Testing Anomaly Detection
The rule is used for monitoring synthetic testing data within the workspace, by setting threshold (boundary) ranges for specified data volumes generated by probing tasks over a certain period of time. When the data volume reaches the threshold range, an alert can be triggered. At the same time, you can customize the alert level, so that different levels of alert events can be triggered when the specified data volume reaches different threshold ranges.
Use Case
Supports monitoring data generated by probes of different protocol types, such as HTTP, TCP, ICMP and WEBSOCKET. For example, monitor the unavailability of URLs deployed in the production environment.
Setup
Step 1: Detection Configuration
Detection Frequency: How often the detection rule runs; the options are 1m/5m/15m/30m/1h/6h (5m is selected by default).
Detection Interval: The time range queried each time the task runs. The available detection intervals depend on the selected detection frequency.
Detection Frequency | Detection Interval (Drop-down Option) |
---|---|
1m | 1m/5m/15m/30m/1h/3h |
5m | 5m/15m/30m/1h/3h |
15m | 15m/30m/1h/3h/6h |
30m | 30m/1h/3h/6h |
1h | 1h/3h/6h/12h/24h |
6h | 6h/12h/24h |
Detection Metrics: Set the metric to detect. The data volume of specified data generated by all synthetic testing tasks, or by a single task, in the current workspace can be used as the detection metric.
Metrics Analysis
Field | Description |
---|---|
Type | Supports synthetic testing types based on different protocols, such as HTTP, TCP, ICMP and WEBSOCKET. |
URL | Supports monitoring all synthetic testing tasks, or a single task, in the current workspace. |
Filtering | Filters the detection metric's data by label to limit the detection data range. One or more label filters can be added, and fuzzy match and fuzzy mismatch filters are supported. |
Detection Dimension | Any string type (keyword) field in the configuration data can be selected as a detection dimension. At present, up to three fields can be selected. The combination of the selected fields identifies a detection object. Guance judges whether the statistical metric for each detection object meets the threshold of the trigger conditions, and generates an event if it does. (For example, if the detection dimensions host and host_ip are selected, the detection object can be {host: host1, host_ip: 127.0.0.1}.) |
Query
You can query and analyze synthetic testing tasks based on four different types, either by keyword search or tag filtering.
In addition to simple queries, you can also use expression queries.
Trigger Condition: Set the trigger condition for each alert level. You can configure any of the following trigger conditions: Critical, Error, Warning, No Data, or Information.
Configure the trigger condition and severity. When the query result is multiple values, an event will be generated if any value meets the trigger condition.
See Event Level details.
I. Alert levels: Critical (red), Important (orange), Warning (yellow): Based on the configured conditions using operators.
II. Alert levels: OK (green), Information (blue): Based on the configured number of detections, as explained below:
- Each run of the detection task counts as one detection: with "detection frequency = 5 minutes", 1 detection = 5 minutes
- You can customize the number of detections: with "detection frequency = 5 minutes", 3 detections = 15 minutes
Level | Description |
---|---|
OK | After the detection rule takes effect, if the result of an urgent, important, or warning abnormal event returns to normal within the configured number of custom detections, a recovery alert event is generated. Recovery alert events are not affected by Mute Alerting. If no detection count is set for recovery alert events, the alert event will not recover and will always appear in the Events > Unrecovered Events List. |
Information | Events are generated even for normal detection results. |
III. Alert level: No Data (gray): The no data state supports three configuration strategies: Trigger No-Data Event, Trigger Recovery Event, and Untrigger Event.
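The trigger rules above (any returned value can trigger a level, recovery after a configured number of detections, and the three no-data strategies) can be modelled as follows. This is an added illustration, not Guance's code: the class, the strategy strings, the `>=` operator and the reading of the recovery count as consecutive normal detections are all assumptions.

```python
# Illustrative model only: names and semantics are assumptions, not Guance code.
SEVERITIES = ("critical", "important", "warning")  # checked highest first

class ThresholdMonitor:
    def __init__(self, thresholds, recover_after=None, no_data="trigger_no_data"):
        self.thresholds = thresholds        # level -> minimum value that triggers it
        self.recover_after = recover_after  # normal detections needed for an OK event
        self.no_data = no_data              # trigger_no_data | trigger_recovery | untrigger
        self.unrecovered = {}               # detection object -> normal detections so far

    def classify(self, values):
        # Any single value meeting a condition triggers that level.
        for level in SEVERITIES:
            limit = self.thresholds.get(level)
            if limit is not None and any(v >= limit for v in values):
                return level
        return None

    def detect(self, results):
        """results maps a detection object (dimension tuple) to its query values."""
        events = []
        for obj, values in results.items():
            if not values:  # the query returned nothing for this object
                if self.no_data == "trigger_no_data":
                    events.append((obj, "no_data"))
                elif self.no_data == "trigger_recovery" and obj in self.unrecovered:
                    del self.unrecovered[obj]
                    events.append((obj, "ok"))
                continue
            level = self.classify(values)
            if level:
                self.unrecovered[obj] = 0
                events.append((obj, level))
            elif obj in self.unrecovered and self.recover_after:
                self.unrecovered[obj] += 1
                if self.unrecovered[obj] >= self.recover_after:
                    del self.unrecovered[obj]
                    events.append((obj, "ok"))
        return events

def replay(monitor, cycles):
    """Run one detection per cycle and return the events of each cycle."""
    return [monitor.detect(cycle) for cycle in cycles]

# Constructed sample: failed-probe counts per detection cycle for one object.
OBJ = ("host1", "127.0.0.1")  # dimensions host and host_ip, as in the page's example
CYCLES = [{OBJ: [0, 6]}, {OBJ: [0]}, {OBJ: [0]}, {OBJ: [2]}, {OBJ: []}]
```

With `recover_after` left unset, the object stays in `unrecovered` indefinitely, which corresponds to an event that never leaves the Unrecovered Events list.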
Step 2: Event Notification
Event Title: Set the event name of the alert trigger condition; support the use of preset template variables.
Note: In the latest version, the Monitor Name will be automatically generated based on the Event Title input. In older monitors, there may be inconsistencies between the Monitor Name and the Event Title. To enjoy a better user experience, please synchronize to the latest version as soon as possible. One-click replacement with event title is supported.
Event Content: The notification content sent when the trigger conditions are met. Markdown text is supported, with a preview of the rendered result, and preset template variables can be used; refer to template variables.
Note: Different alert notification objects support different Markdown syntax. For example, WeCom does not support unordered lists.
No Data Notification Configuration: Support customizing the content of the no data notification. If not configured, the official default notification template will be automatically used.
Alert Strategy: After the monitoring meets the trigger conditions, immediately send an alert message to the specified notification targets. The Alert Strategy includes the event level that needs to be notified, the notification targets and the mute alerting period.
Synchronously create Issue: If abnormal events occur under this monitor, an issue for anomaly tracking will be created synchronously and delivered to the channel for anomaly tracking. You can go to Incident > Your selected Channel to view it.
Step 3: Association
Associate Dashboard: Every monitor supports associating with a dashboard for quick navigation and viewing.
Example
The following figure shows the usability detection of production sites.