Range Detection


Within the selected time range, the system will perform anomaly detection on metric data. If the proportion of mutation anomalies in the detected data points exceeds the preset threshold percentage, a range anomaly event will be triggered.

Use Cases

Suited to monitoring data or metrics with a stable trend. For example, generate an anomaly event when the percentage of mutation anomalies in host CPU usage over the last 1 day exceeds 10%.

Detection Configuration

Detection Frequency

The execution frequency of the detection rule, automatically matched to the selected detection range.

Detection Range

The time range for querying metrics each time the task is executed.

Detection Range (Dropdown Options) | Detection Frequency
15m | 5m
30m | 5m
1h | 15m
4h | 30m
12h | 1h
1d | 1h

Detection Metrics

Monitored metric data.

Field | Description
Data Type | The current type of data being detected, including Metrics, Logs, Infrastructure, Resource Catalogs, Events, APM, RUM, Security Checks, Networks, and Profile.
Measurement | The measurement set where the current detection metric resides.
Metrics | The specific metric currently being detected.
Aggregation Algorithm | Includes Avg by (take average), Min by (take minimum), Max by (take maximum), Sum by (sum up), Last (take the last value), First by (take the first value), Count by (take the number of data points), Count_distinct by (take the number of non-repeating data points), p50 (take the median value), p75 (take the value at the 75% position), p90 (take the value at the 90% position), p99 (take the value at the 99% position).
Detection Dimensions | Any string type (keyword) field in the configured data can be selected as a detection dimension. Currently, up to three fields can be selected for detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. The system will determine whether the statistical metrics corresponding to a detection object meet the threshold conditions for triggering events. If the conditions are met, an event will be generated. (For example, selecting the detection dimensions host and host_ip would make the detection object {host: host1, host_ip: 127.0.0.1}.)
Filter Conditions | Filters the data of the detection metrics based on metric tags, limiting the scope of the detected data; supports adding one or more tag filters; supports fuzzy matching and non-matching filter conditions.
Alias | Customize the name of the detection metric.
Query Method | Supports simple queries and expression queries.

Trigger Conditions

Set the trigger conditions for alert levels: You can configure any one of the emergency, critical, warning, or normal trigger conditions. Supports three forms of data comparison: upward (data increase), downward (data decrease), upward or downward.

Configure trigger conditions and severity levels. When the query results contain multiple values, if any value meets the trigger condition, an event will be generated.

For more details, refer to Event Level Description.

Alert Levels
  1. Alert Levels Emergency (red), Critical (orange), Warning (yellow): Based on the judgment operator configured in the conditions.

  2. Alert Level Normal (green): Based on the configured detection count, as follows:

    • Each execution of a detection task counts as 1 detection, such as Detection Frequency = 5 minutes, then 1 detection = 5 minutes;
    • You can customize the detection count, such as Detection Frequency = 5 minutes, then 3 detections = 15 minutes.
    Level | Description
    Normal | After the detection rule takes effect, if urgent, critical, or warning anomaly events occur, and within the configured custom detection count, the data detection results return to normal, then a recovery alert event will be generated.

    ⚠ Recovery alert events are not subject to alert mute restrictions. If no recovery alert event detection count is set, the alert event will not recover and will remain in the Events > Unrecovered Events List.

Data Gaps

You can configure seven strategies for data gap states.

  1. Linked to the detection range time period: judge the query results of the detection metric for the most recent minutes and do not trigger an event.

  2. Linked to the detection range time period: judge the query results of the detection metric for the most recent minutes and treat the query results as 0. The query results are then compared again with the thresholds configured in the trigger conditions above to determine whether to trigger an anomaly event.

  3. Custom-fill the detection range value and trigger data gap events, urgent events, critical events, warning events, or recovery events. If you choose this type of strategy, it is recommended that the custom data gap time be >= the detection range time interval. If the configured time is <= the detection range time interval, a data gap and an anomaly may both be satisfied at the same time, in which case only the data gap handling result is applied.

Information Generation

After enabling this option, detection results that do not match the above trigger conditions will generate "information" events and be written into the log.

Note

If trigger conditions, data gaps, and information generation are all configured at the same time, the following priority order applies for triggering: data gaps > trigger conditions > information event generation.
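
The following sketch is an added example, not the product's own code: it evaluates one detection run using the priority order above (data gaps, then trigger conditions, then information events). The page does not say how mutation anomalies are identified, so the median/MAD detector, the threshold percentages, the gap check on the last three points, and all function and strategy names are assumptions.

```python
from statistics import median

# Percent-of-anomalous-points thresholds per level, highest first (assumed values).
LEVELS = [("emergency", 30.0), ("critical", 20.0), ("warning", 10.0)]

def mutation_flags(values, direction="both", k=5.0):
    """Assumed detector: a point is a mutation if it lies more than k MADs from the window median."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1e-9  # avoid division by zero on flat data
    flags = []
    for v in values:
        score = (v - med) / mad
        up, down = score > k, score < -k
        flags.append({"up": up, "down": down, "both": up or down}[direction])
    return flags

def evaluate(points, direction="both", gap_points=3, gap_strategy="no_event", info=True):
    """Return the event for one detection run, or None. None entries in points mean no data."""
    # 1. Data gaps outrank everything else.
    if all(p is None for p in points[-gap_points:]):
        if gap_strategy == "no_event":
            return None
        if gap_strategy != "as_zero":
            return gap_strategy  # custom strategy, e.g. "data_gap", "critical", "recovery"
        points = [0.0 if p is None else p for p in points]  # treat as 0, then re-compare
    values = [p for p in points if p is not None]
    # 2. Trigger conditions: share of mutation points in the range vs. each threshold.
    flags = mutation_flags(values, direction)
    pct = 100.0 * sum(flags) / len(flags)
    for level, threshold in LEVELS:
        if pct > threshold:  # the proportion must exceed the threshold
            return level
    # 3. Information generation is the fallback when no trigger condition matched.
    return "info" if info else None

# Constructed window: 20 CPU-usage samples with three upward jumps (15% of points).
CPU = [21, 22, 20, 23, 21, 95, 22, 21, 20, 97, 22, 23, 21, 20, 22, 96, 21, 22, 20, 21]

if __name__ == "__main__":
    print(evaluate(CPU))                                            # upward or downward
    print(evaluate(CPU, direction="down"))                          # no downward mutations
    print(evaluate(CPU[:-3] + [None] * 3, gap_strategy="as_zero"))  # gap filled with 0
```

With the "as_zero" strategy the three filled zeros are themselves counted as downward mutations, which is why a data gap can raise the level of the resulting event.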

Other Configurations

For more details, refer to Rule Configuration.
