Mutation Detection


Mutation Detection compares the absolute change or relative percentage change of the same metric over two different time periods to determine whether an anomaly has occurred. This method is commonly used to track peaks or fluctuations in metrics. When an anomaly is detected, it generates more precise event records for subsequent analysis and processing.

Use Cases

Mutation Detection is suitable for monitoring short-term relative changes or change rates compared to long-term data. For example, configure the MySQL connection count metric with a percentage difference greater than 500% between the last 15 minutes and the average of the past day: if the average connection count in the last 15 minutes exceeds 5 times the average connection count of the past day, the system triggers an alert.

It is recommended to use statistical functions such as average (AVG), maximum (MAX), minimum (MIN), etc., to calculate these metrics, rather than using the last value (LAST) function, to reduce the impact of abnormal data and improve monitoring accuracy.

Configuration File

Detection Metric

This refers to the metric data being monitored. The difference or percentage difference of this metric over two time periods can be compared.

Field: Description
Data Type: The data type of the current detection rule.
Measurement: The measurement where the current detection metric is located.
Metric: The metric targeted by the current detection.
Aggregation Algorithm: Includes Avg by (average value), Min by (minimum value), Max by (maximum value), Sum by (sum), Last (last value), First by (first value), Count by (number of data points), Count_distinct by (number of distinct data points), p50 (median value), p75 (value at the 75th percentile), p90 (value at the 90th percentile), p99 (value at the 99th percentile).
Detection Dimension: Any string-type (keyword) fields in the configuration data can be selected as detection dimensions. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. Guance will determine whether the statistical metric of a detection object meets the threshold of the trigger condition. If the condition is met, an event is generated. (For example, selecting detection dimensions host and host_ip means the detection object can be {host: host1, host_ip: 127.0.0.1}.)
Filter Condition: Filters the data of the detection metric based on the metric's tags to limit the data scope of the detection. Supports adding one or more tag filters. Supports fuzzy match and fuzzy not-match filter conditions.
Alias: Custom name for the detection metric.
Query Method: Supports simple query and expression query.

The selectable detection intervals for time periods include last month, last week, yesterday, 1 hour ago, compared to the previous period, last 15 minutes, last 30 minutes, last 1 hour, last 4 hours, last 12 hours, and last 1 day.

Note

The detection intervals "yesterday" and "one hour ago" compare the difference or percentage difference of the detection metric within the same time range. Other detection intervals compare the difference or percentage difference of the detection metric over two time periods.

Cross-Workspace Query Metric

After authorization, detection metrics from other workspaces under the current account can be selected. After the monitor rule is successfully created, cross-workspace alert configuration can be achieved.

Note

After selecting another workspace, the detection metric dropdown options will only display data types that have been authorized for the current workspace.

Detection Frequency

The execution frequency of the detection rule automatically matches the larger time range between the two detection intervals selected by the user. Default is 5 minutes.

Trigger Conditions

Configure the trigger conditions for alert levels. You can configure any one of the following trigger conditions: Critical, Important, Warning, Data Gap, or Info.

  1. Trigger Precondition Configuration: Enabled by default; when the detection value meets the threshold set in the trigger precondition (operators supported: >, >=, <, <=, default is >), the mutation detection rule judgment continues; if this configuration is turned off, only the mutation detection rule judgment is performed.

  2. Mutation Rule Configuration: Three forms of data comparison for mutation detection rule judgment: Upward (data increase), Downward (data decrease), or Upward or Downward.

Configure trigger conditions and severity. When the query result contains multiple values, an event is generated if any value meets the trigger condition.

For more details, refer to Event Level Description.

Bulk Alert Protection

Enabled by default.

When the number of alerts generated in a single detection exceeds a preset threshold, the system automatically switches to a status-based aggregation strategy: instead of processing each alert object individually, it generates a small number of summary alerts based on event status and pushes them.

This ensures the timeliness of notifications while significantly reducing alert noise and avoiding timeout risks caused by processing too many alerts.

Note

When this switch is enabled, the subsequent Event Details generated after the monitor detects an anomaly will not display historical records and associated events.

Alert Level

  1. Alert Level Critical (red), Important (orange), Warning (yellow);

  2. Alert Level Normal (green): Based on the configured number of detection times, explained as follows:

    • Each execution of a detection task counts as 1 detection. For example, if Detection Frequency = 5 minutes, then 1 detection = 5 minutes;

    • The number of detections can be customized. For example, if Detection Frequency = 5 minutes, then 3 detections = 15 minutes.

    Level: Description
    Normal: After the detection rule takes effect, if an abnormal event of Critical, Important, or Warning level occurs and the data detection result returns to normal within the configured number of custom detections, a recovery alert event is generated.
    ❗️ Recovery alert events are not subject to Alert Silence restrictions. If the number of recovery alert event detections is not set, the alert event will not recover and will remain in the Events > Unrecovered Events List.

Data Gap

Seven strategies can be configured for the data gap status.

  1. Linked to the detection interval time range: judge the query result of the detection metric for the recent number of minutes and do not trigger an event.

  2. Linked to the detection interval time range: judge the query result of the detection metric for the recent number of minutes and treat the query result as 0. The query result is then re-compared with the threshold configured in the Trigger Conditions above to determine whether to trigger an abnormal event.

  3. Fill in a custom detection interval value and trigger a data gap event, a critical event, an important event, a warning event, or a recovery event. If this type of strategy is selected, the recommended custom data gap time is >= the detection interval. If the configured time is <= the detection interval, both the data gap and the abnormal conditions may be met at the same time. In such cases, only the data gap processing result is applied.

Info Generation

After enabling this option, detection results that do not match any of the above trigger conditions are written as "Info" events.

Note

If Trigger Conditions, Data Gap, and Info Generation are configured simultaneously, the triggering priority is judged as follows: Data Gap > Trigger Conditions > Info Event Generation.
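
The evaluation order described above (Data Gap, then Trigger Conditions, then Info), as an added example that is not Guance's own code. The percentage-change formula, the threshold values, the `>` precondition on the recent average, and all names are assumptions made for illustration.

```python
from statistics import mean

# Thresholds on the percentage change, most severe first (constructed values).
LEVELS = [("critical", 500.0), ("important", 200.0), ("warning", 50.0)]

def pct_change(recent, baseline):
    """Percentage change of recent vs. baseline; None when the baseline is 0."""
    if baseline == 0:
        return None
    return (recent - baseline) / abs(baseline) * 100.0

def evaluate(recent_points, baseline_points, direction="up",
             precondition=None, info_enabled=True):
    """Return the event status for one detection object, or None for no event.

    direction: "up" (Upward), "down" (Downward) or "both" (Upward or Downward).
    precondition: value the recent average must exceed before the mutation
                  rule is judged; None means the precondition switch is off.
    """
    # 1. Data Gap has the highest priority.
    if not recent_points or not baseline_points:
        return "data_gap"
    # Aggregate with AVG rather than LAST so that one outlier point
    # does not decide the result on its own.
    recent, baseline = mean(recent_points), mean(baseline_points)
    change = pct_change(recent, baseline)
    # 2. Trigger Conditions: optional precondition, then the mutation rule.
    precondition_ok = precondition is None or recent > precondition
    if precondition_ok and change is not None:
        magnitude = {"up": change, "down": -change, "both": abs(change)}[direction]
        for level, threshold in LEVELS:
            if magnitude > threshold:
                return level
    # 3. Info is generated only when nothing above matched.
    return "info" if info_enabled else None

# Constructed samples: connection counts for the past day and the last 15 minutes.
BASELINE_DAY = [40, 42, 38, 41, 39]   # average 40
SPIKE_15M = [400, 420, 380]           # average 400, change +900%
DROP_15M = [4, 5, 3]                  # average 4, change -90%
ONE_OUTLIER = [40, 41, 39, 400]       # LAST is 400, average is 130 (+225%)

if __name__ == "__main__":
    for name, pts in [("spike", SPIKE_15M), ("drop", DROP_15M),
                      ("outlier", ONE_OUTLIER), ("gap", [])]:
        print(name, evaluate(pts, BASELINE_DAY, direction="both"))
```
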

Other Configuration

For more details, refer to Rule Configuration.
