Synthetic Testing Anomaly Detection
Used to monitor the synthetic testing data within a workspace. You can set a threshold range for the specified amount of data generated by the probing tasks during a given time period. Once the data volume reaches these thresholds, the system will trigger an alert. Additionally, you can customize the alert levels so that when the specified data volume reaches different threshold ranges, corresponding level alerts are triggered.
Use Cases
Supports monitoring data volumes produced by probes based on HTTP, TCP, ICMP, WEBSOCKET, and multistep tests. For example, monitoring production environment deployment URLs for unavailability.
Configuration
Detection Frequency
The execution frequency of the detection rules; default is 5 minutes.
Detection Interval
The time range for querying detection metrics. The selectable detection intervals depend on the detection frequency.
Detection Frequency | Detection Interval (Dropdown Options) |
---|---|
1m | 1m/5m/15m/30m/1h/3h |
5m | 5m/15m/30m/1h/3h |
15m | 15m/30m/1h/3h/6h |
30m | 30m/1h/3h/6h |
1h | 1h/3h/6h/12h/24h |
6h | 6h/12h/24h |
12h | 12h/24h |
24h | 24h |
Detection Metrics: The metrics used for detection. You can use the specified data volume from all probing tasks, or from an individual probing task, in the current workspace as the detection metric.
Probing Metrics:
Field | Description |
---|---|
Probe Type | Includes four probe types: HTTP, TCP, ICMP, WEBSOCKET. |
Probe Address | Supports monitoring all or single probing tasks available within the current workspace. |
Metrics | Supports detection based on metric dimensions, including average response time, P50 response time, P75 response time, P90 response time, P99 response time, availability rate, number of error requests, and number of requests. |
Dimensions | Any string type (keyword) field in the configuration data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. Combining multiple detection dimension fields identifies a specific detection object. Guance determines whether the statistical metrics for a given detection object meet the threshold conditions for triggering events. If the conditions are met, an event is generated. For example: selecting detection dimensions host and host_ip results in the detection object {host: host1, host_ip: 127.0.0.1}. |
Filtering | Filters the data of the detection metrics based on metric tags, thus limiting the scope of detection. One or more filtering conditions can be added for exact match, partial match, and non-partial match. |
Quantity Statistics
You can query and perform statistics on probing tasks through keyword searches or tag filters for the four different probing types.
In addition to simple queries, expression-based queries can also be used.
Trigger Conditions
Set the trigger conditions for alert levels: you can configure any one of the emergency, critical, warning, or normal trigger conditions.
Configure trigger conditions and severity levels. When the query results contain multiple values, an event will be generated if any value meets the trigger condition.
For more details, refer to Event Level Description.
If continuous trigger judgment is enabled, you can configure the conditions to take effect after multiple consecutive judgments, which will then trigger the generation of events again. The maximum limit is 10 times.
Alert Levels
- Alert Levels Emergency (red), Critical (orange), Warning (yellow): Based on configured condition operators.
- Alert Level Normal (green): Based on the configured number of detections, as follows:
  - Each execution of a detection task counts as 1 detection, e.g., detection frequency = 5 minutes, then 1 detection = 5 minutes;
  - You can customize the number of detections, e.g., detection frequency = 5 minutes, then 3 detections = 15 minutes.

Level | Description |
---|---|
Normal | After the detection rule takes effect, if urgent, critical, or warning abnormal events occur, and the data detection results return to normal within the configured number of custom detections, a recovery alert event will be generated. |

Recovery alert events are not restricted by alert silencing. If the number of detections for recovery alert events is not set, the alert event will not recover and will remain in the Events > Unrecovered Events List.
Data Gaps
Seven strategies can be configured for data gap states.
- In conjunction with the detection interval time range, the query results of the detection metrics for the most recent minutes are evaluated and no event is triggered;
- In conjunction with the detection interval time range, the query results of the detection metrics for the most recent minutes are evaluated and treated as 0; the query results are then compared again with the thresholds configured in the trigger conditions above to determine whether an anomaly event should be triggered.
- Customize the fill-in detection interval value and trigger a data gap event, urgent event, critical event, warning event, or recovery event. If you choose this type of strategy, it is recommended that the custom data gap time be >= the detection interval time. If the configured time is <= the detection interval time, data gap and anomaly conditions may be satisfied at the same time, in which case only the data gap processing result is applied.
Information Generation
Enabling this option will generate "information" events for detection results that do not match the above trigger conditions.
Note
If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority order applies: data gaps > trigger conditions > information event generation.
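The priority order above, together with the data gap strategies and recovery counting described earlier, can be traced with a small simulation. This is an added example, not Guance's implementation: the function names, the `>=` operator, the strategy labels `no_event` / `as_zero`, the rule that the most severe matching level wins, and the sample inputs are all assumptions made for illustration.

```python
# Added illustration; not Guance code. All names and the ">=" operator are assumptions.
LEVELS = ("emergency", "critical", "warning")  # assumed: most severe match wins

def classify(values, thresholds):
    """Return the first level whose threshold ANY value reaches, else None."""
    for level in LEVELS:
        limit = thresholds.get(level)
        if limit is not None and any(v >= limit for v in values):
            return level
    return None

def run_detections(results, thresholds, gap_strategy="no_event",
                   recover_after=None, info_events=False):
    """results: one entry per detection run; a list of values, or None for a data gap.
    Returns one event name (or None) per detection run."""
    events, abnormal, normal_streak = [], False, 0
    for values in results:
        if values is None:                    # 1) data gap handling has top priority
            if gap_strategy == "no_event":
                events.append(None)
                continue
            if gap_strategy == "as_zero":
                values = [0]                  # compared with the thresholds below
            else:                             # custom strategy: emit the configured event
                events.append(gap_strategy)
                continue
        level = classify(values, thresholds)
        if level:                             # 2) trigger conditions
            abnormal, normal_streak = True, 0
            events.append(level)
            continue
        normal_streak += 1
        if abnormal and recover_after and normal_streak >= recover_after:
            abnormal = False                  # recovery only if a detection count is set
            events.append("recovery")
        elif info_events:                     # 3) information events, lowest priority
            events.append("info")
        else:
            events.append(None)
    return events

# Constructed sample: error-request counts per detection run, one gap in the middle.
SAMPLE = [[0], [2, 0], [7, 1], None, [0], [0], [0]]
RULE = {"critical": 5, "warning": 1}
```

With `recover_after` left unset, the abnormal state never clears, which matches the statement that the event stays in the Unrecovered Events List.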
Other Configurations
For more details, refer to Rule Configuration.