Process Anomaly Detection
Used to monitor process data within the workspace, supporting the configuration of alert trigger conditions for one or more field types in the process data.
Detection Configuration
Detection Frequency
How often the detection rule is executed.
Detection Interval
The time range over which the detection metric is queried. The intervals available for selection depend on the detection frequency, as shown below.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 30s | 1m/5m/15m/30m/1h/3h |
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Detection Metrics
Set the metric data to be detected: the number of occurrences of one or more keyword fields in the process data of the current workspace within a given time range.
| Field | Description |
|---|---|
| Process | Manually enter the process name. Wildcard matching is supported for fuzzy search, and multiple values can be separated by ",". |
| Filter Conditions | Filter on fields of the process data to limit the scope of the detected data. One or more label filters can be added. |
| Detection Dimensions | Any string-type (keyword) field in the configured data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. Combining multiple detection dimension fields determines a specific detection object. Guance judges whether the statistical metric for a given detection object meets the threshold of the trigger condition and, if so, generates an event. For example, with the detection dimensions host and host_ip, a detection object could be {host: host1, host_ip: 127.0.0.1}. |
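The following is an added example, not Guance's own code, showing how the Process field, filter conditions and detection dimensions described above combine into a per-detection-object count over one detection interval. The sample records, field names (process_name, host, host_ip, state) and the three-dimension limit check are constructed for the example; the wildcard and comma-separated matching follows the Process field description.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample process-data points (not real Guance data). "ts" is a
# timestamp in seconds; the other fields are keyword (string) fields.
SAMPLE_RECORDS = [
    {"ts": 100, "process_name": "sshd",  "host": "host1", "host_ip": "127.0.0.1", "state": "running"},
    {"ts": 130, "process_name": "sshd",  "host": "host1", "host_ip": "127.0.0.1", "state": "running"},
    {"ts": 160, "process_name": "nginx", "host": "host1", "host_ip": "127.0.0.1", "state": "running"},
    {"ts": 170, "process_name": "sshd",  "host": "host2", "host_ip": "10.0.0.2",  "state": "zombie"},
    {"ts": 190, "process_name": "sshd",  "host": "host2", "host_ip": "10.0.0.2",  "state": "zombie"},
    {"ts": 20,  "process_name": "sshd",  "host": "host2", "host_ip": "10.0.0.2",  "state": "running"},
]

MAX_DIMENSIONS = 3  # the page states that up to three detection dimension fields may be selected


def process_matches(name, process_field):
    """Match a process name against the Process field: comma-separated
    values, each of which may contain shell-style wildcards (e.g. "ssh*")."""
    patterns = [p.strip() for p in process_field.split(",") if p.strip()]
    return any(fnmatchcase(name, p) for p in patterns)


def count_by_dimensions(records, process="*", filters=None, dimensions=(),
                        window_end=0, interval_s=60):
    """Count matching records per detection object within the detection
    interval (window_end - interval_s, window_end].

    The result is keyed by the detection object, expressed as a tuple of
    (dimension, value) pairs so that it is hashable, e.g.
    (("host", "host1"), ("host_ip", "127.0.0.1")).
    """
    if len(dimensions) > MAX_DIMENSIONS:
        raise ValueError(f"at most {MAX_DIMENSIONS} detection dimensions are allowed")
    filters = filters or {}
    window_start = window_end - interval_s
    counts = Counter()
    for rec in records:
        if not (window_start < rec["ts"] <= window_end):
            continue  # outside the detection interval
        if not process_matches(rec["process_name"], process):
            continue  # Process field does not match
        if any(rec.get(key) != value for key, value in filters.items()):
            continue  # a label filter excludes this record
        detection_object = tuple((dim, rec.get(dim)) for dim in dimensions)
        counts[detection_object] += 1
    return dict(counts)


if __name__ == "__main__":
    result = count_by_dimensions(SAMPLE_RECORDS, process="ssh*",
                                 dimensions=("host", "host_ip"),
                                 window_end=200, interval_s=120)
    for obj, n in result.items():
        print(dict(obj), "->", n)
```

Each key of the returned dictionary is one detection object in the sense of the table above; the trigger conditions in the next section are then applied to each object's count separately.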
Trigger Conditions
Set the trigger conditions for the alert levels. Any of the following levels can be configured: Critical, Major, Minor, or Normal.
Configure the trigger conditions and their severity levels. When the query result contains multiple values, an event is generated if any one of them meets the trigger condition.
For more details, refer to Event Level Description.
If Continuous Trigger Judgment is enabled, you can require the condition to be met in several consecutive detections before an event is triggered. The maximum is 10 times.
Alert Levels
- Alert levels Critical (Red), Major (Orange), Minor (Yellow): based on the judgment operator configured in the conditions.
- Alert level Normal (Green): based on the configured number of detections, as follows:
  - Each execution of a detection task counts as 1 detection. For example, with Detection Frequency = 5 minutes, 1 detection = 5 minutes.
  - You can customize the number of detections. For example, with Detection Frequency = 5 minutes, 3 detections = 15 minutes.
After the detection rule takes effect, if Critical, Major, or Minor abnormal events have been generated and the detection results then return to normal for the configured number of detections, a recovery alert event is generated.
Data Gaps
You can configure seven strategies for handling data gaps.
- Linked to the detection interval: if the query result for the detection metric over the most recent detection interval is empty, no event is triggered.
- Linked to the detection interval: if the query result for the detection metric over the most recent detection interval is empty, the query result is treated as 0. The value 0 is then compared with the thresholds configured in the Trigger Conditions, which determines whether an anomaly event is triggered.
- Custom data gap interval: when no data is returned for the custom interval, trigger a data gap event, a Critical event, a Major event, a Minor event, or a recovery event. With this type of strategy, it is recommended that the custom data gap time be >= the detection interval. If the configured time is <= the detection interval, a data gap and an anomaly may be satisfied at the same time, in which case only the data gap processing result is applied.
Information Generation
When this option is enabled, detection results that do not match any of the trigger conditions above generate "information" events, which are written as events.
Note
When configuring trigger conditions, data gaps, and information generation simultaneously, the following priority order applies: Data Gaps > Trigger Conditions > Information Event Generation.
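As an added example (not Guance's own implementation), the evaluator below models the semantics described in the Trigger Conditions, Data Gaps and Information Generation sections for a single detection object: the Data Gaps > Trigger Conditions > Information Event Generation priority from the note above, Continuous Trigger Judgment with its limit of 10, the Normal (Green) recovery after a configured number of normal detections, and the three data gap strategies. The threshold values, the names of the strategies, and the assumption that an abnormal level keeps producing events on every run once the consecutive count is reached are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed thresholds for the example rule (not values from the page): a
# count at or above the threshold meets that level's trigger condition.
# Levels are checked from most to least severe.
LEVEL_THRESHOLDS = [("critical", 50), ("major", 20), ("minor", 10)]


@dataclass
class RuleConfig:
    trigger_after: int = 1          # Continuous Trigger Judgment: consecutive hits needed (max 10)
    recovery_detections: int = 1    # Normal (Green): consecutive normal detections before recovery
    gap_strategy: str = "no_event"  # "no_event" | "treat_as_zero" | "gap_event" (constructed names)
    info_generation: bool = False   # Information Generation switch

    def __post_init__(self):
        if not 1 <= self.trigger_after <= 10:
            raise ValueError("continuous trigger count must be between 1 and 10")
        if self.gap_strategy not in ("no_event", "treat_as_zero", "gap_event"):
            raise ValueError(f"unknown data gap strategy: {self.gap_strategy}")


@dataclass
class RuleState:
    consecutive_hits: int = 0            # runs in a row that met some trigger condition
    active_level: Optional[str] = None   # abnormal level currently raised, if any
    normal_streak: int = 0               # normal runs in a row since the abnormal event


def evaluate(value, cfg, state):
    """One detection run. `value` is the aggregated count for a detection
    object, or None when the query returned no data (a data gap).
    Returns the event produced by this run, or None.
    Priority follows the page: Data Gaps > Trigger Conditions > Information."""
    if value is None:
        if cfg.gap_strategy == "no_event":
            return None
        if cfg.gap_strategy == "gap_event":
            state.consecutive_hits = 0
            return "data_gap"
        value = 0  # treat_as_zero: fall through and compare 0 with the thresholds

    level = next((name for name, threshold in LEVEL_THRESHOLDS if value >= threshold), None)
    if level is not None:
        state.consecutive_hits += 1
        state.normal_streak = 0
        # Assumption: once the consecutive count is reached, every further
        # abnormal run keeps producing an event at the level it matched.
        if state.consecutive_hits >= cfg.trigger_after:
            state.active_level = level
            return level
        return None

    state.consecutive_hits = 0
    if state.active_level is not None:
        state.normal_streak += 1
        if state.normal_streak >= cfg.recovery_detections:
            state.active_level = None
            state.normal_streak = 0
            return "recovery"
        return None
    # No abnormal level raised and no trigger condition matched: optional information event.
    return "information" if cfg.info_generation else None


def run_sequence(values, cfg):
    """Feed a sequence of per-run counts through a fresh rule state."""
    state = RuleState()
    return [evaluate(v, cfg, state) for v in values]


if __name__ == "__main__":
    cfg = RuleConfig(trigger_after=2, recovery_detections=3,
                     gap_strategy="treat_as_zero", info_generation=True)
    counts = [5, 25, 25, 60, None, 5, 5, 5]  # constructed run-by-run counts
    for v, ev in zip(counts, run_sequence(counts, cfg)):
        print(f"count={v!s:>4} -> {ev}")
```

With the constructed sequence, the second run above 20 is the first to raise a Major event (trigger_after=2), the gap counts as a normal detection under "treat_as_zero", and the recovery event appears only after three consecutive normal detections, matching the Normal (Green) description.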
Other Configurations
For more details, refer to Rule Configuration.