Synthetic Testing Anomaly Detection
Used to monitor data from Synthetic Tests within a workspace. You can set a threshold range for the data volume that a probing task generates over a given period of time; once the data volume reaches a threshold, the system triggers an alert. You can also customize the alert levels so that each threshold range triggers an alert event of the corresponding level.
Use Cases
Supports monitoring data generated by probes based on HTTP, TCP, ICMP, WEBSOCKET, and Multistep Tests. For example, monitoring URLs in the production environment that are unavailable.
Detection Configuration
Detection Frequency
The execution frequency of the detection rule.
Detection Interval
The time range queried for the detection Metrics. The selectable detection intervals depend on the detection frequency.
Detection Frequency | Detection Interval (Dropdown Options) |
---|---|
30s | 1m/5m/15m/30m/1h/3h |
1m | 1m/5m/15m/30m/1h/3h |
5m | 5m/15m/30m/1h/3h |
15m | 15m/30m/1h/3h/6h |
30m | 30m/1h/3h/6h |
1h | 1h/3h/6h/12h/24h |
6h | 6h/12h/24h |
12h | 12h/24h |
24h | 24h |
Detection Metrics
Set the metrics to detect. The specified data volume generated by all probing tasks, or by a single probing task, within the current workspace can be used as the detection metric.
Probing Metrics:
Field | Description |
---|---|
Probing Type | Includes four probing types: HTTP, TCP, ICMP, WEBSOCKET. |
Probing Address | Supports monitoring all or single probing tasks available for Synthetic Tests within the current workspace. |
Metrics | Supports detection based on metric dimensions, including average response time, P50 response time, P75 response time, P90 response time, P99 response time, availability rate, number of error requests, and number of requests. |
Dimensions | Any string type (keyword) fields in the configuration data can be selected as detection dimensions. Currently, up to three fields can be selected as detection dimensions. Combining multiple detection dimension fields determines a specific detection object. Guance checks whether the statistical metrics for a detection object meet the threshold conditions for triggering, and if they do, an event is generated. For example: selecting detection dimensions host and host_ip, the detection object could be {host: host1, host_ip: 127.0.0.1}. |
Filtering | Filters the data of the detection metrics based on metric tags, thereby limiting the scope of the detected data. You can add one or more label filters, fuzzy matches, and fuzzy mismatches as filtering conditions. |
Quantity Statistics
You can query and statistically analyze probing tasks based on four different probing types through keyword searches or tag filtering.
In addition to simple queries, expression-based queries can also be used.
Trigger Conditions
Set the trigger conditions for alert levels: You can configure any one of the following trigger conditions: urgent, important, warning, normal.
Configure trigger conditions and severity levels; when the query results contain multiple values, any value meeting the trigger condition will generate an event.
For more details, refer to Event Level Description.
If Continuous Trigger Judgment is enabled, you can configure the trigger conditions to take effect after multiple consecutive judgments, at which point an event is generated again. The maximum limit is 10 times.
Alert Levels
- Alert Levels Urgent (Red), Important (Orange), Warning (Yellow): Based on configured condition operators.
- Alert Level Normal (Green): Based on configured detection counts, as follows:
  - Each execution of a detection task counts as 1 detection, e.g., Detection Frequency = 5 minutes, then 1 detection = 5 minutes;
  - Customizable detection counts can be defined, e.g., Detection Frequency = 5 minutes, then 3 detections = 15 minutes.
Level | Description |
---|---|
Normal | After the detection rule takes effect and generates urgent, important, or warning abnormal events, if the data detection results return to normal within the configured custom detection count, a recovery alert event will be generated. |
Recovery alert events are not restricted by Alert Mute. If no recovery alert event detection count is set, the alert event will not recover and will remain in the Events > Unrecovered Events List.
Data Gaps
Seven strategies can be configured for handling data gap states.
- Link with the detection interval time range to judge the query results of the most recent minutes for the detection Metrics, do not trigger events;
- Link with the detection interval time range to judge the query results of the most recent minutes for the detection Metrics, treat the query result as 0; at this point, the query result is compared again with the thresholds configured in the Trigger Conditions above to determine whether to trigger an anomaly event.
- Customize the filled detection interval values, trigger data gap events, trigger urgent events, trigger important events, trigger warning events, and trigger recovery events. When you select this type of strategy, it is recommended that the custom data gap time be >= the detection interval time. If the configured time is <= the detection interval time, a data gap and an anomaly may both be satisfied at the same time, in which case only the data gap processing result applies.
Information Generation
After enabling this option, detection results that do not match the above trigger conditions generate "information" events, which are written to the logs.
Note
If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority order applies for triggering: data gaps > trigger conditions > information event generation.
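The following Python sketch is an added example, not Guance code: it models how one rule turns per-object query results into events, applying the priority order above (data gaps > trigger conditions > information) together with a recovery detection count. The function names, gap-policy names, thresholds, recovery semantics and sample data are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the rule evaluation described on
# this page. Not Guance code; names, policies and thresholds are assumptions.
LEVELS = ("urgent", "important", "warning")  # most to least severe

def classify(value, thresholds, gap_policy="no_event", info=True):
    """Event for one detection of one detection object (None = no event).

    value is None when the query returned no data (a data gap). Priority as
    stated on the page: data gaps > trigger conditions > information.
    """
    if value is None:
        if gap_policy == "no_event":
            return None
        if gap_policy != "treat_as_zero":
            return gap_policy      # e.g. "data_gap", "urgent", "warning"
        value = 0                  # compared with the thresholds again
    for level in LEVELS:
        cond = thresholds.get(level)
        if cond is not None and cond(value):
            return level
    return "info" if info else None

def evaluate(runs, thresholds, recover_after=3, **opts):
    """runs: one {detection_object: value} dict per detection execution.

    Assumption: an object that raised an abnormal event recovers ("normal")
    after recover_after consecutive detections that have data and match no
    abnormal level.
    """
    streak, events = {}, []        # streak: objects awaiting recovery
    for n, results in enumerate(runs, start=1):
        for obj, value in results.items():
            event = classify(value, thresholds, **opts)
            if event in LEVELS:
                streak[obj] = 0
            elif obj in streak and value is not None:
                streak[obj] += 1
                if streak[obj] >= recover_after:
                    del streak[obj]
                    event = "normal"
            if event is not None:
                events.append((n, obj, event))
    return events

# Constructed sample: availability rate (%) per detection, keyed by the
# dimensions (host, host_ip). None marks a detection that returned no data.
A, B = ("host1", "127.0.0.1"), ("host2", "127.0.0.2")
RUNS = [{A: 100, B: 100}, {A: 40, B: 85}, {A: 100, B: None}, {A: 100, B: 100}]
RULE = {"urgent": lambda v: v < 50, "warning": lambda v: v < 90}
print(evaluate(RUNS, RULE, recover_after=2, info=False))
```

In this model, `gap_policy="treat_as_zero"` scores the missing sample for host2 as 0% availability and raises an urgent event, so that policy needs care on rate-style metrics where 0 is itself an alarming value.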
Other Configurations
For more details, refer to Rule Configuration.