
Interval Detection V2


The interval detection of Version 2 constructs confidence intervals using historical data to predict normal fluctuation ranges. The system compares current data characteristics with historical data to determine whether they exceed the confidence interval, thereby identifying anomalies and triggering alerts to ensure data stability and security.

Main Features:

  • In-depth analysis: Confidence intervals are built based on historical data to predict normal fluctuations.
  • Continuous updates: Continuously updated by the TrueWatch algorithm team, enhancing data processing capabilities.

Concepts

Confidence interval range (confidence_interval): A metric that measures the tolerance for data fluctuation within a specific detection time window. The value ranges between 1% and 100%. When data volatility and randomness are high, this value can be increased appropriately; when the data fluctuates regularly, it can be reduced. A larger confidence interval widens the upper and lower bounds, which reduces the number of detected anomalies, and an interval that is too large may detect no anomalies at all; an interval that is too small may detect an excessive number of anomalies.

Therefore, adjusting this parameter according to the fluctuation characteristics of the data is crucial to balancing the sensitivity and accuracy of anomaly detection, and effectively avoids over-reporting or missing anomalies.
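To make that trade-off concrete, here is an added Python example; it is not TrueWatch's code, and the page does not document the actual bound formula, so the band below (historical mean plus or minus the historical spread scaled by confidence_interval) is an assumption for illustration. It builds a band from constructed historical samples, then counts how many points of a current window breach it under a narrow and a wide setting; the direction parameter mirrors the upward, downward and either comparison types described under Trigger Conditions.

```python
# Added example, not TrueWatch's own code. The band formula
# (mean +/- spread * confidence_interval/100) is an assumption for
# illustration; the page does not document how TrueWatch computes bounds.

def build_band(history, confidence_interval):
    """Return (lower, upper) bounds derived from historical values.

    confidence_interval is the tolerance in percent (1..100, as in the doc).
    Assumed formula: the band is centred on the historical mean and its
    half-width is the historical spread (max - min) scaled by the percentage,
    so a larger value gives wider bounds and fewer detected anomalies.
    """
    if not 1 <= confidence_interval <= 100:
        raise ValueError("confidence_interval must be between 1 and 100")
    if not history:
        raise ValueError("history must not be empty")
    baseline = sum(history) / len(history)
    half_width = (max(history) - min(history)) * confidence_interval / 100
    return baseline - half_width, baseline + half_width


def classify(value, band):
    """Label one sample as 'upward', 'downward' or None (inside the band)."""
    lower, upper = band
    if value > upper:
        return "upward"
    if value < lower:
        return "downward"
    return None


def detect(window, band, direction="either"):
    """Return (value, kind) for samples in the current window that breach the band.

    direction mirrors the rule's comparison type: 'upward' reports only rises
    above the upper bound, 'downward' only drops below the lower bound,
    'either' reports both.
    """
    if direction not in ("upward", "downward", "either"):
        raise ValueError("direction must be upward, downward or either")
    hits = []
    for value in window:
        kind = classify(value, band)
        if kind is not None and (direction == "either" or kind == direction):
            hits.append((value, kind))
    return hits


# Constructed sample data: a steady metric with a small historical spread,
# then a current window containing one spike and one dip.
HISTORY = [40, 42, 41, 43, 39, 44, 40, 42]
CURRENT = [41, 45, 38, 42]


def compare_settings(history=HISTORY, window=CURRENT, settings=(20, 100)):
    """Count the anomalies the same window produces under different tolerances."""
    return {ci: len(detect(window, build_band(history, ci))) for ci in settings}


if __name__ == "__main__":
    for ci in (20, 100):
        band = build_band(HISTORY, ci)
        print(f"confidence_interval={ci}% band={band} anomalies={detect(CURRENT, band)}")
```

With the narrow setting the spike and the dip are both reported; with the wide setting the same window produces nothing, which is the over-reporting versus missed-anomaly balance the parameter controls.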


Detection Configuration

Detection Frequency

This refers to the execution frequency of the detection rule, which defaults to 10 minutes and cannot be changed.

Detection Metrics

This indicates the metrics data being monitored.

  • Data Type: The data type currently being detected, including metrics, APM, and RUM data.
  • Measurement: The measurement where the currently detected metric resides.
  • Metric: The metric currently being detected.
  • Aggregation Algorithm: Includes Avg by (average), Min by (minimum), Max by (maximum), Sum by (sum), Last (last value), First by (first value), Count by (number of data points), Count_distinct by (number of distinct data points), p50 (median value), p75 (value at the 75th percentile), p90 (value at the 90th percentile), p99 (value at the 99th percentile).
  • Detection Dimensions: Any string-type (keyword) field in the configured data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. Combining multiple dimension fields determines a definite detection object. TrueWatch determines whether the statistical metrics of a given detection object meet the threshold conditions for triggering an event; if so, an event is generated. For example, selecting host and host_ip as detection dimensions, the detection object could be {host: host1, host_ip: 127.0.0.1}.
  • Filter Conditions: Filters the data of the detected metric by its tags to limit the scope of detection; one or more tag filters can be added; fuzzy-match and non-match filter conditions are supported.
  • Alias: Custom name for the detected metric.
  • Query Method: Supports simple queries and expression-based queries.

Trigger Conditions

Set trigger conditions for alert levels: any of the following trigger conditions can be configured: Emergency, Critical, Warning, or Normal. Three types of data comparison are supported: upward (data increase), downward (data decrease), or either upward or downward.

Configure trigger conditions and severity levels. When query results return multiple values, an event will be triggered if any value meets the condition.

For more details, refer to Event Level Description.

Alert Levels
  1. Alert Levels - Emergency (Red), Critical (Orange), Warning (Yellow): Based on the configured conditional operators.

  2. Alert Level - Normal (Green): Based on the configured number of detections, explained as follows:

    • Each execution of a detection task counts as one detection. For example, if Detection Frequency = 5 minutes, then 1 detection equals 5 minutes;
    • You can customize the number of detections. For instance, if Detection Frequency = 5 minutes, then 3 detections equal 15 minutes.

    • Normal: After the detection rule takes effect, if an emergency, critical, or warning event occurs and the data returns to normal within the configured number of detections, a recovery alert event is generated.
    ⚠ Recovery alert events are not subject to alert mute settings. If no detection count is set for recovery alert events, the alert event will not recover and will remain listed under Events > Unrecovered Events List.

Data Gap Handling

Seven strategies can be configured for handling data gaps.

  1. Combined with the detection interval time range, analyze the query result of the detected metric for the most recent minute, and do not trigger an event;

  2. Combined with the detection interval time range, analyze the query result of the detected metric for the most recent minute, and treat the query result as 0. The query result is then re-compared with the thresholds configured in the Trigger Conditions above to determine whether an anomaly event should be triggered;

  3. Customize the fill value for the detection interval, and trigger a data gap event, an emergency event, a critical event, a warning event, or a recovery event. When choosing this strategy, the recommended custom data gap time setting is >= the detection interval duration. If the configured time is <= the detection interval duration, a data gap and an anomaly may be satisfied simultaneously; in that case, only the data gap handling result is applied.

Information Generation

Enabling this option will generate "Information" level events from detection results that do not match any of the above trigger conditions.

Note

When configuring trigger conditions, data gaps, and information generation simultaneously, the triggering priority is as follows: Data Gap > Trigger Condition > Information Event Generation.
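The following added Python example (not TrueWatch's code) models the evaluation order described under Trigger Conditions, Alert Levels, Data Gap Handling and this note for a single detection object. Each call is one detection and a None result is a data gap; the three gap strategies, the custom gap event, the recovery detection count and information generation are constructed parameters, and the priority Data Gap > Trigger Condition > Information is applied in that order. The band, the level thresholds and the result sequence are constructed for the walkthrough.

```python
# Added example, not TrueWatch's own code. The level predicates, strategy
# names and state machine are constructed for illustration; only the priority
# order (Data Gap > Trigger Condition > Information) and the recovery rule
# (a configured number of consecutive normal detections) follow the page.

LEVELS = ("emergency", "critical", "warning")  # highest severity first
GAP_STRATEGIES = ("no_event", "treat_as_zero", "custom")
GAP_EVENTS = ("data_gap", "emergency", "critical", "warning", "recovery")


class DetectionRule:
    def __init__(self, conditions, gap_strategy="no_event", gap_event=None,
                 recovery_detections=None, info_events=False):
        # conditions: {level: predicate(value) -> bool} for the three alert levels
        # gap_strategy: strategy 1 ("no_event"), 2 ("treat_as_zero") or 3 ("custom")
        # gap_event: event emitted under the "custom" strategy
        # recovery_detections: consecutive normal detections before a recovery
        #     event; None means the event never recovers (stays unrecovered)
        # info_events: emit "information" for results matching no condition
        if gap_strategy not in GAP_STRATEGIES:
            raise ValueError(f"unknown gap strategy {gap_strategy!r}")
        if gap_strategy == "custom" and gap_event not in GAP_EVENTS:
            raise ValueError("custom strategy needs a gap_event from GAP_EVENTS")
        self.conditions = conditions
        self.gap_strategy = gap_strategy
        self.gap_event = gap_event
        self.recovery_detections = recovery_detections
        self.info_events = info_events
        self.unrecovered = False   # an emergency/critical/warning/gap event is open
        self.normal_streak = 0     # consecutive normal detections since it opened

    def _match_level(self, value):
        # The highest severity whose predicate holds wins.
        for level in LEVELS:
            predicate = self.conditions.get(level)
            if predicate is not None and predicate(value):
                return level
        return None

    def _open(self, event):
        # Assumption: any non-recovery event stays open until a recovery event.
        self.unrecovered = True
        self.normal_streak = 0
        return event

    def evaluate(self, value):
        """Run one detection; value is the query result, or None for a data gap."""
        if value is None:                       # data gap: highest priority
            if self.gap_strategy == "no_event":
                return None
            if self.gap_strategy == "custom":
                if self.gap_event == "recovery":
                    self.unrecovered, self.normal_streak = False, 0
                    return "recovery"
                return self._open(self.gap_event)
            value = 0                           # treat_as_zero: re-compare below
        level = self._match_level(value)
        if level is not None:                   # trigger condition
            return self._open(level)
        if self.unrecovered and self.recovery_detections is not None:
            self.normal_streak += 1             # Normal level: count detections
            if self.normal_streak >= self.recovery_detections:
                self.unrecovered, self.normal_streak = False, 0
                return "recovery"
        return "information" if self.info_events else None


def run(rule, results):
    """Feed a sequence of query results through the rule, one detection each."""
    return [rule.evaluate(value) for value in results]


def run_with_state(rule, results):
    """Like run(), but also report whether an event is still unrecovered."""
    return run(rule, results), rule.unrecovered


# Constructed band and thresholds for the walkthrough: warning when the value
# leaves the band, critical/emergency when it is more than 5/10 units outside.
LOWER, UPPER = 40.0, 43.0


def distance_outside(value):
    return max(LOWER - value, value - UPPER, 0)


def make_demo_rule(**overrides):
    conditions = {
        "emergency": lambda v: distance_outside(v) > 10,
        "critical": lambda v: distance_outside(v) > 5,
        "warning": lambda v: distance_outside(v) > 0,
    }
    return DetectionRule(conditions, **overrides)


# Constructed query results: normal, spike, two normals, a gap, two normals.
DEMO_RESULTS = [41, 49, 41, 41, None, 41, 41]


if __name__ == "__main__":
    rule = make_demo_rule(gap_strategy="treat_as_zero", recovery_detections=2)
    print(run(rule, DEMO_RESULTS))
```

Running the same result sequence with recovery_detections=None shows the behaviour called out under Alert Levels: the critical event is raised once and the rule stays unrecovered no matter how many normal detections follow. Switching the gap strategy changes only the fifth detection: nothing under strategy 1, an emergency (0 is far outside the band) under strategy 2, and the configured custom event under strategy 3.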

Other Configurations

For more details, please refer to Rule Configuration.