Outlier Detection¶
Through algorithm analysis of metrics or statistical data of detection objects within specific groups, significant outlier deviations can be identified. If the detected inconsistency exceeds the preset threshold, the system will generate an outlier detection anomaly event for subsequent alert tracking and analysis. This method helps to promptly detect and handle potential abnormal situations, improving the accuracy and response speed of monitoring.
Use Cases¶
Based on the characteristics of metric data, appropriate distance parameters can be configured to trigger emergency events when data significantly deviates from the normal range. For example, you can set up monitoring so that when the memory usage of a host is significantly higher than other hosts, the system can issue an alert in time. Such configuration helps to quickly identify and respond to potential performance issues or abnormal situations.
Configuration¶
Detection Frequency¶
Automatically matches the selected detection interval. The default is 5 minutes.
Detection Interval¶
The time range for querying detection metrics.
| Detection Interval (Dropdown Options) | Default Detection Frequency |
|---|---|
| 15m | 5m |
| 30m | 5m |
| 1h | 15m |
| 4h | 30m |
| 12h | 1h |
| 1d | 1h |
Detection Metrics¶
The metric data being monitored.
| Field | Description |
|---|---|
| Data Type | The current detection data type, including detection metrics, logs, infrastructure, Resource Catalog, events, APM, RUM, network, and Profile. |
| Measurement | The measurement where the current detection metric is located. |
| Metric | The metric targeted by the current detection. |
| Aggregation Algorithm | Includes Avg by (average), Min by (minimum), Max by (maximum), Sum by (sum), Last (last value), First by (first value), Count by (data point count), Count_distinct by (unique data point count), p50 (median), p75 (75th percentile), p90 (90th percentile), p99 (99th percentile). |
| Detection Dimension | String type (keyword) fields in the configuration data can be selected as detection dimensions. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined, Guance will determine whether the statistical metrics of a detection object meet the threshold of the trigger condition. If the condition is met, an event will be generated.(For example, selecting detection dimensions host and host_ip, the detection object can be {host: host1, host_ip: 127.0.0.1}.) |
| Filter Conditions | Filter the detection metric data based on metric tags to limit the data range; supports adding one or more tag filters; supports fuzzy match and fuzzy mismatch filter conditions. |
| Alias | Custom detection metric name. |
| Query Method | Supports simple query and expression query. |
Trigger Conditions¶
Set the trigger conditions for alert levels: You can configure any one of the emergency, normal, data gap, and information trigger conditions.
Configure trigger conditions and severity. When the query result is multiple values, any value that meets the trigger condition will generate an event.
Severity |
Description |
|---|---|
| Emergency (Red) | Use the DBSCAN algorithm, configure appropriate distance parameters based on metric data characteristics to trigger emergency events. The distance parameter represents the maximum distance between two samples where one sample is adjacent to another, not the maximum limit of the intra-cluster point distance. (float, default=0.5) You can configure any floating-point value in the range(0-3.0). If not configured, the default distance parameter is 0.5. The larger the distance setting, the fewer the outlier points detected. If the distance value is set too small, many outliers may be detected. If the distance value is set too large, no outliers may be detected. Therefore, it is necessary to set an appropriate distance parameter based on different data characteristics. |
| Normal (Green) | You can configure the number of times. If the detection metric triggers an "emergency" anomaly event, and then the next N consecutive detections are normal, a "normal" event will be generated. Used to determine whether the anomaly event has returned to normal, recommended to configure. |
Data Gap¶
For data gap status, seven strategies can be configured.
-
Link to the detection interval time range, judge the query result of the recent minutes of the detection metric, do not trigger an event;
-
Link to the detection interval time range, judge the query result of the recent minutes of the detection metric, the query result is considered as 0; at this time, the query result will be re-compared with the threshold configured in the Trigger Conditions above to determine whether to trigger an anomaly event.
-
Custom fill the detection interval value, trigger data gap event, trigger emergency event, trigger important event, trigger warning event, and trigger recovery event; when selecting this type of configuration strategy, it is recommended to configure the custom data gap time >= detection interval time interval. If the configured time <= detection interval time interval, there may be situations where both data gap and anomaly conditions are met. In this case, only the data gap processing result will be applied.
Information Generation¶
Enable this option to generate "information" events for detection results that do not match the above trigger conditions.
Note
When trigger conditions, data gap, and information generation are configured simultaneously, the triggering is judged according to the following priority: data gap > trigger conditions > information event generation.
Other Configuration¶
For more details, refer to Rule Configuration.