Network Data Monitoring


Network Data Monitoring monitors network performance metrics within the workspace. Users set threshold ranges, and alerts are triggered when metrics exceed these thresholds. Guance supports configuring alert rules for individual metrics and allows customization of alert severity levels.

Use Cases

Supports monitoring metric data from the netflow and httpflow data sources. For example, monitoring request counts, error counts, and error rates for host data sources labeled as httpflow.

Detection Configuration

Detection Frequency

The execution frequency of detection rules; default is 5 minutes.

Detection Interval

The time range queried for metrics each time a task is executed. This is influenced by the detection frequency, and available options may vary.

Detection Frequency    Detection Interval (Dropdown Options)
1m                     1m/5m/15m/30m/1h/3h
5m                     5m/15m/30m/1h/3h
15m                    15m/30m/1h/3h/6h
30m                    30m/1h/3h/6h
1h                     1h/3h/6h/12h/24h
6h                     6h/12h/24h
12h                    12h/24h
24h                    24h

Detection Metrics

Set the metrics for detecting data. Supports setting metrics for all services or individual services in the workspace over a specific time range.

Field: Description
Data Source: Supported: netflow, httpflow.
Metric:
  • netflow: Sent bytes, received bytes, tcp delay, tcp fluctuation, tcp connection count, tcp retransmission count, tcp close count;
  • httpflow: Request count, error count, error rate, average response time, P99 response time, P95 response time, P75 response time, P50 response time.
Filter Conditions: Filters data for the detected metrics based on metric tags, limiting the scope of the detected data. Supports adding one or more tag filters, including fuzzy matches and non-matches.
Detection Dimensions: Any string type (keyword) field in the configuration can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, you can determine a specific detection object. Guance will determine whether the statistical metric corresponding to a certain detection object meets the threshold conditions for triggering an event, and if so, generate an event. (For example, selecting detection dimensions host and host_ip would result in a detection object like {host: host1, host_ip: 127.0.0.1}.)

Trigger Conditions

Set the trigger conditions for alert levels. You can configure any one of the following trigger conditions: urgent, important, warning, or normal.

Configure trigger conditions and severity levels. When query results contain multiple values, any value that meets the trigger condition will generate an event.

For more details, refer to Event Level Description.

If Continuous Trigger Judgment is enabled, you can configure the number of consecutive triggers required before generating another event. The maximum limit is 10 times.

Alert Levels

1. Alert Levels Urgent (Red), Important (Orange), Warning (Yellow): Determined based on configured condition operators.

2. Alert Level Normal (Green): Based on the number of configured detections, as follows:

  • Each execution of a detection task counts as 1 detection, e.g., if Detection Frequency = 5 Minutes, then 1 detection = 5 minutes.
  • You can customize the number of detections, e.g., if Detection Frequency = 5 Minutes, then 3 detections = 15 minutes.

After the detection rule takes effect and generates urgent, important, or warning abnormal events, if the detection results return to normal within the configured number of custom detections, a recovery alert event is generated.

Recovery alert events are not restricted by Alert Mute. If no recovery alert detection count is set, the alert event will not recover and will remain in the Events > Unrecovered Events List.

Data Gaps

Seven strategies can be configured for data gap states.

1. Linked to the detection interval time range: evaluate the detection metric's query results for the most recent minutes, and trigger no event.

2. Linked to the detection interval time range: evaluate the detection metric's query results for the most recent minutes, and treat the query results as 0. The query results are then compared again with the thresholds configured in the Trigger Conditions section above to determine whether to trigger an anomaly event.

3. Customize the data gap detection interval value and trigger data gap events, urgent events, important events, warning events, or recovery events. If choosing this configuration strategy, it is recommended that the custom data gap time be >= the detection interval time. If the configured time is <= the detection interval time, data gap and anomaly conditions may be satisfied simultaneously, in which case only the data gap processing results apply.
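The constraints stated so far (frequency and interval pairing, the three-dimension limit, the cap of 10 consecutive triggers, the data gap time recommendation, and the recovery count) can be checked before a rule is saved. The following is an added example, not Guance code; the rule field names and the extra dimension names in the sample are hypothetical.

```python
import re

# Allowed detection intervals per detection frequency, copied from the table above.
ALLOWED_INTERVALS = {
    "1m": ["1m", "5m", "15m", "30m", "1h", "3h"],
    "5m": ["5m", "15m", "30m", "1h", "3h"],
    "15m": ["15m", "30m", "1h", "3h", "6h"],
    "30m": ["30m", "1h", "3h", "6h"],
    "1h": ["1h", "3h", "6h", "12h", "24h"],
    "6h": ["6h", "12h", "24h"],
    "12h": ["12h", "24h"],
    "24h": ["24h"],
}
DATA_SOURCES = {"netflow", "httpflow"}

def minutes(duration):
    """Convert a duration such as '15m' or '6h' to minutes."""
    value, unit = re.fullmatch(r"(\d+)([mh])", duration).groups()
    return int(value) * (60 if unit == "h" else 1)

def lint_rule(rule):
    """Return the problems found in a rule dict (field names are hypothetical)."""
    problems = []
    if rule.get("data_source") not in DATA_SOURCES:
        problems.append("data_source must be netflow or httpflow")
    freq, interval = rule.get("frequency", "5m"), rule.get("interval")  # default 5m
    interval_ok = freq in ALLOWED_INTERVALS and interval in ALLOWED_INTERVALS[freq]
    if not interval_ok:
        problems.append(f"interval {interval} is not offered for frequency {freq}")
    if len(rule.get("dimensions", [])) > 3:
        problems.append("at most three detection dimensions can be selected")
    if rule.get("consecutive_triggers", 1) > 10:
        problems.append("continuous trigger count is limited to 10")
    gap = rule.get("data_gap_time")
    if gap and interval_ok and minutes(gap) < minutes(interval):
        problems.append("data gap time < detection interval (recommended: >=)")
    if "recovery_detections" not in rule:
        problems.append("no recovery detection count: events stay unrecovered")
    return problems

# Constructed sample rules.
RULE_OK = {"data_source": "httpflow", "frequency": "5m", "interval": "15m",
           "dimensions": ["host", "host_ip"], "consecutive_triggers": 3,
           "data_gap_time": "15m", "recovery_detections": 3}
RULE_BAD = {"data_source": "httpflow", "frequency": "6h", "interval": "1h",
            "dimensions": ["host", "host_ip", "dim_c", "dim_d"],
            "consecutive_triggers": 12}
```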

Information Generation

When this option is enabled, unmatched detection results will generate "information" events and be written into the system.

Note

If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority applies: data gaps > trigger conditions > information event generation.

Other Configurations

For more details, refer to Rule Configuration.
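The priority order in this note can be modelled for a single detection run, as in the added example below. It is not Guance's implementation: the function, the strategy names, and the rule that the most severe matching level wins are assumptions, and the sample values are constructed.

```python
import operator

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}
LEVELS = ("urgent", "important", "warning")  # assumption: most severe match wins

def evaluate(results, conditions, gap_strategy="no_event", info_enabled=False):
    """Model one detection run.

    results:      {detection_object: value or None}; None means no data returned.
    conditions:   {level: (operator, threshold)}
    gap_strategy: "no_event", "treat_as_zero", or the event raised on a gap
                  ("data_gap", "urgent", "important", "warning", "recovery").
    Returns {detection_object: event_level} for objects that produce an event.
    """
    events = {}
    for obj, value in results.items():
        if value is None:                      # data gaps have top priority
            if gap_strategy == "no_event":
                continue
            if gap_strategy != "treat_as_zero":
                events[obj] = gap_strategy
                continue
            value = 0                          # compared with the thresholds below
        level = next((lv for lv in LEVELS if lv in conditions
                      and OPS[conditions[lv][0]](value, conditions[lv][1])), None)
        if level:                              # trigger conditions come second
            events[obj] = level
        elif info_enabled:                     # information events come last
            events[obj] = "info"
    return events

# Constructed sample: httpflow error rate (%) per {host, host_ip} detection object.
SAMPLE = {("host1", "127.0.0.1"): 12.0,
          ("host2", "10.0.0.2"): 0.4,
          ("host3", "10.0.0.3"): None}         # None = data gap
CONDITIONS = {"urgent": (">=", 10), "warning": (">=", 5)}
```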
