
Interval Detection V2


The V2 version of interval detection establishes a confidence interval based on the historical data of the current detection metrics to predict the normal fluctuation range. The Guance system compares the data characteristics of the current time period with historical data to check if the data exceeds the predetermined confidence interval. If a data point exceeds this range, the system will determine it as an anomaly and may trigger an alert; if the data point is within the normal range, the system will continue monitoring to ensure the stability and security of real-time data.

Key features:

  • In-depth analysis: Establishes a confidence interval based on the historical data of the detection metrics to predict the normal fluctuation range.
  • Continuous updates: Continuously updated by the Guance algorithm team to provide more data processing capabilities.

Concepts

Confidence interval range (confidence_interval): A parameter that defines the tolerance for the upper and lower bounds of the confidence interval for time series data within a specific detection range. The parameter value ranges from 1% to 100%. For data with large fluctuations and strong randomness, a larger tolerance value can be chosen; conversely, for data with relatively regular fluctuations, the tolerance range can be reduced.

Setting a larger confidence interval range results in wider upper and lower boundaries, thereby reducing the number of detected anomalies. If the confidence interval is set too small, a large number of anomalies may be detected; if it is set too large, no anomalies may be detected at all. Therefore, setting the confidence_interval parameter reasonably according to the characteristics of the data is crucial. Correct parameter settings ensure that important anomaly signals are not missed and that the system does not become overly sensitive to normal fluctuations in the data.
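The script below is an added illustration of how a confidence interval derived from history turns into upper and lower bounds and how the confidence_interval tolerance changes their width; it is not Guance's own code or algorithm (the page does not publish it). It assumes a simplified model: the band keeps the central confidence_interval% of the historical values (100% spans the full historical range, smaller values narrow it), and the direction argument of check_point mirrors the upward / downward / both comparison forms of the Trigger Conditions section. The function names, the Band type and the sample history are all constructed for this example.

```python
# Added illustration of confidence-interval detection. This is NOT Guance's
# algorithm (the page does not publish it); it is an assumed, simplified model:
# the band is taken from the percentiles of the historical values, and the
# confidence_interval percentage (1-100) controls how much of that history
# falls inside the band. A larger value gives a wider band and fewer anomalies.
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Band:
    """Lower and upper bound of the predicted normal fluctuation range."""
    lower: float
    upper: float


def _quantile(sorted_values: Sequence[float], q: float) -> float:
    """Linear-interpolation quantile of an ascending sequence (0 <= q <= 1)."""
    if not sorted_values:
        raise ValueError("history must not be empty")
    pos = (len(sorted_values) - 1) * q
    lo = int(pos)
    hi = min(lo + 1, len(sorted_values) - 1)
    return sorted_values[lo] + (sorted_values[hi] - sorted_values[lo]) * (pos - lo)


def confidence_band(history: Sequence[float], confidence_interval: float) -> Band:
    """Build the band from historical values.

    confidence_interval is the page's parameter in percent (1..100). The band
    keeps the central confidence_interval% of the history: 100 gives
    [min, max], 50 gives the interquartile range, 1 almost collapses to the median.
    """
    if not 1 <= confidence_interval <= 100:
        raise ValueError("confidence_interval must be between 1% and 100%")
    tail = (1 - confidence_interval / 100) / 2
    ordered = sorted(history)
    return Band(_quantile(ordered, tail), _quantile(ordered, 1 - tail))


def check_point(value: float, band: Band, direction: str = "both") -> Optional[str]:
    """Compare one point with the band.

    direction follows the Trigger Conditions section: "upward" only flags
    values above the band, "downward" only values below it, "both" flags either.
    Returns "upward", "downward" or None (inside the band).
    """
    if direction not in ("upward", "downward", "both"):
        raise ValueError("direction must be upward, downward or both")
    if direction != "downward" and value > band.upper:
        return "upward"
    if direction != "upward" and value < band.lower:
        return "downward"
    return None


def check_window(values: Sequence[float], band: Band, direction: str = "both") -> Optional[str]:
    """Any value of the current period that leaves the band generates an event;
    the first breach found is reported, None if the whole window is normal."""
    for v in values:
        hit = check_point(v, band, direction)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    # Constructed sample history: one metric's values from previous periods.
    history = [10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20]
    for ci in (100, 80, 50):
        b = confidence_band(history, ci)
        print(f"confidence_interval={ci:>3}% -> band [{b.lower:.1f}, {b.upper:.1f}]")
    # Current period: the last point lies above the widest band.
    print(check_window([14, 16, 25], confidence_band(history, 100), "both"))
```

Running the script prints the three bands in decreasing width, which is the behaviour the paragraph above describes: the smaller the tolerance, the narrower the band and the more points that fall outside it.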

Illustration:

Detection Configuration

Detection Frequency

The execution frequency of the detection rule. The default is 10 minutes and cannot be changed.

Detection Metrics

The monitored metrics data.

Field descriptions:

  • Data Type: The data type currently being detected; only metrics data is supported.
  • Measurement: The measurement set in which the current detection metrics reside.
  • Metrics: The metrics targeted by the current detection.
  • Aggregation Algorithm: Avg by (average), Min by (minimum), Max by (maximum), Sum by (sum), Last (last value), First by (first value), Count by (number of data points), Count_distinct by (number of distinct data points), p50 (median), p75 (value at the 75% position), p90 (value at the 90% position), p99 (value at the 99% position).
  • Detection Dimensions: Any string type (keyword) field in the configured data can be selected as a detection dimension; up to three fields are currently supported. Combining several detection dimension fields identifies one specific detection object. Guance evaluates whether the statistical metrics of that detection object meet the threshold conditions and generates events if they do. For example, with the detection dimensions host and host_ip, a detection object could be {host: host1, host_ip: 127.0.0.1}.
  • Filtering Conditions: Filters the detection metric data by the metric labels, limiting the scope of the detection data; one or more label filters can be added; fuzzy match and fuzzy mismatch filter conditions are supported.
  • Alias: A custom name for the detection metrics.
  • Query Method: Simple queries and expression-based queries are supported.

Trigger Conditions

Set the trigger conditions for the alarm levels: any one of the emergency, critical, warning, or normal trigger conditions can be configured. Upward (data increase), downward (data decrease), or both upward and downward forms of data comparison are supported.

Configure trigger conditions and severity levels. When the query result contains multiple values, any value that meets the trigger condition generates an event.

For more details, refer to Event Level Description.

Alarm Levels

  1. Alarm levels Emergency (red), Critical (orange), Warning (yellow): evaluated from the configured conditions using operators.

  2. Alarm level Normal (green): based on the configured number of detections, explained as follows:

    • Each execution of a detection task counts as 1 detection, e.g., with Detection Frequency = 5 minutes, 1 detection = 5 minutes;
    • The number of detections can be customized, e.g., with Detection Frequency = 5 minutes, 3 detections = 15 minutes.

    Level descriptions:

    • Normal: After the detection rule takes effect, if an emergency, critical, or warning abnormal event occurs and the data detection results return to normal within the configured custom number of detections, a recovery alarm event is generated.

    ⚠ Recovery alarm events are not restricted by Alert Mute. If no recovery alarm event detection count is set, the alarm event will not recover and will remain in the Events > Unrecovered Events List.

Data Gaps

For data gap states, seven strategies can be configured.

  1. Linked to the detection interval time range: evaluate the query results of the detection metrics over the most recent minutes and do not trigger events;

  2. Linked to the detection interval time range: evaluate the query results of the detection metrics over the most recent minutes and treat the query results as 0; the value 0 is then re-compared with the thresholds configured in the Trigger Conditions section above to determine whether to trigger an anomaly event;

  3. Customize the filled detection interval value and choose which event to trigger: data gap events, emergency events, critical events, warning events, or recovery events (five strategies). If this configuration strategy is chosen, the custom data gap time should be >= the detection interval time. If the configured time is <= the detection interval time, a data gap and an anomaly may be satisfied simultaneously; in that case only the data gap handling result is applied.

Information Generation

After enabling this option, detection results that match none of the trigger conditions above generate "information" events, which are written to the event list.

Note

If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority applies: data gaps > trigger conditions > information event generation.
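The following script is an added example of the event lifecycle described in the Trigger Conditions, Alarm Levels, Data Gaps and Information Generation sections above; it is not Guance's code, and it models the behaviour only as far as the page states it. Each call to step() stands for one execution of the detection task. The priority order data gaps > trigger conditions > information events, the recovery rule (a recovery event after the configured number of consecutive normal detections, no recovery at all when no count is set) and the three families of data gap strategy come from the page; the class and strategy names, the treatment of a gap under the "no event" strategy as neutral for the recovery count, and the sample values are assumptions made for this example.

```python
# Added example of the detection-rule event lifecycle. Assumed model, not
# Guance's implementation: one call to step() is one detection run; the rule
# decides which single event (if any) that run produces, applying the page's
# priority order data gap > trigger condition > information event.
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

# A trigger condition is (level, predicate); evaluate from most to least severe.
Trigger = Tuple[str, Callable[[float], bool]]

# Data gap strategies (names are assumptions). The first two are items 1 and 2
# of the Data Gaps section; any other value is the event emitted by the
# custom-fill strategy: "data_gap", "emergency", "critical", "warning", "recovery".
NO_EVENT = "no_event"
TREAT_AS_ZERO = "treat_as_zero"


@dataclass
class RuleConfig:
    gap_strategy: str = NO_EVENT
    recovery_detections: Optional[int] = None  # None: the event never recovers
    info_generation: bool = False


class RuleEvaluator:
    def __init__(self, config: RuleConfig, triggers: Sequence[Trigger]):
        self.config = config
        self.triggers = list(triggers)
        self.unrecovered = False  # an emergency/critical/warning event is open
        self.normal_streak = 0    # consecutive normal detections since it opened

    def step(self, value: Optional[float]) -> Optional[str]:
        """Evaluate one detection (value None = data gap); return the event name."""
        # Priority 1: data gaps override everything else.
        if value is None:
            if self.config.gap_strategy == NO_EVENT:
                return None
            if self.config.gap_strategy != TREAT_AS_ZERO:
                if self.config.gap_strategy == "recovery":
                    self.unrecovered = False
                    self.normal_streak = 0
                return self.config.gap_strategy
            value = 0.0  # item 2: re-compare 0 against the trigger conditions
        # Priority 2: trigger conditions, most severe first.
        for level, matches in self.triggers:
            if matches(value):
                self.unrecovered = True
                self.normal_streak = 0
                return level
        # Normal result: count towards recovery of an open abnormal event.
        if self.unrecovered and self.config.recovery_detections is not None:
            self.normal_streak += 1
            if self.normal_streak >= self.config.recovery_detections:
                self.unrecovered = False
                self.normal_streak = 0
                return "recovery"
        # Priority 3: information events for results matching no condition.
        return "information" if self.config.info_generation else None


def run(values: Sequence[Optional[float]], config: RuleConfig,
        triggers: Sequence[Trigger]) -> List[Optional[str]]:
    """Feed a constructed series of detection values through one rule."""
    evaluator = RuleEvaluator(config, triggers)
    return [evaluator.step(v) for v in values]


if __name__ == "__main__":
    # Constructed thresholds: critical above 90, warning above 70.
    triggers = [("critical", lambda v: v > 90), ("warning", lambda v: v > 70)]
    cfg = RuleConfig(recovery_detections=2, info_generation=True)
    # Constructed series: normal, spike, still high, two normal runs, normal, gap.
    for value, event in zip([50, 95, 75, 50, 50, 50, None],
                            run([50, 95, 75, 50, 50, 50, None], cfg, triggers)):
        print(f"value={value!s:>4} -> {event}")
```

The first normal detection after the spike does not recover the event, the second does; with recovery_detections left at None the critical event stays open indefinitely, which is the "remains in the Unrecovered Events List" case. Swapping the gap strategy to TREAT_AS_ZERO shows why a downward trigger condition can fire on a gap: 0 is compared with the thresholds like any other value.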

Other Configurations

For more details, refer to Rule Configuration.
