, it returns the less severe status level between A and B. For example: A=critical, B=warning, then return warning. |
|| OR |
A||B: If the operation result is true, it returns the more severe status level between A and B. For example: A=critical, B=warning, then return critical. |
! NOT |
The "abnormal state" corresponding to NOT is always ok; the "normal state" corresponding to NOT is always critical. For example: If A=error, then !A=ok; if A=ok, then !A=critical. |
How to Define [True]?
Based on the selected monitors, if the monitors have groupings, then only when all common groupings of the monitors are in an abnormal state will it resolve as "true".
For example: When selecting Monitor A (hosts 1, 2, 3, 4 generate alerts) and Monitor B (hosts 2, 3, 5, 6 generate alerts), the combined monitor (A&&B) will only return "true" for hosts 2 and 3, generating alerts.
Note
When the monitors in the combination method do not have consistent groupings, such cases without common groupings will not generate alerts.
| Grouping Situation | Consistent? | Example |
|---|---|---|
| Monitor A has no grouping, Monitor B has grouping | No(no alert will be generated) | B: by host |
| Monitors A and B have partially consistent groupings | No(no alert will be generated) | A: by host, service, B: by host, device |
| Monitors A and B have completely inconsistent groupings | No(no alert will be generated) | A: by host, B: by service |
| Monitors A and B have a containment relationship in groupings | Yes(normal detection and alerting can occur) | A: by host, B: by host, device (dimension_tags=host) |
| Monitor A is contained within Monitor B's grouping, Monitor B is contained within Monitor C's grouping | Yes(normal detection and alerting can occur) | A: by host, B: by host, device, C: by host, device, os (dimension_tags=host) |
Example:
Select Monitor A: by host; Monitor B: by host, device. In this case, take the intersection host as the final dimension_tags. Monitor A can judge normally, while Monitor B takes the most severe level of all device under the host as its status, for example:
Other Configurations¶
For more details, please refer to Rule Configuration.
Common Issues¶
If the BY configuration does not meet the rules, can the monitor still be configured successfully?
It can still be created successfully even if it doesn't meet the specifications, but no alerts will be generated.
If a combined monitor is configured, will the original monitor continue to monitor normally?
It will still alert normally; the monitors being combined will not be affected in any way.
How does the combined monitor calculate task calls?
Similarly, each detection counts as 1 task call, with the detection frequency matching the highest detection frequency among the combined monitors.