Process Anomaly Detection¶
Monitors process data within the workspace and supports configuring alert trigger conditions for one or more field types in the process data.
Detection Configuration¶
Detection Frequency¶
Refers to the execution frequency of the detection rule.
Detection Interval¶
Refers to the time range queried for the detection metrics. The available detection intervals depend on the selected detection frequency:
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 30s | 1m/5m/15m/30m/1h/3h |
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Detection Metrics¶
Set the metric data to be detected. Supports setting the number of occurrences of one or more field type keywords in process data within the current workspace over a certain time range.
| Field | Description |
|---|---|
| Process | Requires manual input of the process name. Supports wildcards for fuzzy matching. Multiple values should be separated by ",". |
| Filter Conditions | Supports filtering fields of process data to limit the scope of detected data. Supports adding one or more tag filters. |
| Detection Dimensions | Any string-type (keyword) field in the configured data can be selected as a detection dimension. Currently, a maximum of three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be defined. Guance will determine whether the statistical metrics for a detection object meet the threshold of the trigger conditions. If the conditions are met, an event is generated. (For example, selecting the detection dimensions host and host_ip means the detection object could be {host: host1, host_ip: 127.0.0.1}.) |
Trigger Conditions¶
Set the trigger conditions for alert severity levels: you can configure any one of the trigger conditions for Critical, Major, Warning, or Normal.
Configure the trigger conditions and severity. When the query result contains multiple values, an event is generated if any value meets the trigger condition.
For more details, refer to Event Level Description.
Consecutive Trigger Judgment¶
If Consecutive Trigger Judgment is enabled, you can configure that an event is generated only after the trigger condition is met for a consecutive number of times. The maximum is 10 times.
Bulk Alert Protection¶
Enabled by default.
When the number of alerts generated in a single detection exceeds a preset threshold, the system automatically switches to a status aggregation strategy: instead of processing each alert object individually, it generates a small number of summary alerts based on event status and pushes them.
This ensures the timeliness of notifications while significantly reducing alert noise and avoiding timeout risks caused by processing too many alerts.
Note
When this switch is enabled, the subsequent Event Details generated by the monitor for such anomalies will not display historical records and associated events.
Alert Severity¶
- Alert Severity Critical (red), Major (orange), Warning (yellow);
- Alert Severity Normal (green): based on the configured number of detections, explained as follows:
  - Each execution of a detection task counts as 1 detection. For example, if Detection Frequency = 5 minutes, then 1 detection = 5 minutes;
  - The number of detections can be customized. For example, if Detection Frequency = 5 minutes, then 3 detections = 15 minutes.

| Level | Description |
|---|---|
| Normal | After the detection rule takes effect, if a Critical, Major, or Warning abnormal event occurs and the data detection result returns to normal within the configured custom number of detections, a recovery alert event is generated. |

❗️ Recovery alert events are not subject to Alert Silence restrictions. If the number of detections for recovery alert events is not set, the alert event will not recover and will remain in the Events > Unrecovered Events List.
Data Gap¶
Seven strategies can be configured for data gap status.
- Linked to the detection interval time range: judge the query result of the detection metric for the most recent minutes and do not trigger an event;
- Linked to the detection interval time range: judge the query result of the detection metric for the most recent minutes and treat the query result as 0. The value 0 is then re-compared with the threshold configured in the Trigger Conditions above to decide whether an abnormal event is triggered;
- Custom fill of the detection interval value: trigger a data gap event, trigger a Critical event, trigger a Major event, trigger a Warning event, or trigger a recovery event. For this type of strategy, the recommended custom data gap time is >= the detection interval time. If the configured time is <= the detection interval time, both the data gap condition and an anomaly condition may be met at the same time; in that case only the data gap processing result is applied.
Information Generation¶
Enable this option to generate "Information" events for detection results that do not meet any of the above trigger conditions and write them.
Note
When Trigger Conditions, Data Gap, and Information Generation are configured simultaneously, the triggering is judged according to the following priority: Data Gap > Trigger Conditions > Information Event Generation.
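The following is an added example, not Guance's own code, that models one detection run of a process anomaly monitor as described on this page: counting matching processes per detection object (up to three dimensions, optional tag filters, comma-separated wildcard process names), then applying the priority Data Gap > Trigger Conditions > Information Event Generation, plus the Consecutive Trigger Judgment. The sample records, the `TRIGGERS` thresholds and the `gap` strategy names are constructed assumptions for illustration.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample process records for one detection interval (not real data).
SAMPLE_PROCESSES = [
    {"process_name": "sshd", "host": "host1", "host_ip": "10.0.0.1", "env": "prod"},
    {"process_name": "sshd", "host": "host1", "host_ip": "10.0.0.1", "env": "prod"},
    {"process_name": "sshd", "host": "host1", "host_ip": "10.0.0.1", "env": "prod"},
    {"process_name": "nginx", "host": "host2", "host_ip": "10.0.0.2", "env": "prod"},
    {"process_name": "nginx-worker", "host": "host2", "host_ip": "10.0.0.2", "env": "dev"},
]
# Hypothetical trigger conditions (severity, threshold) meaning "count > threshold", most severe first.
TRIGGERS = [("Critical", 5), ("Major", 2), ("Warning", 0)]

def count_by_dimensions(records, process, dimensions, filters=None):
    """Count matching processes per detection object (combination of dimension values)."""
    if len(dimensions) > 3:
        raise ValueError("at most three detection dimensions are supported")
    patterns = [p.strip() for p in process.split(",")]  # "a,b*" -> list of wildcards
    counts = Counter()
    for rec in records:
        if filters and any(rec.get(k) != v for k, v in filters.items()):
            continue  # Filter Conditions narrow the detected data
        if any(fnmatchcase(rec["process_name"], p) for p in patterns):
            counts[tuple((d, rec[d]) for d in dimensions)] += 1
    return counts

def evaluate(records, process, dimensions, filters=None, gap="ignore", info=False):
    """One detection run; returns [(event_level, detection_object), ...]."""
    counts = count_by_dimensions(records, process, dimensions, filters)
    if not counts:  # Data Gap is judged before the trigger conditions
        if gap == "ignore":
            return []
        if gap == "zero":
            counts = Counter({(): 0})  # re-compare 0 against the thresholds
        else:
            return [(gap, {})]  # e.g. "DataGap", "Critical", "Recovery"
    events = []
    for obj, count in counts.items():
        level = next((sev for sev, th in TRIGGERS if count > th), None)
        if level:
            events.append((level, dict(obj)))  # any value meeting a condition fires
        elif info:  # Information Generation: no trigger condition met
            events.append(("Information", dict(obj)))
    return events

def consecutive_trigger(run_hits, required):
    """Consecutive Trigger Judgment: fire only after `required` (max 10) hits in a row."""
    required = min(required, 10)
    return len(run_hits) >= required and all(run_hits[-required:])
```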
Other Configurations¶
For more details, refer to Rule Configuration.