Outlier Detection¶
Current Document Location
This document is the second step in the detection rule configuration process. After completing the configuration, please return to the main document to continue with the third step: Event Notification.
By analyzing the metrics or statistical data of detection objects within specific groups using algorithms, it identifies whether significant outlier deviations exist. If the detected inconsistency exceeds the preset threshold, the system will generate an outlier detection anomaly event for subsequent alert tracking and analysis. This method helps to promptly discover and handle potential anomalies, improving monitoring accuracy and response speed.
It is suitable for configuring appropriate distance parameters based on the characteristics of metric data to trigger alerts when data significantly deviates from the normal range. For example, when the memory usage of a host is significantly higher than other hosts in the same group, the system can promptly issue an alert, quickly identifying and responding to potential performance issues.
Detection Configuration¶
Detection Frequency¶
Set the time period for executing detection, automatically matching the selected detection interval.
- Default selection: 5 minutes
Detection Interval¶
Set the data time range queried for each detection (❗️ The detection interval should be greater than or equal to the detection frequency, and should match the actual data reporting cycle to avoid missed detections or false alarms).
| Detection Interval (Dropdown Options) | Detection Frequency |
|---|---|
| 15m | 5m |
| 30m | 5m |
| 1h | 15m |
| 4h | 30m |
| 12h | 1h |
| 1d | 1h |
Detection Metrics¶
Define the detection data source and aggregation method based on DQL (❗️ Avoid selecting high-cardinality fields as detection dimensions. If configured improperly, overly lenient trigger conditions may cause frequent alerts. The current query returns a maximum of 100,000 records).
Configuration Elements¶
| Configuration Item | Description |
|---|---|
| Workspace | Defaults to the current workspace, can be switched to other authorized workspaces After authorization, you can use detection metrics from other workspaces under the current account to create monitors. Once the rule is created successfully, cross-workspace alert configuration can be achieved. Please note that when you select another workspace, the dropdown list for detection metrics will only display data types that have been authorized for use in the current workspace. |
| Data Source Type | Metrics, LOG, Infrastructure, Resource Catalog, Events, APM, RUM, Network, Profile, etc. |
| Query Method | Simple Query, Expression Query |
| Filter Conditions | Filter the data of detection metrics based on metric tags to limit the data scope of detection; supports adding one or multiple tag filters; supports fuzzy matching and fuzzy non-matching filter conditions. |
| Aggregation Algorithm | Avg by (average), Min by (minimum), Max by (maximum), Sum by (sum), Last (last value), First by (first value), Count by (data point count), Count_distinct by (distinct data point count), p50 (median value), p75 (value at the 75th percentile), p90 (value at the 90th percentile), p99 (value at the 99th percentile). |
| Detection Dimension | Any string-type (keyword) field in the configuration data can be selected as a detection dimension. Currently, a maximum of three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. The system will judge whether the statistical metrics corresponding to a detection object meet the threshold of the trigger condition. If the condition is met, an event is generated.(For example, selecting detection dimensions host and host_ip, the detection object could be {host: host1, host_ip: 127.0.0.1}.) |
| Alias | Custom detection metric name. |
Click to view Query Method Details.
Trigger Conditions¶
Configure trigger conditions and severity levels. When the query result contains multiple values, an event is generated if any value meets the trigger condition.
Outlier detection uses the DBSCAN algorithm to identify anomalies, supporting configuration of Critical level thresholds and Normal recovery conditions.
| Level | Configuration | Description |
|---|---|---|
| Critical | DBSCAN algorithm, distance [value] |
Uses the DBSCAN algorithm to detect outliers. The distance parameter represents the maximum distance between two samples for one to be considered adjacent to the other (float, default=0.5). ❗️ You can configure any floating-point value within the range (0-3.0). If not configured, the default distance parameter is 0.5. A larger distance setting results in fewer detected outliers. Setting the distance value too small may detect many outliers, while setting it too large may result in no outliers being detected. It is necessary to set an appropriate distance parameter based on different data characteristics. |
| Normal | No events generated for [N] consecutive detections |
After the detection rule takes effect, if the data detection result changes from abnormal (Critical) back to normal within the configured number of custom detections, a recovery alert event is triggered. ❗️ Recovery alert events are not subject to Alert Mute restrictions. If the number of detections for recovery alert events is not set, the alert event will not recover and will remain in the Events > Unrecovered Events List. |
For more details, refer to Event Level Description.
Bulk Alert Protection¶
Enabled by default.
When the number of alerts generated in a single detection exceeds the preset threshold, the system automatically switches to a status summary strategy: instead of processing each alert object individually, it generates a small number of summary alerts based on event status and pushes them.
This ensures the timeliness of notifications while significantly reducing alert noise and avoiding timeout risks caused by processing too many alerts.
When this switch is enabled, subsequent Event Details generated by monitors detecting anomalies will not display historical records and associated events.
Data Gap¶
The handling strategy when the detection metric query result is empty within the detection interval:
| Option | Description |
|---|---|
| Do Not Trigger Event (Default) | Links to the time range of the detection interval. Determines whether to generate an event based on the query results of the detection metric in the last several minutes. Suitable for scenarios where data gaps are allowed. |
| Treat Query Result as 0 | Links to the time range of the detection interval. Treats the query results of the detection metric in the last several minutes as 0, and re-compares them with the threshold configured in the Trigger Conditions above to determine whether to trigger an anomaly event. |
| Custom Fill and Trigger Event | Supports custom filling of the detection interval value and triggers the following event types respectively: Data Gap Event, Critical Event, Important Event, Warning Event, and Recovery Event. ❗️ When choosing this strategy, it is recommended to configure the custom data gap time ≥ the detection interval time. If the configured time ≤ the detection interval time, situations where both data gap and anomaly conditions are met may occur. In such cases, the data gap processing result will be applied first. |
When trigger conditions, data gap, and information generation are configured simultaneously, the triggering priority is determined as follows: Data Gap > Trigger Conditions > Information Event Generation.
That is: first determine if there is a data gap, then determine if the threshold is triggered, and finally determine if an information event should be generated.
Information Generation¶
After enabling this option, the system will write all detection results that do not match the above trigger conditions as "Information" events.
Suitable for scenarios requiring recording of normal status changes or low-priority information.
Next Steps¶
After completing the above detection configuration, please continue to configure:
-
Event Notification: Define event title, content, notification members, data gap handling, and associated incidents;
-
Alert Configuration: Select alert strategies, set notification targets, and mute periods;
-
Association: Associate dashboards for quick jump to view data;
-
Permissions: Set operation permissions to control who can edit/delete this monitor.