Synthetic Testing Anomaly Detection¶
Used to monitor Synthetic Tests data within the workspace. You can set threshold ranges for the specified data volume generated by testing tasks over a period of time. Once the data volume reaches these thresholds, the system will trigger alerts. Furthermore, you can customize alert levels, enabling the triggering of corresponding level alert events when the specified data volume reaches different threshold ranges.
Use Cases¶
Supports monitoring data volume generated from HTTP, TCP, ICMP, WEBSOCKET, and Multistep Tests. For example, monitoring the unavailability of a URL deployed in a production environment.
Configuration¶
Detection Frequency¶
Refers to the execution frequency of the detection rule.
Detection Interval¶
Refers to the time range for querying detection metrics. The available detection interval options vary depending on the detection frequency.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 30s | 1m/5m/15m/30m/1h/3h |
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Detection Metrics: Set the metrics for the detection data. Supports setting the data volume of specified data generated by all or a single testing task within the current workspace as the detection metric.
| Field | Description |
|---|---|
| Test Type | Includes four test types: HTTP, TCP, ICMP, WEBSOCKET. |
| Test Address | Supports monitoring all or a single testing task within the current workspace's Synthetic Tests. |
| Metric | Supports detection based on metric dimensions, including average response time, P50 response time, P75 response time, P90 response time, P99 response time, availability rate, error request count, request count, and availability rate. |
| Dimension | Any string type (keyword) field in the configuration data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. Guance will determine whether the statistical metrics corresponding to a detection object meet the threshold of the trigger condition. If the condition is met, an event is generated.For example: Selecting detection dimensions host and host_ip means the detection object can be {host: host1, host_ip: 127.0.0.1}. |
| Filter | Filters the data of the detection metrics based on metric tags, thereby limiting the data scope of the detection. One or more tag filters, fuzzy matching, and fuzzy non-matching filter conditions can be added. |
You can query and count testing tasks based on four different test types through keyword search or tag filtering.
In addition to simple queries, expression query methods can also be used.
Trigger Conditions¶
Set the trigger conditions for alert levels: You can arbitrarily configure one of the trigger conditions: Critical, Important, Warning, or Normal.
Configure trigger conditions and severity. When the query result contains multiple values, an event is generated if any value satisfies the trigger condition.
For more details, refer to Event Level Description.
Consecutive Trigger Judgment¶
If Consecutive Trigger Judgment is enabled, you can configure that an event is triggered again after the trigger condition is met for a consecutive number of times. The maximum limit is 10 times.
Bulk Alert Protection¶
Enabled by default.
When the number of alerts generated in a single detection exceeds a preset threshold, the system automatically switches to a status aggregation strategy: instead of processing alert objects individually, it generates a small number of summary alerts based on event status and pushes them.
This ensures the timeliness of notifications while significantly reducing alert noise and avoiding timeout risks caused by processing too many alerts.
Note
When this switch is enabled, the subsequent Event Details generated by the monitor after detecting anomalies will not display historical records and associated events.
Alert Level¶
-
Alert Level Critical (red), Important (orange), Warning (yellow);
-
Alert Level Normal (green): Based on the configured number of detections, explained as follows:
-
Each execution of a detection task counts as 1 detection. For example, if
Detection Frequency = 5 minutes, then 1 detection = 5 minutes; -
The number of detections can be customized. For example, if
Detection Frequency = 5 minutes, then 3 detections = 15 minutes.
Level Description Normal After the detection rule takes effect, if an Critical, Important, or Warning abnormal event occurs, and the data detection result returns to normal within the configured custom number of detections, a recovery alert event is generated.
❗️ Recovery alert events are not subject to Alert Silence restrictions. If the number of detections for recovery alert events is not set, the alert event will not recover and will remain in the Events > Unrecovered Events List. -
Data Gap¶
Seven strategies can be configured for data gap status.
-
Link with the detection interval time range, judge the query result of the detection metric for the most recent minutes, do not trigger an event;
-
Link with the detection interval time range, judge the query result of the detection metric for the most recent minutes, treat the query result as 0; At this time, the query result will be re-compared with the threshold configured in the Trigger Conditions above to determine whether to trigger an abnormal event.
-
Custom fill the detection interval value, trigger data gap event, trigger critical event, trigger important event, trigger warning event, and trigger recovery event; For this type of configuration strategy, the recommended custom data gap time configuration is >= detection interval time span. If the configured time <= detection interval time span, situations where both data gap and abnormal conditions are met may occur. In such cases, only the data gap processing result will be applied.
Information Generation¶
Enable this option to generate "Information" events for detection results that do not match any of the above trigger conditions.
Note
When trigger conditions, data gap, and information generation are configured simultaneously, the triggering is judged according to the following priority: data gap > trigger conditions > information event generation.
Other Configuration¶
For more details, refer to Rule Configuration.