Interval Anomaly Detection¶
Within the selected time range, the system performs anomaly detection on metric data. If the proportion of mutation anomalies in the detected data points exceeds the preset threshold percentage, an interval anomaly event is triggered.
Use Cases¶
Applied to monitor data/metrics with stable trends. For example, detecting when the proportion of mutation anomaly data points for host CPU usage in the last 1 day exceeds 10%, generating an anomaly event.
Configuration¶
Detection Frequency¶
The execution frequency of the detection rule, automatically matching the selected detection interval.
Detection Interval¶
The time range for querying metrics each time the task is executed.
| Detection Interval (Dropdown Options) | Detection Frequency |
|---|---|
| 15m | 5m |
| 30m | 5m |
| 1h | 15m |
| 4h | 30m |
| 12h | 1h |
| 1d | 1h |
Detection Metrics¶
The metric data being monitored.
| Field | Description |
|---|---|
| Data Type | The data type currently being detected, including Metrics, LOG, Infrastructure, Resource Catalog, Events, APM, RUM, Network, and Profile. |
| Measurement | The measurement where the current detection metric resides. |
| Metric | The specific metric targeted by the current detection. |
| Aggregation Algorithm | Includes Avg by (average), Min by (minimum), Max by (maximum), Sum by (sum), Last (last value), First by (first value), Count by (count of data points), Count_distinct by (count of distinct data points), p50 (median), p75 (75th percentile), p90 (90th percentile), p99 (99th percentile). |
| Detection Dimension | Any string-type (keyword) fields in the configured data can be selected as detection dimensions. Currently, a maximum of three dimension fields are supported. The combination of multiple dimension fields defines a specific detection target. The system determines if the statistical metrics for a detection target meet the trigger condition threshold, and generates an event if the condition is met.(For example, selecting detection dimensions host and host_ip defines a detection target like {host: host1, host_ip: 127.0.0.1}). |
| Filter Conditions | Filters the data for the detection metrics based on metric tags, limiting the data scope; supports adding one or multiple tag filters; supports fuzzy match and fuzzy not-match filter conditions. |
| Alias | Custom name for the detection metric. |
| Query Method | Supports Simple Query and Expression Query. |
Cross-Workspace Query Metrics¶
After authorization, detection metrics from other workspaces under the current account can be selected. Once the monitor rule is successfully created, cross-workspace alert configuration is achieved.
Note
After selecting another workspace, the detection metric dropdown only displays data types that the current workspace has been authorized to access.
Trigger Conditions¶
Set the trigger conditions for alert severity levels: You can configure any one of Urgent, Important, Warning, or Normal trigger conditions. Supports three forms of data comparison: Up (data increase), Down (data decrease), and Up or Down.
Configure trigger conditions and severity. When the query result contains multiple values, an event is generated if any value meets the trigger condition.
For more details, refer to Event Level Description.
Bulk Alert Protection¶
Enabled by default.
When the number of alerts generated in a single detection exceeds a preset threshold, the system automatically switches to a status aggregation strategy: instead of processing each alert object individually, it generates a small number of summary alerts based on event status and pushes them.
This ensures timely notification while significantly reducing alert noise and avoiding timeout risks caused by processing too many alerts.
Note
When this switch is enabled, the Event Details for such events generated after subsequent monitor detections will not display history records or associated events.
Alert Severity¶
-
Alert Severity Urgent (red), Important (orange), Warning (yellow);
-
Alert Severity Normal (green): Based on the configured number of detection times, explained as follows:
-
Each execution of a detection task counts as 1 detection. For example, if
Detection Frequency = 5 minutes, then 1 detection = 5 minutes. -
The number of detections can be customized. For example, if
Detection Frequency = 5 minutes, then 3 detections = 15 minutes.
Level Description Normal After the detection rule takes effect, if an Urgent, Important, or Warning anomaly event occurs, and the data detection result returns to normal within the configured custom number of detection times, a recovery alert event is generated.
❗️ Recovery alert events are not subject to Alert Mute restrictions. If the number of detections for recovery alert events is not set, the alert event will not recover and will remain in the Events > Unrecovered Events List. -
Data Gap¶
Seven strategies can be configured for data gap status.
-
Linked to the detection interval time range, judges the query result for the most recent minutes of the detection metric, does not trigger an event;
-
Linked to the detection interval time range, judges the query result for the most recent minutes of the detection metric, the query result is treated as 0; the query result is then re-compared with the threshold configured in the Trigger Conditions above to determine whether to trigger an anomaly event.
-
Custom fill value for the detection interval, trigger a data gap event, trigger an urgent event, trigger an important event, trigger a warning event, and trigger a recovery event; for this type of configuration strategy, the recommended custom data gap time configuration is >= the detection interval time span. If the configured time is <= the detection interval time span, situations where both data gap and anomaly conditions are met may occur. In such cases, only the data gap handling result will be applied.
Information Generation¶
Enable this option to generate "Information" events for detection results that do not match any of the above trigger conditions and write them.
Note
If Trigger Conditions, Data Gap, and Information Generation are configured simultaneously, the triggering priority is judged as follows: Data Gap > Trigger Conditions > Information Event Generation.
Other Configuration¶
For more details, refer to Rule Configuration.