
Interval Detection


Within the selected time range, the system performs anomaly detection on metric data. If the proportion of detected data points flagged as mutation (sudden-change) anomalies exceeds the preset threshold percentage, an interval anomaly event is triggered.

Use Cases

Used for monitoring data or metrics with a stable trend. For example, generate an anomaly event when more than 10% of the host CPU usage data points over the past 1 day are anomalous due to sudden changes.

Detection Configuration

Detection Frequency

The execution frequency of the detection rule, automatically matched to the selected detection interval.

Detection Interval

The time range for querying metrics each time the task is executed.

| Detection Interval (Dropdown Options) | Detection Frequency |
| --- | --- |
| 15m | 5m |
| 30m | 5m |
| 1h | 15m |
| 4h | 30m |
| 12h | 1h |
| 1d | 1h |

Detection Metrics

Monitored metric data.

| Field | Description |
| --- | --- |
| Data Type | The current data type being detected, including metrics, logs, infrastructure, resource catalog, events, APM, RUM, security checks, network, and Profile. |
| Measurement | The measurement set where the current detection metric resides. |
| Metric | The specific metric currently being detected. |
| Aggregation Algorithm | Includes Avg by (average value), Min by (minimum value), Max by (maximum value), Sum by (sum), Last (last value), First by (first value), Count by (number of data points), Count_distinct by (number of non-repeating data points), p50 (median value), p75 (value at 75% position), p90 (value at 90% position), p99 (value at 99% position). |
| Detection Dimensions | Any string type (keyword) field in the configured data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. The system will determine whether the statistical metrics corresponding to a detection object meet the threshold conditions for triggering an event. (For example, selecting detection dimensions host and host_ip would make the detection object {host: host1, host_ip: 127.0.0.1}.) |
| Filter Conditions | Filters data of the detection metric based on metric labels, limiting the scope of the detected data; supports adding one or more label filters; supports fuzzy matching and non-matching filter conditions. |
| Alias | Custom name for the detection metric. |
| Query Method | Supports simple queries and expression-based queries. |

Trigger Conditions

Set trigger conditions for alert levels: You can configure any one of the critical, major, minor, or normal trigger conditions. Supports three forms of data comparison: upward (data increase), downward (data decrease), or both upward and downward.

Configure trigger conditions and severity levels. When the query results return multiple values, an event will be generated if any value meets the trigger condition.

For more details, refer to Event Level Description.

Alert Levels
  1. Critical Alert Level (Red), Major Alert Level (Orange), Minor Alert Level (Yellow): Based on configured conditional operators.

  2. Normal Alert Level (Green): Based on the configured number of detections, explained as follows:

    • Each execution of a detection task counts as 1 detection, e.g., Detection Frequency = 5 minutes, so 1 detection = 5 minutes;
    • You can customize the number of detections, e.g., Detection Frequency = 5 minutes, so 3 detections = 15 minutes.
    | Level | Description |
    | --- | --- |
    | Normal | After the detection rule takes effect, if critical, major, or minor anomaly events are generated and the data detection results return to normal within the configured custom number of detections, a recovery alert event is generated. |

    ⚠ Recovery alert events are not subject to Alert Mute restrictions. If no detection count is set for recovery alert events, the alert event will not recover and will remain in the Events > Unrecovered Events List.

Data Gaps

Seven strategies can be configured for data gap states.

  1. Linked to the detection interval time range: evaluate the query result for the most recent minutes of the detection metric and do not trigger events.

  2. Linked to the detection interval time range: evaluate the query result for the most recent minutes of the detection metric and treat the query result as 0. The query result is then compared again with the thresholds configured in the trigger conditions to determine whether to trigger an anomaly event.

  3. Customize the filled detection interval value, trigger data gap events, trigger critical events, trigger major events, trigger minor events, and trigger recovery events. If this type of strategy is chosen, it is recommended that the custom data gap time be >= the detection interval time. If the configured time is <= the detection interval time, the data gap and anomaly conditions may both be satisfied at the same time. In such cases, only the data gap processing result is applied.

Information Generation

After enabling this option, detection results that do not match the above trigger conditions will generate "information" events and be written into the system.

Note

If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority applies: data gaps > trigger conditions > information event generation.
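The evaluation order described above, as an added Python sketch that is not the product's own code. The mutation detector (a robust z-score on point-to-point changes), the function names, the threshold values and the CPU sample are assumptions made for illustration; a data gap is modelled as a query that returns no points, and the custom fill value strategy is not modelled.

```python
from statistics import median

# Constructed sample: 24 hourly host CPU usage readings (%) with two spikes.
CPU = [20, 21, 20, 22, 21, 20, 21, 22, 20, 21, 80, 21,
       20, 22, 21, 20, 85, 20, 21, 22, 21, 20, 21, 22]

def mutation_flags(values, direction="both", k=5.0):
    """Flag points whose jump from the previous point is an outlier.
    Assumed rule (not the product's): robust z-score of first differences."""
    if len(values) < 2:
        return [False] * len(values)
    diffs = [b - a for a, b in zip(values, values[1:])]
    med = median(diffs)
    mad = median(abs(d - med) for d in diffs) or 1e-9  # avoid division by zero
    flags = [False]  # the first point has no predecessor to compare with
    for d in diffs:
        z = (d - med) / (1.4826 * mad)
        up, down = z > k, z < -k
        flags.append({"up": up, "down": down, "both": up or down}[direction])
    return flags

def anomaly_pct(values, direction="both"):
    """Percentage of data points in the interval flagged as mutation anomalies."""
    flags = mutation_flags(values, direction)
    return 100.0 * sum(flags) / len(flags) if flags else 0.0

def evaluate(values, thresholds, direction="both", gap="no_event", info=False):
    """Return 'critical' / 'major' / 'minor' / 'data_gap' / 'info' / None."""
    # 1. Data gaps take priority over everything else.
    if not values:
        if gap == "no_event":
            return None
        if gap != "as_zero":
            return gap            # directly trigger the configured event
        pct = 0.0                 # treat the result as 0, then compare
    else:
        pct = anomaly_pct(values, direction)
    # 2. Trigger conditions, most severe level first.
    for level in ("critical", "major", "minor"):
        if level in thresholds and pct > thresholds[level]:
            return level
    # 3. Information event for results that matched no trigger condition.
    return "info" if info else None

if __name__ == "__main__":
    rule = {"critical": 30, "major": 20, "minor": 10}  # percent thresholds
    print(round(anomaly_pct(CPU), 2), evaluate(CPU, rule))
    print(evaluate(CPU, rule, direction="up", info=True))
    print(evaluate([], rule, gap="critical"))
```

With both directions counted, the two spikes flag four of the 24 points and cross the 10% threshold; restricting the comparison to upward changes halves the count and the same data falls through to an information event.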

Other Configurations

For more details, refer to Rule Configuration.
