Range Detection

In the selected time range, the system will perform anomaly detection on Metrics data. If the proportion of sudden anomalies in the detected data points exceeds the preset threshold percentage, a range anomaly event will be triggered.

Use Cases

Use Range Detection to monitor data or Metrics with stable trends. For example, generate an anomaly event when the proportion of sudden anomaly data points in HOST CPU usage exceeds 10% in the last 1 day.

Configuration

Detection Frequency

How often the detection rule is executed. The frequency is set automatically to match the selected detection range.

Detection Range

The time range for querying Metrics each time the task is executed.

| Detection Range (Dropdown Options) | Detection Frequency |
| --- | --- |
| 15m | 5m |
| 30m | 5m |
| 1h | 15m |
| 4h | 30m |
| 12h | 1h |
| 1d | 1h |

Detection Metrics

The Metrics data being monitored.

| Field | Description |
| --- | --- |
| Data Type | The current data type being detected, including Metrics, LOG, Infrastructure, Resource Catalog, Events, APM, RUM, NETWORK, and Profile. |
| Measurement | The Measurement where the current detection Metrics are located. |
| Metric | The Metric targeted by the current detection. |
| Aggregation Algorithm | Includes Avg by (average), Min by (minimum), Max by (maximum), Sum by (sum), Last (last value), First by (first value), Count by (number of data points), Count_distinct by (number of distinct data points), p50 (median), p75 (75th percentile), p90 (90th percentile), p99 (99th percentile). |
| Detection Dimensions | Any string type (keyword) fields in the configuration data can be selected as detection dimensions. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. The system will determine whether the statistical Metrics of a detection object meet the threshold of the trigger conditions. If the conditions are met, an event will be generated. (For example, selecting detection dimensions host and host_ip, the detection object can be {host: host1, host_ip: 127.0.0.1}). |
| Filter Conditions | Filter the data of the detection Metrics based on the labels of the Metrics, limiting the data range for detection; supports adding one or more label filters; supports fuzzy matching and fuzzy non-matching filter conditions. |
| Alias | Custom detection Metric name. |
| Query Method | Supports simple query and expression query. |

Trigger Conditions

Set the trigger conditions for alert levels: You can configure any one of the trigger conditions for Emergency, Important, Warning, or Normal. Supports three forms of data comparison: Up (data increases), Down (data decreases), Up or Down.

Configure trigger conditions and severity. When the query result has multiple values, any value that meets the trigger conditions will generate an event.

For more details, refer to Event Level Description.

Alert Levels
  1. Alert Levels Emergency (red), Important (orange), Warning (yellow): Based on the configured condition judgment operators.

  2. Alert Level Normal (green): Based on the configured number of detections, explained as follows:

    • Each execution of a detection task counts as 1 detection. For example, if Detection Frequency = 5 minutes, then 1 detection = 5 minutes;
    • You can customize the number of detections. For example, if Detection Frequency = 5 minutes, then 3 detections = 15 minutes.
    | Level | Description |
    | --- | --- |
    | Normal | After the detection rule takes effect, if Emergency, Important, or Warning anomaly events are generated, and the data detection result returns to normal within the configured custom number of detections, a recovery alert event will be generated. |

    ⚠ Recovery alert events are not restricted by Alert Silence. If the number of detections for recovery alert events is not set, the alert event will not recover and will always appear in the Events > Unrecovered Events List.

Data Gap

For data gap status, seven strategies can be configured.

  1. Link to the detection range time range, judge the query result of the detection Metrics in the most recent minutes, do not trigger an event;

  2. Link to the detection range time range, judge the query result of the detection Metrics in the most recent minutes, treat the query result as 0; at this time, the query result will be re-compared with the threshold configured in the Trigger Conditions above to determine whether to trigger an anomaly event.

  3. Custom fill the detection range value, trigger data gap event, trigger emergency event, trigger important event, trigger warning event, and trigger recovery event; for this type of configuration strategy, it is recommended to configure the custom data gap time >= detection range time interval. If the configured time <= detection range time interval, there may be cases where both data gap and anomaly conditions are met simultaneously. In this case, only the data gap processing result will be applied.

Information Generation

Enable this option to generate "Information" events for detection results that do not match the above trigger conditions.

Note

If trigger conditions, data gap, and information generation are configured simultaneously, the triggering priority is judged as follows: data gap > trigger conditions > information event generation.
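
The rule described on this page, sketched as an added example (not the product's own code): one detection run computes the percentage of sudden points in the detection range, then applies the priority data gap > trigger conditions > information event. The page does not say how sudden anomalies are scored, so the median/MAD detector, the `thresholds` shape, the `gap_action` parameter and the sample CPU values are assumptions.

```python
from statistics import median

LEVELS = ("emergency", "important", "warning")  # most severe first

# Constructed sample: 20 HOST CPU usage readings (%), three of them spikes.
SAMPLE_CPU = [20, 21, 19, 20, 22, 20, 21, 19, 20, 21,
              95, 20, 19, 22, 97, 20, 21, 20, 19, 96]

def sudden_points(values, direction="up_or_down", k=3.0):
    """Flag points more than k * MAD away from the window median.

    Assumption: median/MAD is a stand-in detector for illustration;
    the page does not specify the scoring method.
    direction mirrors the page's Up / Down / Up or Down comparison.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1e-9  # avoid divide by zero
    flags = []
    for v in values:
        dev = (v - med) / mad
        up, down = dev > k, dev < -k
        flags.append({"up": up, "down": down,
                      "up_or_down": up or down}[direction])
    return flags

def evaluate(values, thresholds, direction="up_or_down",
             gap_action="data_gap", info_events=False):
    """Return the event produced by one detection run for one detection object.

    thresholds: {level: percent of sudden points}, a hypothetical shape.
    gap_action: event to emit on a data gap, or None for "do not trigger".
    """
    # 1. Data gap has the highest priority: nothing else is evaluated.
    if not values:
        return gap_action
    # 2. Trigger conditions: proportion of sudden points vs. threshold.
    flags = sudden_points(values, direction)
    pct = 100.0 * sum(flags) / len(flags)
    for level in LEVELS:
        if level in thresholds and pct > thresholds[level]:
            return level
    # 3. Information event only when no trigger condition matched.
    return "information" if info_events else None

if __name__ == "__main__":
    print(evaluate(SAMPLE_CPU, {"emergency": 30, "warning": 10}))
```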

Other Configurations

For more details, refer to Rule Configuration.