Synthetic Testing Anomaly Detection¶
Used to monitor the synthetic testing data within a workspace. You can set a threshold range for the specified amount of data generated by a probing task over a period of time, and once the data volume reaches these thresholds, the system will trigger an alert. Additionally, you can customize alert levels so that when the specified data volume reaches different threshold ranges, corresponding level alerts are triggered.
Use Cases¶
Supports monitoring data volumes generated by HTTP, TCP, ICMP, WEBSOCKET, and multistep tests. For example, monitoring production environment deployment URLs that are unavailable.
Detection Configuration¶
Detection Frequency¶
The execution frequency of the detection rule; default is 5 minutes.
Detection Interval¶
The time range for querying detection metrics. Affected by the detection frequency, the selectable detection intervals will vary.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
3) Detection Metrics: Set the metric for detecting data, supporting setting the data volume of all or single probing tasks within the current workspace as the detection metric.
Probing Metrics:
| Field | Description |
|---|---|
| Probing Type | Includes four types of probing: HTTP, TCP, ICMP, WEBSOCKET. |
| Probing Address | Supports monitoring all or a single probing task available in the current workspace. |
| Metric | Supports detection based on the metric dimension, including average response time, P50 response time, P75 response time, P90 response time, P99 response time, availability rate, number of error requests, number of requests, and availability rate. |
| Dimension | Any string type (keyword) field in the configuration data can be selected as a detection dimension. Currently, up to three fields can be selected for detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. Guance will determine whether the statistical metric of a certain detection object meets the threshold conditions for triggering events. If the conditions are met, an event will be generated.For example: selecting detection dimensions host and host_ip, then the detection object could be {host: host1, host_ip: 127.0.0.1}. |
| Filtering | Filters the data of the detection metric based on metric tags, thus limiting the scope of the detection data. One or more tag filters, fuzzy matches, and non-fuzzy matches can be added as filtering conditions. |
Quantity Statistics
You can query and statistically analyze probing tasks based on four different probing types using keyword search or label filtering.
In addition to simple queries, expression-based queries can also be used.
Trigger Conditions¶
Set the trigger condition for the alert level: You can configure any one of the following trigger conditions—urgent, important, warning, normal.
Configure the trigger conditions and severity levels, and if any value among multiple results satisfies the trigger condition, an event will be generated.
For more details, refer to Event Level Description.
If Continuous Trigger Judgment is enabled, you can configure it to generate an event again after the trigger condition has been met consecutively multiple times. The maximum limit is 10 times.
Alert Levels
-
Alert Levels Urgent (Red), Important (Orange), Warning (Yellow): Based on configured conditional operators.
-
Alert Level Normal (Green): Based on configured detection counts, as follows:
- Each execution of a detection task counts as 1 detection, e.g.,
detection frequency = 5 minutes, then 1 detection = 5 minutes; - Customizable detection counts, e.g.,
detection frequency = 5 minutes, then 3 detections = 15 minutes.
Level Description Normal After the detection rule takes effect, if urgent, important, or warning abnormal events are generated, and the data detection results return to normal within the configured custom detection count, a recovery alert event will be generated.
Recovery alert events are not restricted by Alert Mute. If no recovery alert event detection count is set, the alert event will not recover and will remain in the Events > Unrecovered Events List. - Each execution of a detection task counts as 1 detection, e.g.,
Data Gaps¶
Seven strategies can be configured for data gap states.
-
Linking with the detection interval time range, judge the query result of the nearest minute of the detection metric, do not trigger an event;
-
Linking with the detection interval time range, judge the query result of the nearest minute of the detection metric, treat the query result as 0; at this point, the query result will be compared again with the thresholds configured in the Trigger Condition above, thereby determining whether to trigger an anomaly event.
-
Customize the fill-in value for the detection interval, trigger data gap events, trigger urgent events, trigger important events, trigger warning events, and trigger recovery events; if this type of configuration strategy is selected, it is recommended that the custom data gap time configuration be >= detection interval time. If the configured time <= the detection interval time, there may be simultaneous satisfaction of data gaps and anomalies. In such cases, only the data gap processing result will apply.
Information Generation¶
Enabling this option generates "information" events for detection results that do not match any of the above trigger conditions.
Note
If trigger conditions, data gaps, and information generation are configured simultaneously, the triggers follow the priority order: data gaps > trigger conditions > information event generation.
Other Configurations¶
For more details, refer to Rule Configuration.