# Interval Detection

Within the selected detection interval, the system runs anomaly detection over the queried Metrics data points. If the proportion of points flagged as sudden-change (mutation) anomalies exceeds the preset threshold percentage, an interval anomaly event is triggered.
## Use Cases

Suited to monitoring data or Metrics with a stable trend. For example, if more than 10% of the host CPU usage data points over the last 1 day are flagged as mutation anomalies, an anomaly event is generated.
## Configuration

### Detection Frequency

How often the detection rule is executed. It is set automatically from the selected detection interval (see the table below).

### Detection Interval

The time range of Metrics data queried each time the task is executed. Because every interval is longer than its matching frequency, consecutive detection windows overlap, so a single data point can be evaluated by several consecutive runs.
| Detection Interval (Dropdown Options) | Detection Frequency |
|---|---|
| 15m | 5m |
| 30m | 5m |
| 1h | 15m |
| 4h | 30m |
| 12h | 1h |
| 1d | 1h |
### Detection Metrics

The Metrics data being monitored.
| Field | Description |
|---|---|
| Data Type | The data source being detected: Metrics, Logs, Infrastructure, Resource Catalog, Events, APM, RUM, Network, or Profile. |
| Measurement | The Measurement (metric set) that the detection Metric belongs to. |
| Metric | The Metric targeted by the current detection. |
| Aggregation Algorithm | The aggregation applied to the Metric within the detection interval: Avg by (average), Min by (minimum), Max by (maximum), Sum by (sum), Last (last value), First by (first value), Count by (number of data points), Count_distinct by (number of distinct values), p50 (median), p75 (75th percentile), p90 (90th percentile), p99 (99th percentile). |
| Detection Dimension | Any string (keyword) field of the configured data can be selected as a detection dimension; currently up to three fields can be selected. The combination of the selected dimension fields identifies one detection object, and the system judges separately for each object whether its statistical result meets the trigger condition, generating an event for each object that does. For example, with the dimensions host and host_ip selected, one detection object could be {host: host1, host_ip: 127.0.0.1}. |
| Filter Conditions | Restricts the detection data by the labels of the Metric; one or more label filters can be added, and fuzzy match and fuzzy not-match conditions are supported. |
| Alias | Customize the name of the detection Metric. |
| Query Method | Supports simple query and expression query. |
#### Cross-Workspace Query Metrics

After authorization, detection Metrics from other workspaces under the current account can be selected. Once the monitor rule is created, it alerts on data from that other workspace.

Note: After selecting another workspace, the detection Metrics dropdown only shows the data types that have been authorized to the current workspace.
### Trigger Conditions

Set a trigger condition for each alert level: any of emergency, important, warning, and normal can be configured. Three comparison directions are supported: upward (data increases), downward (data decreases), and upward or downward (either).

Configure the trigger condition and its severity. When the query returns multiple values (one per detection object), every value that meets the trigger condition generates its own event.

For more details, refer to Event Level Description.
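As an added illustration (not the platform's own code, which the page does not show), the following Python models how an interval detection rule is evaluated: points are grouped by detection dimension (here `host`), each point is flagged as a mutation anomaly when it changes by more than an assumed `jump_ratio` relative to the previous point (the page does not define the mutation detector, so this rule is an assumption), the proportion of flagged points is counted in the configured direction, and the highest alert level whose percentage threshold is exceeded is assigned. The sample CPU series, the thresholds and `jump_ratio` are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Alert levels in priority order (highest first), as on the page.
LEVELS = ("emergency", "important", "warning")

# Constructed sample input: CPU usage (%) per host, one point every 5 minutes
# over a 1-hour detection interval (12 points per host). host1 is flat,
# host2 has several sudden jumps in both directions.
SAMPLE_POINTS = [
    ("host1", i * 300, v) for i, v in enumerate([20, 21, 20, 22, 21, 20, 22, 21, 20, 21, 22, 21])
] + [
    ("host2", i * 300, v) for i, v in enumerate([20, 21, 70, 22, 21, 85, 22, 21, 5, 21, 90, 21])
]

# Constructed thresholds: percentage of window points that must be mutation
# anomalies (the page's "preset threshold percentage") for each level.
THRESHOLDS = {"emergency": 50, "important": 30, "warning": 10}


def mutation_flags(values: List[float], jump_ratio: float) -> List[int]:
    """Flag each point as +1 (upward mutation), -1 (downward) or 0 (normal).

    Assumed definition of a mutation anomaly (not specified on the page):
    the point changed by more than `jump_ratio` relative to the previous point.
    The first point has no predecessor and is never flagged.
    """
    flags = [0]
    for prev, cur in zip(values, values[1:]):
        base = max(abs(prev), 1e-9)  # avoid division by zero on a flat-zero series
        if abs(cur - prev) / base > jump_ratio:
            flags.append(1 if cur > prev else -1)
        else:
            flags.append(0)
    return flags


def anomaly_ratio(values: List[float], jump_ratio: float, direction: str) -> float:
    """Proportion of points in the window flagged as mutation anomalies.

    direction: "up" counts only increases, "down" only decreases, and
    "both" counts either, matching the three comparison forms on the page.
    """
    flags = mutation_flags(values, jump_ratio)
    wanted = {"up": {1}, "down": {-1}, "both": {1, -1}}[direction]
    hits = sum(1 for f in flags if f in wanted)
    return hits / len(values) if values else 0.0


def assign_level(ratio: float, thresholds: Dict[str, float]) -> Optional[str]:
    """Return the highest alert level whose percentage threshold is exceeded."""
    for level in LEVELS:
        if level in thresholds and ratio * 100 > thresholds[level]:
            return level
    return None


def evaluate_interval(points, direction: str, jump_ratio: float,
                      thresholds: Dict[str, float]) -> Dict[str, Tuple[float, Optional[str]]]:
    """Group points by detection dimension (host) and evaluate each detection object.

    Returns {host: (ratio, level)}; level is None when no trigger condition
    matches, which is the case Information Generation turns into an
    "information" event.
    """
    series = defaultdict(list)
    for host, ts, value in sorted(points, key=lambda p: (p[0], p[1])):
        series[host].append(value)
    results = {}
    for host, values in series.items():
        ratio = anomaly_ratio(values, jump_ratio, direction)
        results[host] = (ratio, assign_level(ratio, thresholds))
    return results


if __name__ == "__main__":
    for direction in ("both", "up", "down"):
        print(direction, evaluate_interval(SAMPLE_POINTS, direction, 0.5, THRESHOLDS))
```

With a `jump_ratio` of 0.5, host2 has 8 of 12 points flagged when both directions count (emergency, above 50%), but only 4 of 12 when restricted to upward or to downward changes (important, above 30% but not 50%), which is the practical effect of the direction setting: the same series can land on a different level depending on which mutations are counted.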
#### Bulk Alert Protection

Enabled by default.

When the number of alerts generated by a single detection run exceeds the preset threshold, the system automatically switches to the status summary strategy: instead of processing each alerting object individually, it generates and pushes a small number of summary alerts grouped by event status.

This keeps notifications timely and sharply reduces alert noise, avoiding the risk of the run timing out while processing too many alerts.

Note: When this switch is enabled, the Event Details of events generated by subsequent detections of this monitor will not show historical records or related events.
#### Alert Levels

- Emergency (red), Important (orange), Warning (yellow): triggered according to the configured condition judgment operators.
- Normal (green): triggered according to the configured detection count, explained as follows:
  - Each execution of the detection task counts as 1 detection; e.g., with Detection Frequency = 5 minutes, 1 detection = 5 minutes.
  - The detection count can be customized; e.g., with Detection Frequency = 5 minutes, 3 detections = 15 minutes.

| Level | Description |
|---|---|
| Normal | After the detection rule takes effect, if an emergency, important, or warning anomaly event has been generated and the detection result returns to normal within the configured custom detection count, a recovery alert event is generated. ❗️ Recovery alert events are not restricted by Alert Silence. If no detection count is set for recovery alert events, the alert event never recovers and remains in the Events > Unrecovered Events List. |
### Data Gaps

Seven strategies can be configured for the data gap (no data) status:

- Linked to the detection interval: judge the query result of the detection Metrics over the most recent minutes, and do not trigger an event;
- Linked to the detection interval: judge the query result of the detection Metrics over the most recent minutes, treating the missing result as 0; the 0 is then compared again with the thresholds configured in the Trigger Conditions above to decide whether an anomaly event is triggered;
- Custom data gap duration, with one of five outcomes: trigger a data gap event, trigger an emergency event, trigger an important event, trigger a warning event, or trigger a recovery event. For this type of strategy the custom data gap duration should be >= the detection interval. If the configured duration is <= the detection interval, the data gap condition and an anomaly condition may be met at the same time; in that case only the data gap result is applied.
### Information Generation

When this option is enabled, detection results that do not match any of the trigger conditions above generate "information" events.

Note: When trigger conditions, data gaps, and information generation are all configured, they are judged in the following priority order: data gaps > trigger conditions > information event generation.
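To make the priority order, the recovery detection count and bulk alert protection concrete, here is an added Python model of how one run of a rule turns per-object results into events (example code, not the platform's own implementation). It assumes that per-object results arrive already evaluated against the trigger conditions (as `RunResult`), that the recovery condition means the configured number of consecutive normal detections, and that the data gap strategies map onto the modes `ignore`, `zero` and `custom`; the `Rule` settings and the inputs in the `__main__` block are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVELS = ("emergency", "important", "warning")  # highest priority first


@dataclass
class RunResult:
    """Outcome of one detection run for one detection object.

    level: alert level whose trigger condition matched, or None when none did.
    gap:   True when no data arrived within the configured data gap duration.
           Both may be set at once (the overlap case when the gap duration is
           <= the detection interval); the gap then takes precedence.
    """
    level: Optional[str] = None
    gap: bool = False


@dataclass
class ObjectState:
    active_level: Optional[str] = None  # unrecovered anomaly for this object, if any
    normal_streak: int = 0              # consecutive normal detections since that anomaly


@dataclass
class Rule:
    gap_strategy: str = "ignore"   # assumed modes: "ignore" (no event), "zero", "custom"
    gap_event: str = "data_gap"    # for "custom": data_gap/emergency/important/warning/recovery
    thresholds: Dict[str, float] = field(default_factory=dict)  # percent thresholds, used by "zero"
    info_enabled: bool = False     # Information Generation switch
    recovery_count: Optional[int] = 3  # None: never recover (stays in Unrecovered Events)
    bulk_threshold: int = 50       # alerts per run above which only summaries are pushed
    states: Dict[str, ObjectState] = field(default_factory=dict)


def _events_for(rule: Rule, obj: str, result: RunResult, state: ObjectState) -> List[dict]:
    """Apply the page's priority: data gaps > trigger conditions > information."""
    if result.gap:
        if rule.gap_strategy == "ignore":
            return []
        if rule.gap_strategy == "zero":
            # Treat the result as 0 and re-compare with the thresholds; a ratio
            # of 0% exceeds no positive threshold, so this normally reads as normal.
            level = next((lv for lv in LEVELS
                          if lv in rule.thresholds and 0 > rule.thresholds[lv]), None)
            return _events_for(rule, obj, RunResult(level=level), state)
        ev = rule.gap_event
        if ev in LEVELS:
            state.active_level, state.normal_streak = ev, 0
        elif ev == "recovery":
            state.active_level, state.normal_streak = None, 0
        return [{"object": obj, "event": ev}]
    if result.level is not None:
        state.active_level, state.normal_streak = result.level, 0
        return [{"object": obj, "event": result.level}]
    if state.active_level is not None:
        state.normal_streak += 1
        if rule.recovery_count is not None and state.normal_streak >= rule.recovery_count:
            state.active_level, state.normal_streak = None, 0
            return [{"object": obj, "event": "recovery"}]
        return []
    return [{"object": obj, "event": "information"}] if rule.info_enabled else []


def process_run(rule: Rule, results: Dict[str, RunResult]) -> List[dict]:
    """Turn one run's per-object results into the events to push."""
    events: List[dict] = []
    for obj, result in results.items():
        state = rule.states.setdefault(obj, ObjectState())
        events.extend(_events_for(rule, obj, result, state))
    alerts = [e for e in events if e["event"] != "information"]
    if len(alerts) > rule.bulk_threshold:
        # Bulk alert protection: one summary per event status instead of one per object.
        summaries = [{"event": status, "summary": True, "count": n}
                     for status, n in Counter(e["event"] for e in alerts).items()]
        return summaries + [e for e in events if e["event"] == "information"]
    return events


if __name__ == "__main__":
    # Constructed walk-through: recovery after 2 normal detections, summaries above 2 alerts.
    rule = Rule(info_enabled=True, recovery_count=2, bulk_threshold=2)
    print(process_run(rule, {"host1": RunResult(), "host2": RunResult("emergency")}))
    print(process_run(rule, {"host1": RunResult(), "host2": RunResult()}))          # host2 streak 1
    print(process_run(rule, {"host1": RunResult(gap=True), "host2": RunResult()}))  # host2 recovers
    print(process_run(rule, {h: RunResult("emergency") for h in ("a", "b", "c")}))  # summarised
```

Two behaviours worth noticing when reading the output: with `recovery_count=None` an object that alerted once stays in `active_level` forever, which is the "never recovers" case the Alert Levels table warns about, and a `custom` gap strategy emits only the gap event even when a trigger condition would also have matched, which is the overlap rule from the Data Gaps section.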
## Other Configurations

For more details, refer to Rule Configuration.