Process Anomaly Detection
Process anomaly detection monitors process data within the workspace and supports configuring alert trigger conditions for one or more field types in process data.
Detection Configuration
Detection Frequency
The execution frequency of the detection rule.
Detection Interval
The time range for querying detection metrics. The available detection intervals vary depending on the detection frequency.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 30s | 1m/5m/15m/30m/1h/3h |
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Detection Metrics
Set the metric data to be detected. The metric is the number of occurrences of one or more field-type keywords in process data within the current workspace over the specified time range.
| Field | Description |
|---|---|
| Process | Requires manual input of process names; wildcards are supported for fuzzy matching, and multiple values are separated by ",". |
| Filter Conditions | Supports filtering fields in process data to limit the scope of detection. One or more tag filters can be added. |
| Detection Dimensions | Any string type (keyword) field in the configuration data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. Combining multiple detection dimension fields determines a specific detection object; Guance checks whether the statistical metrics of a detection object meet the threshold of the trigger condition and, if so, generates an event. (For example, with the detection dimensions host and host_ip selected, a detection object could be {host: host1, host_ip: 127.0.0.1}.) |
Trigger Conditions
Set the trigger conditions for alert levels: you can configure any of the emergency, important, warning, or normal trigger conditions.
Configure trigger conditions and severity. When the query result has multiple values, any value meeting the trigger condition will generate an event.
For more details, refer to Event Level Description.
Continuous Trigger Judgment
If Continuous Trigger Judgment is enabled, you can configure an event to be triggered only after the trigger condition has been met a set number of times consecutively. The maximum is 10 times.
Bulk Alert Protection
Enabled by default.
When the number of alerts generated in a single detection exceeds the preset threshold, the system automatically switches to a status summary strategy: instead of processing each alert object individually, it generates a few summary alerts grouped by event status and pushes those.
This preserves the timeliness of notifications, significantly reduces alert noise, and avoids the risk of timeouts caused by processing too many alerts.
Note
When this switch is enabled, subsequent event details generated by the monitor after detecting anomalies will not display historical records and related events.
Alert Level
- Alert Level Emergency (Red), Important (Orange), Warning (Yellow): based on the configured condition judgment operators.
- Alert Level Normal (Green): based on the configured number of detections, described as follows:
  - Each execution of a detection task counts as 1 detection. For example, with Detection Frequency = 5 minutes, 1 detection = 5 minutes.
  - You can customize the number of detections. For example, with Detection Frequency = 5 minutes, 3 detections = 15 minutes.

| Level | Description |
|---|---|
| Normal | After the detection rule takes effect, if emergency, important, or warning anomaly events are generated and the data detection result returns to normal within the configured custom detection count, a recovery alert event is generated. |

❗️ Recovery alert events are not subject to Alert Silence restrictions. If the recovery alert event detection count is not set, the alert event will not recover and will always appear in the Events > Unrecovered Events List.
Data Interruption
For the data interruption status, seven strategies can be configured:
- Linked to the detection interval time range: judge the query result of the detection metric over the most recent minutes and do not trigger an event.
- Linked to the detection interval time range: judge the query result of the detection metric over the most recent minutes and treat the query result as 0. The result (0) is then compared with the threshold configured in the Trigger Conditions above to determine whether to trigger an anomaly event.
- Custom-fill the detection interval value and trigger a data interruption event, an emergency event, an important event, a warning event, or a recovery event. For this type of strategy, it is recommended to set the custom data interruption time >= the detection interval. If the configured time is <= the detection interval, both the data interruption and anomaly conditions may be met at the same time, in which case only the data interruption processing result is applied.
Information Generation
Enable this option to generate "information" events for detection results that do not match any of the above trigger conditions.
Note
When trigger conditions, data interruption, and information generation are all configured, trigger priority is judged as follows: data interruption > trigger conditions > information event generation.
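To make the evaluation order concrete, the following added example (not Guance code) simulates one monitor across several detection cycles: continuous trigger judgment, the normal-level recovery count, the three kinds of data interruption strategy, information generation, and the stated priority data interruption > trigger conditions > information. The level ordering, the `Rule`/`Monitor` names and the rule that an information event is produced only when nothing else fires are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Levels in the order checked; the most severe satisfied threshold wins (assumed ordering).
LEVELS = ("emergency", "important", "warning")

@dataclass
class Rule:
    thresholds: dict                        # Trigger Conditions: level -> minimum count that fires it
    consecutive: int = 1                    # Continuous Trigger Judgment: hits in a row before an event (1..10)
    recovery_count: Optional[int] = None    # Alert Level Normal: in-range detections before recovery; None = never recovers
    no_data: str = "skip"                   # Data Interruption: "skip" (no event), "zero" (treat as 0), "event"
    info_events: bool = False               # Information Generation for results matching no trigger condition

@dataclass
class Monitor:
    rule: Rule
    hits: int = 0                           # consecutive anomalous detections
    normals: int = 0                        # consecutive in-range detections since the event opened
    open_level: Optional[str] = None        # level of the unrecovered event, if any

    def classify(self, count: int) -> Optional[str]:
        return next((lvl for lvl in LEVELS if count >= self.rule.thresholds[lvl]), None)

    def step(self, count: Optional[int]) -> Optional[str]:
        """Evaluate one detection cycle; return the event it produces, or None."""
        r = self.rule
        # Priority stated on the page: data interruption > trigger conditions > information.
        if count is None:
            if r.no_data == "skip":
                return None
            if r.no_data == "event":
                return "data_interruption"
            count = 0  # "zero": fall through and compare 0 against the thresholds
        level = self.classify(count)
        if level is not None:
            self.hits, self.normals = self.hits + 1, 0
            if self.hits >= r.consecutive:
                self.open_level = level
                return level
            return None  # condition met, but not yet `consecutive` times in a row
        self.hits = 0
        if self.open_level is not None and r.recovery_count is not None:
            self.normals += 1
            if self.normals >= r.recovery_count:
                self.open_level, self.normals = None, 0
                return "recovery"
        return "information" if r.info_events else None  # assumed: info only when nothing else fires
```

With `consecutive=2` and `recovery_count=3`, a single anomalous cycle produces nothing, the second opens the event, and three in-range cycles (a "treat as 0" gap counts as one) emit the recovery; without a recovery count the event stays open forever, matching the page's warning.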
Other Configurations
For more details, refer to Rule Configuration.