Event Center
TrueWatch provides an event management and auditing platform that supports real-time monitoring and unified querying of multi-source event data. Through event aggregation and correlation, it can quickly locate anomalies and efficiently analyze data.
Under the Event Center feature module, you can monitor system anomalies and service quality degradation issues through modules such as monitors, intelligent inspections, and SLOs. All monitoring activities generate event records, which are then collected in the Explorer module for further analysis and processing.
Event Sources
- Alerts triggered when the rules configured in monitors and intelligent monitoring are met;
- All alerts triggered by configured intelligent inspections and SLOs;
- Audit events generated by system operations;
- Custom events written through OpenAPI.
Event Viewing
- All Events: Aggregates events from all sources;
- Unrecovered Events: Displays events in the current workspace that have not recovered in the last 48 hours (`df_status != ok`);
- Change Events: Records operational activities in Kubernetes clusters that differ from expected patterns;
- Intelligent Monitoring Events: Includes all events triggered by intelligent monitoring rules.
Event Content
Taking events triggered by monitor rules as an example, the event content is primarily based on the information filled in at Create > Event Notification.
As shown below, the event title is defined as Log Detection - Multiple Indices, and the event content includes a DQL query statement and variables. The system generates and displays the final result based on the actual monitoring data.
When an anomaly is detected by the rule, you can view the relevant event content in Event > Event Details.
Event Fields
The final event record will include the following fields:
| Field | Description |
|---|---|
| `date` / `timestamp` | Time of occurrence. Unit: seconds |
| `df_date_range` | Time range. Unit: seconds |
| `df_check_range_start` | Start time of the detection range. Unit: seconds |
| `df_check_range_end` | End time of the detection range. Unit: seconds |
| `df_issue_start_time` | Time of the first occurrence of the fault in this round. Unit: seconds |
| `df_issue_duration` | Duration of the fault in this round, in seconds (from `df_issue_start_time` to this event) |
| `df_source` | Event source. Values: `monitor`, `user`, `system`, `custom`, `audit` |
| `df_status` | Event status. Values: `ok`, `info`, `warning`, `error`, `critical`, `nodata`, `nodata_ok`, `nodata_as_ok`, `manual_ok` |
| `df_sub_status` | Event detail status (a supplement to `df_status`) |
| `df_event_id` | Unique event ID |
| `df_title` | Title |
| `df_message` | Description |
- When `df_source = monitor`, the following additional fields exist:

| Field | Description |
|---|---|
| `df_dimension_tags` | Detection dimension tags, such as `{"host":"web01"}` |
| `df_monitor_id` | Alert policy ID |
| `df_monitor_name` | Alert policy name |
| `df_monitor_type` | Type: `custom` for custom monitoring events, `slo` for SLO events, `bot_obs` for intelligent inspection events |
| `df_monitor_checker` | Execution function name, such as `custom_metric` |
| `df_monitor_checker_sub` | Detection phase: `nodata` for the data-outage detection phase, `check` for the normal detection phase |
| `df_monitor_checker_id` | Monitor ID |
| `df_monitor_checker_name` | Monitor name |
| `df_monitor_checker_value` | Anomaly value at the time the event occurred |
| `df_monitor_checker_value_dumps` | Anomaly value at the time the event occurred, JSON-serialized so that it can be deserialized to recover the original value |
| `df_monitor_checker_value_with_unit` | Anomaly value at the time the event occurred, in the best-fit unit |
| `df_monitor_checker_ref` | Monitor association; references only the fields related to the DQL statement in the detection configuration |
| `df_monitor_checker_event_ref` | Monitor event association; references only `df_dimension_tags` and `df_monitor_checker_id` |
| `df_monitor_ref_key` | Association key for self-built inspections, used to match the event to its self-built inspection |
| `df_fault_id` | Fault ID for this round, taken from the `df_event_id` of the first fault event |
| `df_fault_status` | Fault status for this round; a redundant field derived from `df_status` and `df_sub_status` that marks whether the round is OK. Values: `ok` (normal), `fault` (fault) |
| `df_fault_start_time` | Start time of the fault in this round |
| `df_fault_duration` | Duration of the fault in this round, in seconds (from `df_issue_start_time` to this event) |
| `df_event_detail` | Event detection details |
| `df_event_report` | Intelligent monitoring report data |
| `df_user_id` | User ID of the operator who manually recovered the event |
| `df_user_name` | Username of the operator who manually recovered the event |
| `df_user_email` | Email of the operator who manually recovered the event |
| `df_crontab_exec_mode` | Execution mode. Values: `crontab`, `manual` |
| `df_site_name` | Current TrueWatch site name |
| `df_workspace_name` | Workspace name |
| `df_workspace_uuid` | Workspace UUID |
| `df_label` | Monitor labels; the labels specified in the monitor are stored in this field (UUID) |
| `df_alert_policy_ids` | Alert policy IDs (list) |
| `df_alert_policy_names` | Alert policy names (list) |
| `df_matched_alert_policy_rules` | Alert policy names and all matched rule names (list) |
| `df_channels` | List of incident channels the event belongs to |
| `df_at_accounts` | @ account information |
| `df_at_accounts_nodata` | @ account information (data outage) |
| `df_message_at_accounts` | Detailed list of @ users in fault alert messages |
| `df_nodata_message_at_accounts` | Detailed list of @ users in data outage alert messages |
| `df_workspace_declaration` | Attribute claims of the workspace |
| `df_matched_alert_members` | List of all matched alert notification members when sending by member |
| `df_matched_alert_upgrade_members` | List of all matched alert upgrade notification members when sending by member |
| `df_matched_alert_member_groups` | List of all matched member group names when sending by member |
| `df_charts` | Chart information, appended when the monitor configuration includes charts and this alert event requires a message to be sent |
| `df_alert_info` | Alert notification information |
| `df_is_silent` | Whether the event is muted; values are the strings `"true"` / `"false"` |
| `df_sent_target_types` | De-duplicated list of alert notification target types this event has been sent to |
| `df_check_targets` | Detection time and detection metrics from the monitor configuration |
| `df_check_condition`, `df_check_condition_expr` | Trigger rules from the monitor configuration |
| `df_check_rules` | Detection count and detection rules from the monitor configuration |
| `df_check_interval` | Detection frequency from the monitor configuration |
| `df_fault_end_time` | Fault recovery time |
- When `df_source = audit`, the following additional fields exist:

| Field | Description |
|---|---|
| `df_user_id` | Operator user ID |
| `df_user_name` | Operator username |
| `df_user_email` | Operator email |
| {Other fields} | Other fields based on the specific audit data |
- When `df_source = user`, the following additional fields exist:

| Field | Description |
|---|---|
| `df_user_id` | Creator user ID |
| `df_user_name` | Creator username |
| `df_user_email` | Creator email |
| {Other fields} | Other fields generated by user operations |
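The field tables above are easier to work with once a few of their conventions are handled explicitly: timestamps are Unix seconds, `df_is_silent` is the string `"true"`/`"false"` rather than a boolean, `df_monitor_checker_value_dumps` is a JSON string that must be deserialized to get the original value back, and every event in a fault round shares the `df_fault_id` of the round's first event. The script below, an added example that is not TrueWatch code, applies the per-event `df_status != ok` filter of the Unrecovered Events view, derives a round-level "still faulting" view from the latest event per `df_fault_id`, and pulls the operator identity out of audit/user records. All event records in it are constructed sample data with invented ids, hosts and values; `open_faults` and `fault_rounds` are this example's own helpers, not Event Center functions.

```python
"""Working with TrueWatch Event Center records.

Added example, not TrueWatch's own code. Field names follow the tables on
this page; every record below is constructed sample data with invented ids,
hosts and values.
"""
import json

UNRECOVERED_WINDOW_S = 48 * 3600  # the Unrecovered Events view looks back 48 hours
NOW = 1_700_000_000               # constructed "current time", Unix seconds (Unit: seconds)

# Constructed sample records (not captured from a real workspace).
SAMPLE_EVENTS = [
    {  # first event of a fault round: df_fault_id equals its own df_event_id
        "df_event_id": "ev-1", "df_source": "monitor", "df_status": "critical",
        "date": NOW - 7200, "df_fault_id": "ev-1", "df_fault_status": "fault",
        "df_monitor_checker_id": "mon-1", "df_dimension_tags": {"host": "web01"},
        "df_monitor_checker_value": 97.5, "df_monitor_checker_value_dumps": "97.5",
        "df_is_silent": "false",
    },
    {  # later event in the same round, still faulting but muted
        "df_event_id": "ev-2", "df_source": "monitor", "df_status": "critical",
        "date": NOW - 3600, "df_fault_id": "ev-1", "df_fault_status": "fault",
        "df_monitor_checker_id": "mon-1", "df_dimension_tags": {"host": "web01"},
        "df_monitor_checker_value": 99.0, "df_monitor_checker_value_dumps": "99.0",
        "df_is_silent": "true",
    },
    {  # recovery event that closes the round
        "df_event_id": "ev-3", "df_source": "monitor", "df_status": "ok",
        "date": NOW - 600, "df_fault_id": "ev-1", "df_fault_status": "ok",
        "df_monitor_checker_id": "mon-1", "df_dimension_tags": {"host": "web01"},
        "df_monitor_checker_value": 40.0, "df_monitor_checker_value_dumps": "40.0",
        "df_is_silent": "false",
    },
    {  # a second monitor whose round is still open, with a structured value
        "df_event_id": "ev-4", "df_source": "monitor", "df_status": "error",
        "date": NOW - 20 * 3600, "df_fault_id": "ev-4", "df_fault_status": "fault",
        "df_monitor_checker_id": "mon-2", "df_dimension_tags": {"host": "db01"},
        "df_monitor_checker_value": {"p99": 1.2},
        "df_monitor_checker_value_dumps": '{"p99": 1.2}', "df_is_silent": "false",
    },
    {  # audit record: carries operator fields instead of monitor fields
        "df_event_id": "ev-5", "df_source": "audit", "df_status": "info",
        "date": NOW - 300, "df_user_id": "u-1", "df_user_name": "alice",
        "df_user_email": "alice@example.com",
    },
]


def is_silent(event):
    """df_is_silent is the string "true"/"false"; bool("false") would be True."""
    return str(event.get("df_is_silent", "false")).lower() == "true"


def checker_value(event):
    """Recover the original anomaly value from its JSON-serialized copy."""
    dumps = event.get("df_monitor_checker_value_dumps")
    return json.loads(dumps) if dumps is not None else event.get("df_monitor_checker_value")


def unrecovered_events(events, now=NOW, window_s=UNRECOVERED_WINDOW_S):
    """Per-event filter behind the Unrecovered Events view: df_status != ok, last 48 h."""
    return [e["df_event_id"] for e in events
            if e.get("df_status") != "ok" and now - e["date"] <= window_s]


def open_faults(events, now=NOW, window_s=UNRECOVERED_WINDOW_S):
    """Round-level view (this example's own): monitor rounds whose latest event is not ok."""
    latest = {}
    for e in sorted(events, key=lambda e: e["date"]):
        if e.get("df_source") == "monitor":
            latest[e["df_fault_id"]] = e  # later events overwrite earlier ones
    return [fid for fid, e in latest.items()
            if e.get("df_status") != "ok" and now - e["date"] <= window_s]


def fault_rounds(events):
    """Group monitor events into rounds keyed by df_fault_id, oldest first."""
    rounds = {}
    for e in sorted(events, key=lambda e: e["date"]):
        if e.get("df_source") != "monitor":
            continue
        r = rounds.setdefault(e["df_fault_id"], {"events": [], "start": e["date"]})
        r["events"].append(e["df_event_id"])
        r["duration_s"] = e["date"] - r["start"]  # seconds since the round's first event
        r["recovered"] = e.get("df_fault_status") == "ok"
    return rounds


def operator(event):
    """Operator identity carried by audit- and user-source events."""
    if event.get("df_source") not in ("audit", "user"):
        return None
    return event.get("df_user_id"), event.get("df_user_name"), event.get("df_user_email")


if __name__ == "__main__":
    print("unrecovered events:", unrecovered_events(SAMPLE_EVENTS))
    print("open fault rounds:", open_faults(SAMPLE_EVENTS), fault_rounds(SAMPLE_EVENTS))
```

Note the difference between the two views: the per-event filter lists `ev-1` and `ev-2` because their own `df_status` is not `ok`, even though the round they belong to was closed by `ev-3`; grouping by `df_fault_id` and looking only at the latest event per round is what tells you which faults are actually still open.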