Interval Detection V2¶
Interval Detection V2 builds confidence intervals from historical data to predict the normal range of fluctuation for a metric. Each detection run compares the current data characteristics with that historical range; when the current value falls outside the confidence interval it is identified as an anomaly and an alert is triggered, so that deviations in data stability or security are surfaced promptly.
Key Features:
- In-depth Analysis: Predicts normal fluctuations based on historical data to construct confidence intervals;
- Continuous Updates: Continuously updated by the Guance algorithm team to enhance data processing capabilities.
Concepts¶
Confidence Interval Range (confidence_interval): a parameter that sets how much fluctuation of the time series is tolerated within the detection range, expressed as a percentage from 1% to 100%. Raise it when the data is highly volatile and random; lower it when the data follows regular patterns. A larger value widens the upper and lower boundaries, so fewer anomalies are detected (at the extreme, none at all); a smaller value narrows them, so more anomalies are detected (at the extreme, ordinary fluctuation is reported as anomalous).
Tuning this parameter to the fluctuation characteristics of the data is therefore essential for balancing the sensitivity and accuracy of anomaly detection, avoiding both excessive false positives and missed anomalies.
Illustration:
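The following is an added example, not the page's illustration and not Guance's implementation: a minimal detector that builds a band from each detection object's history, scales the band width by confidence_interval, and flags the current value when it leaves the band in a watched direction. It also applies the detection-dimension rule described later on this page, evaluating every detection object (here the tuple of the keyword fields host and host_ip) separately. The sample history is constructed, and the band-width rule (100% = mean plus or minus three standard deviations) is an assumption made for this example.

```python
"""Added example: per-object confidence-band detection (illustrative, not Guance code).
Assumption: band half-width = (confidence_interval / 100) * 3 * stdev of the history."""
from statistics import mean, stdev
from typing import Dict, List, Optional, Tuple

DetectionObject = Tuple[str, str]  # (host, host_ip), the chosen keyword fields

# Constructed history: the last 10 detection values per detection object.
HISTORY: Dict[DetectionObject, List[float]] = {
    ("host1", "10.0.0.1"): [100, 102, 98, 101, 99, 103, 97, 100, 102, 99],     # steady
    ("host2", "10.0.0.2"): [200, 260, 150, 230, 180, 210, 190, 250, 170, 220],  # volatile
}


def confidence_band(history: List[float], confidence_interval: float) -> Tuple[float, float]:
    """Lower and upper bound of the normal range built from historical values.

    confidence_interval is the tolerance in percent (1..100). A larger value widens
    the band (fewer anomalies); a smaller value narrows it (more anomalies)."""
    if not 1 <= confidence_interval <= 100:
        raise ValueError("confidence_interval must be between 1 and 100 percent")
    if len(history) < 2:
        raise ValueError("need at least two historical points to estimate fluctuation")
    center = mean(history)
    half_width = confidence_interval / 100 * 3 * stdev(history)  # assumed scaling rule
    return center - half_width, center + half_width


def evaluate(current: float, history: List[float], confidence_interval: float,
             comparison: str = "both") -> Optional[str]:
    """Return 'up' or 'down' when current leaves the band in a direction the rule
    watches (comparison is 'up', 'down' or 'both'); otherwise None."""
    lower, upper = confidence_band(history, confidence_interval)
    if current > upper and comparison in ("up", "both"):
        return "up"
    if current < lower and comparison in ("down", "both"):
        return "down"
    return None


def detect(current: Dict[DetectionObject, float],
           history: Dict[DetectionObject, List[float]],
           confidence_interval: float,
           comparison: str = "both") -> List[Tuple[DetectionObject, str]]:
    """Evaluate every detection object in the query result; each object whose value
    meets the condition yields one (object, direction) event."""
    events = []
    for obj, value in current.items():
        hist = history.get(obj)
        if hist is None:
            continue  # no history for this object yet, nothing to compare against
        direction = evaluate(value, hist, confidence_interval, comparison)
        if direction:
            events.append((obj, direction))
    return events


if __name__ == "__main__":
    now = {("host1", "10.0.0.1"): 110, ("host2", "10.0.0.2"): 300}
    print(detect(now, HISTORY, 50))   # both hosts flagged upward
    print(detect(now, HISTORY, 100))  # wider band: only the steady host1 is flagged
```

With the same current values, widening the tolerance from 50% to 100% drops the volatile host from the result while the steady host stays flagged, which is the trade-off the parameter description above makes: the band must be sized to each metric's own fluctuation rather than to one global setting.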
Detection Configuration¶
Detection Frequency¶
The execution frequency of the detection rule is fixed at 10 minutes and cannot be changed.
Detection Metrics¶
The metrics being monitored.
| Field | Description |
|---|---|
| Data Type | The type of data currently being detected, including Metrics, APM, and RUM data. |
| Measurement | The measurement to which the current detection metric belongs. |
| Metric | The metric targeted by the current detection. |
| Aggregation Algorithm | Includes Avg by (average), Min by (minimum), Max by (maximum), Sum by (sum), Last (last value), First by (first value), Count by (data point count), Count_distinct by (unique data point count), p50 (median), p75 (75th percentile), p90 (90th percentile), p99 (99th percentile). |
| Detection Dimension | Any string-type (keyword) field in the configured data can be selected as a detection dimension; at most three fields are currently supported. Combining multiple detection dimension fields identifies a specific detection object, and Guance judges whether the statistical metrics of that detection object meet the threshold of the trigger condition. If the condition is met, an event is generated. For example, with the detection dimensions host and host_ip, a detection object can be {host: host1, host_ip: 127.0.0.1}. |
| Filter Conditions | Filters the data of the detection metrics by the tags of the metrics, limiting the data scope of the detection; one or more tag filters can be added; fuzzy matching and fuzzy non-matching filter conditions are supported. |
| Alias | Custom name for the detection metric. |
| Query Method | Supports simple queries and expression queries. |
Cross-Workspace Query Metrics¶
After authorization, detection metrics from other workspaces under the current account can be selected. Once the monitor rule is successfully created, cross-workspace alert configurations can be implemented.
Note
After selecting another workspace, the detection metric dropdown options will only display data types that have been authorized in the current workspace.
Trigger Conditions¶
Set the trigger conditions for the alert levels: trigger conditions can be configured for any of emergency, important, warning, or normal. Three forms of data comparison are supported: upward (data increase), downward (data decrease), and upward or downward.
Configure the trigger conditions and their severity. When the query result contains multiple values, an event is generated if any value meets the trigger condition.
For more details, refer to Event Level Description.
Alert Levels

- Emergency (red), Important (orange), Warning (yellow): triggered according to the configured condition judgment operators.
- Normal (green): triggered according to the configured detection count, explained as follows:
  - Each execution of the detection task counts as 1 detection; with the fixed detection frequency of 10 minutes, 1 detection = 10 minutes;
  - The detection count can be customized; with a detection frequency of 10 minutes, 3 detections = 30 minutes.

| Level | Description |
|---|---|
| Normal | After the detection rule takes effect, if an emergency, important, or warning anomaly event has been generated and the detection result returns to normal within the configured custom detection count, a recovery alert event is generated. Recovery alert events are not subject to Alert Silence restrictions. If the recovery detection count is not set, the alert event never recovers and remains in the Events > Unrecovered Events list. |
Data Gap¶
Seven strategies can be configured for the data gap state. The first two are linked to the detection interval; the remaining five use a custom data gap window.

- Linked to the detection interval: judge the query result of the detection metric over the most recent minutes of the interval and do not trigger any event;
- Linked to the detection interval: judge the query result of the detection metric over the most recent minutes of the interval and treat a missing result as 0; the value 0 is then re-compared with the thresholds configured under Trigger Conditions to decide whether an anomaly event is triggered;
- Custom data gap window (enter the interval value): trigger a data gap event, an emergency event, an important event, a warning event, or a recovery event. For these five strategies the custom data gap window should be >= the detection interval. If it is <= the detection interval, a detection run may satisfy both the data gap condition and an anomaly condition at the same time; in that case only the data gap result is applied.
Information Generation¶
Enable this option to generate "information" events for detection results that do not match the above trigger conditions.
Note
If trigger conditions, data gap, and information generation are configured simultaneously, the triggering priority is as follows: data gap > trigger conditions > information event generation.
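The following is an added example, not Guance's implementation: a small per-object event state machine that ties together the sections above. It evaluates the trigger levels from most to least severe, counts consecutive normal detections toward a recovery event (and never recovers when no count is set), applies a data gap strategy before anything else, and emits an information event only when nothing else matched, so the priority is data gap > trigger conditions > information. The field names (thresholds, direction, gap_strategy, recovery_count, info_events), the strategy names no_event / treat_as_zero / gap_event, and the CPU series are assumptions made for this example.

```python
"""Added example: monitor event state machine (illustrative, not Guance code).
Field and strategy names below are assumptions for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEVELS = ("emergency", "important", "warning")  # checked from most to least severe


@dataclass
class Rule:
    thresholds: Dict[str, float]          # level -> threshold for that level
    direction: str = "up"                 # "up": value > threshold; "down": value < threshold
    gap_strategy: str = "no_event"        # "no_event" | "treat_as_zero" | "gap_event"
    recovery_count: Optional[int] = None  # Normal-level detection count; None = never recovers
    info_events: bool = False             # emit "information" for results matching no condition


@dataclass
class ObjectState:
    open_level: Optional[str] = None      # unrecovered anomaly level for this detection object
    normal_streak: int = 0                # consecutive detections back inside the thresholds


def severity(rule: Rule, value: float) -> Optional[str]:
    """Highest configured level whose threshold the value crosses, or None."""
    for level in LEVELS:
        thr = rule.thresholds.get(level)
        if thr is None:
            continue
        crossed = value > thr if rule.direction == "up" else value < thr
        if crossed:
            return level
    return None


def step(rule: Rule, state: ObjectState, value: Optional[float]) -> Optional[str]:
    """One detection run. value is None when the query returned no data (a data gap).
    Priority: data gap > trigger conditions > information."""
    if value is None:
        if rule.gap_strategy == "no_event":
            return None
        if rule.gap_strategy == "gap_event":
            return "data_gap"
        value = 0.0  # treat_as_zero: 0 is re-compared against the trigger thresholds below
    level = severity(rule, value)
    if level is not None:
        state.open_level = level
        state.normal_streak = 0
        return level
    # Result matched no trigger condition: count toward recovery if an anomaly is open
    if state.open_level is not None and rule.recovery_count is not None:
        state.normal_streak += 1
        if state.normal_streak >= rule.recovery_count:
            state.open_level = None
            state.normal_streak = 0
            return "recovery"
    return "information" if rule.info_events else None


def run(rule: Rule, values: List[Optional[float]]) -> Tuple[List[Optional[str]], ObjectState]:
    """Feed one detection object's sequence of query results through the state machine."""
    state = ObjectState()
    events = [step(rule, state, v) for v in values]
    return events, state


if __name__ == "__main__":
    # Constructed CPU-usage series; the None simulates a run that returned no data
    cpu = Rule({"emergency": 90, "important": 80, "warning": 70},
               gap_strategy="gap_event", recovery_count=2)
    print(run(cpu, [50, 85, 95, 60, 60, None, 60])[0])
```

The run in the usage block yields important, then emergency, then a recovery only after two consecutive normal detections, then a data gap event; with recovery_count left at None the anomaly would stay open indefinitely, which is the "remains in the Unrecovered Events list" behaviour described above.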
Other Configurations¶
For more details, refer to Rule Configuration.