Mutation Detection


Mutation detection compares the absolute change or relative percentage change of the same metric across two different time periods to determine whether an anomaly has occurred. This method is often used to track peaks or fluctuations in metrics. When an anomaly is detected, it can more accurately generate event records for subsequent analysis and processing.

Use Cases

Mutation detection is suitable for monitoring short-term relative changes or rates of change compared to long-term data. For example, setting the percentage difference between the average number of MySQL connections in the last 15 minutes and the average value over the past day to be greater than 500% means that if the average number of connections in the last 15 minutes exceeds five times the average number of connections over the past day, the system will trigger a warning.

It is recommended to use statistical functions such as average (AVG), maximum (MAX), minimum (MIN) instead of the last value (LAST) function to calculate these metrics, reducing the impact of abnormal data and improving the accuracy of monitoring.

Detection Configuration

Metrics to Detect

The metric data being monitored. The rule compares the difference or percentage difference of this metric between two time periods.

| Field | Description |
| --- | --- |
| Data Type | The current type of data being detected, including metrics, logs, infrastructure, resource catalogs, events, application performance monitoring, user access monitoring, security inspections, networks, and Profile. |
| Measurement | The measurement set where the current detection metric resides. |
| Metric | The specific metric currently being detected. |
| Aggregation Algorithm | Includes Avg by (take the average), Min by (take the minimum), Max by (take the maximum), Sum by (sum), Last (take the last value), First by (take the first value), Count by (count the number of data points), Count_distinct by (count the number of non-repeating data points), p50 (take the median value), p75 (take the value at the 75th percentile), p90 (take the value at the 90th percentile), p99 (take the value at the 99th percentile). |
| Detection Dimensions | Any string type (keyword) field in the configuration data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. Guance will judge whether the statistical metric corresponding to a certain detection object meets the threshold condition to trigger an event. (For example, selecting detection dimensions host and host_ip, the detection object could be {host: host1, host_ip: 127.0.0.1}.) |
| Filtering Conditions | Filters the data of the detection metric based on tags associated with the metric, limiting the scope of the detected data; supports adding one or more tag filters; supports fuzzy matching and fuzzy mismatch filtering conditions. |
| Alias | Custom name for the detection metric. |
| Query Method | Supports simple queries and expression queries. |

Time ranges for detection intervals include last month, last week, yesterday, 1 hour ago, compared to the previous period, last 15 minutes, last 30 minutes, last 1 hour, last 4 hours, last 12 hours, and last 1 day.

Note

For the detection intervals “yesterday” and “one hour ago,” the comparison is made on the difference or percentage difference of the metric within the same time range. For other detection intervals, the comparison is made on the difference or percentage difference of the metric between two time periods.

Detection Frequency

The execution frequency of the detection rule, automatically matching the larger time range of the two selected detection intervals. Includes every 1 minute, 5 minutes, 15 minutes, 30 minutes, and 1 hour.

Trigger Conditions

Set the trigger conditions for alert levels. You can configure any one of the following trigger conditions: critical, major, minor, data gap, informational.

  1. Pre-trigger condition configuration: enabled by default. When the detection value meets the threshold set in the pre-trigger condition (supported operators: >, >=, <, <=; > is selected by default), evaluation continues with the mutation detection rules. Disable this configuration to evaluate only the mutation detection rules.

  2. Mutation rule configuration: the mutation detection rule compares data in one of three forms: upward mutations (data increase), downward mutations (data decrease), or both upward and downward mutations.

Configure trigger conditions and severity levels. When the query result contains multiple values, an event is generated if any value meets the trigger condition.

For more details, refer to Event Level Description.

Alert Levels
  1. Alert Levels Critical (Red), Major (Orange), Minor (Yellow): Based on the configured condition operators.

  2. Alert Level Normal (Green): Based on the configured number of detections, explained as follows:

    • Each execution of a detection task counts as one detection, e.g., if Detection Frequency = 5 minutes, then 1 detection = 5 minutes.
    • You can customize the number of detections, e.g., if Detection Frequency = 5 minutes, then 3 detections = 15 minutes.
    | Level | Description |
    | --- | --- |
    | Normal | After the detection rule takes effect, if critical, major, or minor abnormal events occur, and the data detection results return to normal within the configured number of custom detections, a recovery alert event is generated. |
    ⚠ Recovery alert events are not restricted by alert silencing. If the number of detections for recovery alert events is not set, the alert event will not recover and will remain in the Events > Unrecovered Events List.

Data Gaps

Seven strategies can be configured for data gaps.

  1. Linked to the detection interval time range: the query results of the most recent minutes for the detection metric are evaluated, and no event is triggered.

  2. Linked to the detection interval time range: the query results of the most recent minutes for the detection metric are evaluated, and the query results are treated as 0. In this case, the query results are re-compared with the thresholds configured in the trigger conditions to determine whether to trigger an anomaly event.

  3. Custom fill for the detection interval value, trigger data gap events, trigger critical events, trigger major events, trigger minor events, and trigger recovery events; if choosing this configuration strategy, the custom data gap time configuration should be >= detection interval time span. If the configured time is <= the detection interval time span, there may be simultaneous satisfaction of data gaps and anomalies, in which case only the data gap handling results will apply.

Information Generation

When this option is enabled, detection results that do not match the above trigger conditions will generate "information" events that are written into the log.

Note

If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority order applies: data gaps > trigger conditions > information event generation.
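
The evaluation order described on this page (data gap, then pre-trigger and mutation rule, then information event, with recovery after a configured number of normal detections) can be sketched as follows; this is an added example, not Guance's implementation. The function names, the single "critical" level, the formula (recent − baseline) / |baseline| × 100 for percentage change, and counting consecutive normal detections for recovery are all assumptions, and the sample data is constructed.

```python
import math
from statistics import mean

def pct_change(recent, baseline):
    """Assumed formula: (recent_avg - baseline_avg) / |baseline_avg| * 100."""
    cur, ref = mean(recent), mean(baseline)
    if ref == 0:  # no finite percentage exists against a zero baseline
        return math.copysign(math.inf, cur) if cur else 0.0
    return (cur - ref) / abs(ref) * 100.0

def evaluate(recent, baseline, threshold_pct=500.0, direction="up",
             pre_trigger=None, info_events=False):
    """Classify one detection run as data_gap, critical, info or ok."""
    # Priority 1: a data gap wins over every other condition.
    if not recent or not baseline:
        return "data_gap"
    change = pct_change(recent, baseline)
    # Pre-trigger (default operator >): the mutation rule only applies above it.
    armed = pre_trigger is None or mean(recent) > pre_trigger
    up = direction in ("up", "both") and change > threshold_pct
    down = direction in ("down", "both") and change < -threshold_pct
    # Priority 2: trigger conditions.
    if armed and (up or down):
        return "critical"
    # Priority 3: optional information event for non-matching results.
    return "info" if info_events else "ok"

def run(windows, recover_after=3, **rule):
    """Evaluate successive (recent, baseline) windows and add recovery events."""
    events, open_alert, normal_runs = [], False, 0
    for recent, baseline in windows:
        status = evaluate(recent, baseline, **rule)
        if status == "critical":
            open_alert, normal_runs = True, 0
        elif open_alert and status in ("ok", "info"):
            normal_runs += 1
            if normal_runs >= recover_after:
                status, open_alert, normal_runs = "recovered", False, 0
        events.append(status)
    return events

# Constructed sample: MySQL connection counts, 15-minute window vs. 1-day baseline.
BASELINE = [20, 22, 19, 21, 18]          # average = 20
SAMPLE_WINDOWS = [
    ([21, 20, 19], BASELINE),            # steady
    ([190, 210, 200], BASELINE),         # ten times the baseline: +900%
    ([], BASELINE),                      # no data returned for the window
    ([22, 20, 21], BASELINE),
    ([20, 19, 21], BASELINE),
    ([20, 20, 20], BASELINE),            # third normal run closes the alert
]
```

For a metric that cannot go negative, the assumed percentage change never falls below -100%, so a downward rule needs a threshold under 100% to ever fire.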

Other Configurations

For more details, refer to Rule Configuration.
