Outlier Detection


Outlier detection uses algorithms to analyze the metrics or statistics of the detection objects within a specific group and identify whether any of them shows a significant outlier deviation. If the detected inconsistencies exceed the preset threshold, the system generates an outlier detection anomaly event for subsequent alarm tracking and analysis. This method helps to promptly identify and handle potential abnormal situations, improving the accuracy and response speed of monitoring.

Use Cases

You can configure appropriate distance parameters based on the characteristics of the metric data so that urgent events are triggered when the data significantly deviates from the normal range. For example, you can set up monitoring so that the system sends an alert in a timely manner when the memory usage of a certain host is significantly higher than other hosts. Such configurations help quickly identify and respond to potential performance issues or anomalies.

Detection Configuration

Detection Frequency

This automatically matches the selected detection interval. The default selection is 5 minutes.

Detection Interval

This refers to the time range for querying detection metrics.

| Detection Interval (Dropdown Options) | Default Detection Frequency |
| --- | --- |
| 15m | 5m |
| 30m | 5m |
| 1h | 15m |
| 4h | 30m |
| 12h | 1h |
| 1d | 1h |

Detection Metrics

This refers to the monitored metric data.

| Field | Description |
| --- | --- |
| Data Types | The type of data currently being detected, including detection metrics, logs, infrastructure, resource catalogs, events, APM, RUM, security checks, networks, and profiles. |
| Measurement Sets | The measurement set where the current detection metrics reside. |
| Metrics | The specific metric being targeted by the current detection. |
| Aggregation Algorithm | Includes Avg by (average), Min by (minimum), Max by (maximum), Sum by (sum), Last (last value), First by (first value), Count by (number of data points), Count_distinct by (number of non-repeating data points), p50 (median value), p75 (value at 75% position), p90 (value at 90% position), p99 (value at 99% position). |
| Detection Dimensions | Any string type (keyword) field in the configuration data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. Guance will determine if the statistical metric corresponding to a detection object meets the threshold condition for triggering an event; if the condition is met, an event will be generated. (For example, selecting detection dimensions host and host_ip, the detection object could be {host: host1, host_ip: 127.0.0.1}.) |
| Filter Conditions | Filters the data of the detection metrics based on the labels of the metrics, limiting the scope of the detected data; supports adding one or more label filters; supports fuzzy matching and fuzzy non-matching filter conditions. |
| Alias | Custom name for the detection metric. |
| Query Method | Supports simple queries and expression-based queries. |

Trigger Conditions

Set trigger conditions for alarm levels: you can configure any one of the following trigger conditions: critical, normal, data interruption, informational.

Configure trigger conditions and severity levels; when the query result contains multiple values, an event is generated if any value satisfies the trigger condition.

| Severity | Description |
| --- | --- |
| Critical (Red) | Uses the DBSCAN algorithm. Configure an appropriate distance parameter based on the characteristics of the metric data to trigger critical events. The distance parameter is the maximum distance between two samples for them to be considered neighbors; it is not an upper limit on distances within a cluster. (float, default=0.5) ⚠ You can select any floating-point value within the range 0 to 3.0. If no configuration is provided, the default distance parameter is 0.5. Larger distance settings result in fewer detected anomalies, while very small distance settings may detect too many outliers, and overly large distance settings may lead to no outliers being detected. Therefore, suitable distance parameters should be configured according to different data characteristics. |
| Normal (Green) | You can configure a count N: if the detection metric has triggered a "critical" anomaly event and the next N consecutive detections are normal, a "normal" event is generated. This is used to determine whether the anomaly has returned to normal, and it is recommended to configure this setting. |
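
The effect of the distance parameter described above, shown as an added example that is not Guance's implementation: a minimal DBSCAN over one metric value per detection object. The z-score normalization, `min_samples=3`, and the host values are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def zscores(values):
    """Standardize values so one distance setting fits any metric scale (assumption)."""
    mu, sigma = mean(values), pstdev(values)
    return [0.0 if sigma == 0 else (v - mu) / sigma for v in values]

def dbscan_outliers(points, eps=0.5, min_samples=3):
    """Return indices of 1-D points that DBSCAN leaves as noise (outliers).

    eps is the page's distance parameter: the maximum distance at which two
    samples count as neighbors. min_samples is an assumed setting.
    """
    n = len(points)
    neighbors = [[j for j in range(n) if abs(points[i] - points[j]) <= eps]
                 for i in range(n)]            # every point neighbors itself
    core = [len(nb) >= min_samples for nb in neighbors]
    label = [None] * n                         # None = not in any cluster
    cluster = 0
    for i in range(n):
        if label[i] is not None or not core[i]:
            continue                           # only core points seed clusters
        label[i] = cluster
        stack = [i]
        while stack:                           # expand through core points
            p = stack.pop()
            for q in neighbors[p]:
                if label[q] is None:
                    label[q] = cluster         # border or core point joins
                    if core[q]:
                        stack.append(q)
        cluster += 1
    return [i for i in range(n) if label[i] is None]

def outlier_hosts(usage, eps=0.5, min_samples=3):
    """Map host -> metric value to the list of hosts flagged as outliers."""
    hosts = list(usage)
    z = zscores([usage[h] for h in hosts])
    return [hosts[i] for i in dbscan_outliers(z, eps, min_samples)]

# Constructed sample: memory usage (%) per host within one detection interval.
SAMPLE = {"host1": 41.0, "host2": 43.5, "host3": 42.2, "host4": 44.1,
          "host5": 40.3, "host6": 43.0, "host7": 92.0, "host8": 50.0}

if __name__ == "__main__":
    for eps in (0.05, 0.2, 0.5, 3.0):
        print(eps, outlier_hosts(SAMPLE, eps=eps))
```

On this sample the default 0.5 flags only host7, 0.05 also flags hosts that belong to the normal group, and 3.0 flags nothing, which matches the tuning guidance in the note.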

Data Interruption

Seven strategies can be configured for data interruption states.

  1. Linked with the detection interval time range, judge the query results of the most recent minutes for the detection metric, no event is triggered;

  2. Linked with the detection interval time range, judge the query results of the most recent minutes for the detection metric, the query result is treated as 0; at this point, the query result will be re-compared with the thresholds configured in the trigger conditions above to determine whether an anomaly event should be triggered.

  3. Custom fill for the detection interval value, triggers data interruption events, critical events, important events, warning events, and recovery events; if this type of configuration strategy is selected, the custom data interruption time configuration is recommended to be >= detection interval time span. If the configured time <= the detection interval time span, both data interruption and anomaly situations might be satisfied simultaneously; in such cases, only the data interruption handling result will be applied.

Information Generation

After enabling this option, detection results that do not match the aforementioned trigger conditions will generate "information" events and be recorded.

Note

When configuring trigger conditions, data interruptions, and information generation simultaneously, the following priority applies for triggering: data interruption > trigger conditions > information event generation.

Other Configurations

For more details, refer to Rule Configuration.
