Outlier Detection¶
By analyzing the metrics or statistical data of detection objects within a specific group using algorithms, it identifies whether there are significant outlier deviations. If the detected inconsistencies exceed the preset threshold, the system will generate an outlier detection incident for subsequent alarm tracking and analysis. This method helps to promptly identify and handle potential abnormal situations, improving the accuracy and response speed of monitoring.
Use Cases¶
You can configure appropriate distance parameters based on the characteristics of metric data to trigger emergency events when the data significantly deviates from the normal range. For example, you can set up monitoring so that when the memory usage of a particular host is significantly higher than other hosts, the system can issue alerts in time. Such configurations help quickly identify and respond to potential performance issues or anomalies.
Detection Configuration¶
Detection Frequency¶
Automatically matches the selected detection interval.
Detection Interval¶
The time range for querying detection metrics.
| Detection Interval (Dropdown Options) | Default Detection Frequency |
|---|---|
| 15m | 5m |
| 30m | 5m |
| 1h | 15m |
| 4h | 30m |
| 12h | 1h |
| 1d | 1h |
Detection Metrics¶
The monitored metric data.
| Field | Description |
|---|---|
| Data Type | The current data type being detected, including metrics, logs, infrastructure, resource catalogs, events, APMs, RUMs, security checks, networks, and profiles. |
| Measurement | The measurement set where the current detection metric resides. |
| Metric | The metric currently being detected. |
| Aggregation Algorithm | Includes Avg by (take average), Min by (take minimum), Max by (take maximum), Sum by (sum up), Last (take last value), First by (take first value), Count by (take number of data points), Count_distinct by (take number of non-repeating data points), p50 (take median value), p75 (take value at 75% position), p90 (take value at 90% position), p99 (take value at 99% position). |
| Detection Dimensions | Any string type (keyword) fields in the configured data can be selected as detection dimensions. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined, Guance will judge whether the statistical metrics corresponding to a detection object meet the threshold conditions for triggering; if the conditions are met, an event is generated.* (For example, selecting detection dimensions host and host_ip, the detection object could be {host: host1, host_ip: 127.0.0.1}.) |
| Filtering Conditions | Filters the data of detection metrics based on metric tags, limiting the scope of detection data; supports adding one or more tag filters; supports fuzzy matching and fuzzy non-matching filtering conditions. |
| Alias | Custom name for the detection metric. |
| Query Method | Supports simple queries and expression queries. |
Trigger Conditions¶
Set the trigger conditions for alarm levels: You can configure any one of the following trigger conditions - critical, normal, data gap, or informational.
Configure trigger conditions and severity levels. When the query results contain multiple values, any value meeting the trigger condition will generate an event.
Severity |
Description |
|---|---|
| Critical (Red) | Uses DBSCAN algorithm. Distance parameters can be configured based on the characteristics of the metric data to trigger critical events. Distance parameter indicates the maximum distance between two samples that are considered neighbors, not the maximum boundary distance within a cluster. (float, default=0.5) You can configure any floating-point value within the range(0-3.0). If not configured, the default distance parameter is 0.5. Larger distance settings result in fewer anomalies detected, while too small distance values may detect too many outliers, and too large distance values may result in no outliers being detected, so appropriate distance parameters should be set according to different data characteristics. |
| Normal (Green) | Configurable number of times. If the detection metric triggers a "critical" anomaly event, and then N consecutive detections are normal, a "normal" event is generated. This is used to determine whether the anomaly has returned to normal, it's recommended to configure this. |
Data Gap¶
Seven strategies can be configured for the data gap state.
-
Link with the detection interval time range, judge the query results of the most recent minutes for the detection metric, do not trigger events;
-
Link with the detection interval time range, judge the query results of the most recent minutes for the detection metric, consider the query results as 0; at this point, the query results will be re-compared with the thresholds configured in the trigger conditions above to determine whether to trigger an anomaly event.
-
Customize the fill value for the detection interval, trigger data gap events, trigger critical events, trigger major events, trigger warning events, and trigger recovery events; if this type of configuration strategy is selected, it is recommended to configure the custom data gap time to be >= detection interval time. If the configured time <= the detection interval time, there might be simultaneous satisfaction of data gaps and anomalies, in which case only the data gap handling results will be applied.
Information Generation¶
After enabling this option, detection results that do not match the above trigger conditions will generate "informational" events and be written.
Note
If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority order applies for triggering: data gap > trigger condition > information event generation.
Other Configurations¶
For more details, refer to Rule Configuration.