Network Data Detection
Network Data Detection monitors network performance Metrics within the workspace. Users set threshold ranges, and alerts are triggered when Metrics exceed these thresholds. Guance supports configuring alert rules for individual Metrics and allows customization of alert severity levels.
Use Cases
Supports monitoring Metric data from the netflow/httpflow data sources. For example, monitoring the request count, error count, and error rate of a HOST with httpflow as the data source.
Detection Configuration
Detection Frequency
The execution frequency of detection rules; default is 5 minutes.
Detection Interval
The time range queried for the detection Metrics each time a task is executed. The available detection intervals depend on the detection frequency.
Detection Frequency | Detection Interval (Dropdown Options) |
---|---|
30s | 1m/5m/15m/30m/1h/3h |
1m | 1m/5m/15m/30m/1h/3h |
5m | 5m/15m/30m/1h/3h |
15m | 15m/30m/1h/3h/6h |
30m | 30m/1h/3h/6h |
1h | 1h/3h/6h/12h/24h |
6h | 6h/12h/24h |
12h | 12h/24h |
24h | 24h |
Detection Metrics
Set the Metrics to detect. Metric data can be selected for all services or for specific services in the workspace within a certain time range.
Field | Description |
---|---|
Data Source | Supported: netflow, httpflow. |
Metrics | netflow: bytes sent, bytes received, tcp delay, tcp variance, tcp connection count, tcp retransmission count, tcp close count; httpflow: request count, error count, error rate, average response time, P99 response time, P95 response time, P75 response time, P50 response time. |
Filter Conditions | Filters the data of detection Metrics based on Metric tags, limiting the scope of detected data. Supports adding one or more tag filters, supporting fuzzy matching and non-fuzzy matching filter conditions. |
Detection Dimensions | Any string type (keyword) field in the configuration can be selected as a detection dimension. Currently, up to three fields are supported for detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. Guance will determine if the statistical Metric corresponding to a detection object meets the threshold condition for triggering an event. If it does, an event will be generated. (For example, selecting detection dimensions host and host_ip would make the detection object {host: host1, host_ip: 127.0.0.1}.) |
Trigger Conditions
Set the trigger conditions for alert levels. You can configure any one of the following trigger conditions: critical, major, minor, normal.
Configure the trigger conditions and severity level. When the query results contain multiple values, an event is generated if any value meets the trigger condition.
For more details, refer to Event Level Description.
If Continuous Trigger Judgment is enabled, you can configure the trigger condition to take effect after multiple consecutive judgments, generating events again. The maximum limit is 10 times.
Alert Levels
- Alert Levels Critical (Red), Major (Orange), Minor (Yellow): Based on configured condition judgment operators.
- Alert Level Normal (Green): Based on configured detection counts, as follows:
  - Each execution of a detection task counts as 1 detection, e.g., Detection Frequency = 5 minutes, then 1 detection = 5 minutes;
  - Customizable detection counts, e.g., Detection Frequency = 5 minutes, then 3 detections = 15 minutes.
After the detection rule takes effect and generates critical, major, or minor abnormal events, if the data detection result returns to normal within the configured custom detection count, a recovery alert event is generated.
Recovery alert events are not restricted by Alert Mute. If no recovery alert detection count is set, the alert event will not recover and will always appear in the Events > Unrecovered Events List.
Data Gaps
Seven strategies can be configured for data gap states.
- Linked to the detection interval time range: judge the query results of the most recent minutes of the detection Metric and do not trigger an event;
- Linked to the detection interval time range: judge the query results of the most recent minutes of the detection Metric and treat the query results as 0. The query results are then compared with the thresholds configured in the Trigger Conditions above to determine whether an abnormal event should be triggered.
- Customize fill-in detection interval values, trigger data gap events, trigger critical events, trigger major events, trigger minor events, and trigger recovery events. If this type of strategy is chosen, it is recommended that the custom data gap time be >= the detection interval time. If the configured time is <= the detection interval time, the data gap and anomaly conditions may be met at the same time. In such cases, only the data gap processing results will apply.
Information Generation
Enable this option to generate "Information" events for detection results that do not match the above trigger conditions.
Note
If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority order applies: data gaps > trigger conditions > information event generation.
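The following added example models how one detection run resolves to a single event under the priority order above, including recovery after a configured number of normal detections. It is not Guance code: the field names, the `>=` comparison, and treating recovery as N consecutive normal detections are assumptions, and the sample values are constructed.

```python
# Added illustration: a simplified model of one detection run per detection object.
# Field names, the ">=" operator and the recovery rule are assumptions, not Guance's API.
from dataclasses import dataclass
from typing import Optional

LEVELS = ("critical", "major", "minor")   # checked from most to least severe

@dataclass
class Rule:
    thresholds: dict                  # level -> value at or above which it triggers
    gap_event: Optional[str] = None   # event emitted on a data gap; None = do not trigger
    gap_as_zero: bool = False         # data gap strategy "treat query results as 0"
    info_events: bool = False         # the Information Generation switch
    recover_after: int = 0            # normal detections needed to recover; 0 = never

@dataclass
class State:                          # kept per detection object, e.g. {host, host_ip}
    alerting: bool = False
    normal_runs: int = 0

def evaluate(rule, state, values):
    """Return the event produced by one run for one detection object, or None."""
    if not values:                                # 1. data gaps take priority
        if not rule.gap_as_zero:
            return rule.gap_event
        values = [0]                              # then judged against the thresholds
    for level in LEVELS:                          # 2. trigger conditions, any value matches
        limit = rule.thresholds.get(level)
        if limit is not None and any(v >= limit for v in values):
            state.alerting, state.normal_runs = True, 0
            return level
    if state.alerting:                            # normal result while an alert is open
        state.normal_runs += 1
        if not rule.recover_after or state.normal_runs < rule.recover_after:
            return None                           # event stays unrecovered
        state.alerting, state.normal_runs = False, 0
        return "recovery"
    return "info" if rule.info_events else None   # 3. information events

def run(rule, series):
    """Evaluate consecutive runs (one list of query values each) for one object."""
    state = State()
    return [evaluate(rule, state, values) for values in series]

# Constructed sample: httpflow error rate for one host over seven runs.
SAMPLE = [[0.02], [0.6, 0.05], [0.2], [], [0.01], [0.03], [0.02]]
RULE = Rule({"critical": 0.5, "minor": 0.1}, gap_event="data_gap",
            info_events=True, recover_after=2)

if __name__ == "__main__":
    print(run(RULE, SAMPLE))
```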
Other Configurations
For more details, refer to Rule Configuration.