Range Detection
Within the selected time range, the system performs anomaly detection on the metric data. If the proportion of mutation (sudden-change) anomalies among the detected data points exceeds the preset threshold percentage, a range anomaly event is triggered.
Use Cases
Suited to monitoring data/metrics whose trend is normally stable. For example, generate an anomaly event when the percentage of host CPU usage mutation anomalies in the last 1 day exceeds 10%.
Detection Configuration
Detection Frequency
The execution frequency of the detection rule; it is matched automatically to the selected detection range.
Detection Range
The time range of metric data queried each time the task is executed.
| Detection Range (Dropdown Options) | Detection Frequency |
| --- | --- |
| 15m | 5m |
| 30m | 5m |
| 1h | 15m |
| 4h | 30m |
| 12h | 1h |
| 1d | 1h |
Detection Metrics
The metric data being monitored.

| Field | Description |
| --- | --- |
| Data Type | The type of data currently being detected: Metrics, Logs, Infrastructure, Resource Catalogs, Events, APM, RUM, Security Checks, Networks, or Profile. |
| Measurement | The measurement set in which the current detection metric resides. |
| Metrics | The specific metric currently being detected. |
| Aggregation Algorithm | Includes Avg by (take the average), Min by (take the minimum), Max by (take the maximum), Sum by (sum up), Last (take the last value), First by (take the first value), Count by (take the number of data points), Count_distinct by (take the number of distinct data points), p50 (take the median value), p75 (take the value at the 75% position), p90 (take the value at the 90% position), and p99 (take the value at the 99% position). |
| Detection Dimensions | Any string-type (keyword) field in the configured data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. Combining multiple detection dimension fields identifies a specific detection object. The system determines whether the statistical metrics of a detection object meet the threshold conditions for triggering events; if they do, an event is generated. For example, selecting the detection dimensions host and host_ip makes the detection object {host: host1, host_ip: 127.0.0.1}. |
| Filter Conditions | Filters the data of the detection metric by metric tags, limiting the scope of the detected data; one or more tag filters can be added; fuzzy matching and non-matching filter conditions are supported. |
| Alias | Customize the name of the detection metric. |
| Query Method | Supports simple queries and expression queries. |
Trigger Conditions
Set the trigger conditions for the alert levels: any of the emergency, critical, warning, or normal trigger conditions can be configured. Three forms of data comparison are supported: upward (data increase), downward (data decrease), and upward or downward.
Configure the trigger conditions and severity levels. When the query results contain multiple values, an event is generated if any value meets the trigger condition.
For more details, refer to Event Level Description.
Alert Levels

- Alert levels Emergency (red), Critical (orange), Warning (yellow): based on the judgment operator configured in the conditions.
- Alert level Normal (green): based on the configured detection count, as follows:
  - Each execution of a detection task counts as 1 detection; for example, with Detection Frequency = 5 minutes, 1 detection = 5 minutes.
  - You can customize the detection count; for example, with Detection Frequency = 5 minutes, 3 detections = 15 minutes.

| Level | Description |
| --- | --- |
| Normal | After the detection rule takes effect, if emergency, critical, or warning anomaly events occur and the data detection results return to normal within the configured custom detection count, a recovery alert event is generated. Recovery alert events are not subject to alert mute restrictions. If no recovery alert event detection count is set, the alert event will not recover and will remain in the Events > Unrecovered Events list. |
Data Gaps
You can configure seven strategies for data gap states.

- Linked to the detection range time period: judge the detection metric's query results for the most recent minutes and do not trigger an event;
- Linked to the detection range time period: judge the detection metric's query results for the most recent minutes and treat the query results as 0; the query results are then compared again with the thresholds configured in the trigger conditions above to decide whether to trigger an anomaly event;
- Custom-fill the detection range value and trigger one of the following: a data gap event, an emergency event, a critical event, a warning event, or a recovery event. With this type of strategy, the custom data gap time should be >= the detection range time interval. If the configured time is <= the detection range time interval, a data gap and an anomaly may be satisfied at the same time, in which case only the data gap handling result is applied.
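To make the rule described in the Trigger Conditions and Data Gaps sections concrete, here is an added example (not the product's own code) that models one scheduled execution of a range detection rule: the share of mutation points in the detection range is compared against per-level percentage thresholds, a recovery event is emitted after the configured number of normal detections, and the first two data-gap strategies are handled. The mutation test (relative change against the previous point), all field names and the sample series are assumptions.

```python
# Added example, not the product's own code: a minimal model of the range detection rule above.
# The mutation test (relative change vs. the previous point), field names and series are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVELS = ("emergency", "critical", "warning")  # checked from most to least severe

@dataclass
class RangeRule:
    thresholds: Dict[str, float] = field(  # percent of mutation points above which a level fires
        default_factory=lambda: {"emergency": 30.0, "critical": 20.0, "warning": 10.0})
    direction: str = "both"             # which mutations count: "up", "down" or "both"
    mutation_ratio: float = 0.5         # assumed: |cur - prev| / |prev| above this is a mutation
    gap_strategy: str = "no_event"      # "no_event" or "treat_as_zero" (the first two gap strategies)
    recovery_count: Optional[int] = 3   # normal detections before recovery; None = never recovers

@dataclass
class RuleState:
    active_level: Optional[str] = None  # level of the open anomaly event, if any
    normal_streak: int = 0              # consecutive normal detections since it opened

def is_mutation(prev: float, cur: float, rule: RangeRule) -> bool:  # jump vs. prev in the watched direction
    change = (cur - prev) / abs(prev) if prev else (cur - prev) * float("inf") if cur != prev else 0.0
    if (rule.direction == "up" and change <= 0) or (rule.direction == "down" and change >= 0):
        return False
    return abs(change) > rule.mutation_ratio

def anomaly_percent(points: List[float], rule: RangeRule) -> Optional[float]:  # percent of mutation points; None = data gap
    if not points:
        return 0.0 if rule.gap_strategy == "treat_as_zero" else None
    hits = sum(is_mutation(p, c, rule) for p, c in zip(points, points[1:]))
    return 100.0 * hits / len(points)

def level_for(percent: float, rule: RangeRule) -> Optional[str]:  # most severe level exceeded, else None
    return next((lv for lv in LEVELS if lv in rule.thresholds and percent > rule.thresholds[lv]), None)

def run_detection(points: List[float], rule: RangeRule, state: RuleState) -> Optional[str]:  # one execution; returns the event or None
    percent = anomaly_percent(points, rule)
    if percent is None:                 # gap with "no_event": neither an anomaly nor a normal detection
        return None
    level = level_for(percent, rule)
    if level is not None:
        state.active_level, state.normal_streak = level, 0
        return level
    if state.active_level is not None:  # normal result while an event is still open
        state.normal_streak += 1
        if rule.recovery_count is not None and state.normal_streak >= rule.recovery_count:
            state.active_level, state.normal_streak = None, 0
            return "recovery"
    return None                         # nothing open, or no recovery count: stays unrecovered
```

With the default thresholds, a constructed 10-point window containing one spike up and back (2 mutation points, 20%) exceeds only the warning threshold; three subsequent normal executions then produce the recovery event.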
Information Generation
After this option is enabled, detection results that match none of the trigger conditions above generate "information" events, which are written to the log.
Note
If trigger conditions, data gaps, and information generation are all configured, the following trigger priority applies: data gaps > trigger conditions > information event generation.
Other Configurations
For more details, refer to Rule Configuration.