Skip to content

Network Data Detection

Current Document Location

This document is the second step in the detection rule configuration process. After configuration is complete, please return to the main document to continue with the third step: Event Notification.

Used to monitor network performance metrics within a workspace, allowing users to set threshold ranges and trigger alerts when metrics exceed these thresholds. Supports configuring alert rules for a single metric and allows customization of alert severity levels.

Data Scope: Supports metric data from data sources netflow and httpflow.

Applicable for monitoring key performance indicators at the network layer. For example:

  • Monitoring network-layer metrics such as TCP connection count, retransmission count, latency, etc., for the netflow data source on hosts.
  • Monitoring application-layer metrics such as request count, error count, error rate, response time, etc., for the httpflow data source.

Detection Configuration

Detection Frequency

Set the time period for executing detection.

  • Preset Options: 1 minute, 5 minutes (default), 15 minutes, 30 minutes, 1 hour, 6 hours, 12 hours, 24 hours

  • Crontab Mode: Click "Switch to Crontab Mode" to configure a custom schedule, supporting periodic task execution based on seconds, minutes, hours, days, months, weeks, etc.

Detection Interval

Set the data time range queried for each detection (❗️The detection interval should be greater than or equal to the detection frequency and should match the actual data reporting period to avoid missed detections or false positives).

Detection Frequency Detection Interval (Dropdown Options)
30s 1m/5m/15m/30m/1h/3h
1m 1m/5m/15m/30m/1h/3h
5m 5m/15m/30m/1h/3h
15m 15m/30m/1h/3h/6h
30m 30m/1h/3h/6h
1h 1h/3h/6h/12h/24h
6h 6h/12h/24h
12h 12h/24h
24h 24h
  • Custom Format: Custom input for detection interval, e.g., 20m (last 20 minutes), 2h (last 2 hours), 1d (last 1 day).

Detection Metrics

Set the metrics for detection data, supporting metrics from all or a single service list within the workspace over a specified time range (❗️Avoid selecting high-cardinality fields as detection dimensions. If configured improperly, overly lenient trigger conditions may cause frequent alerts. The current query maximum return count is 100,000 records).

Configuration Elements

Configuration Item Description
Data Source Supported selections:
netflow: Network flow data (TCP layer metrics)
httpflow: HTTP flow data (application layer metrics)
Metric Displays corresponding metrics based on the selected data source:

netflow metrics:
• Bytes Sent
• Bytes Received
• TCP Delay
• TCP Jitter
• TCP Connection Count
• TCP Retransmission Count
• TCP Close Count

httpflow metrics:
• Request Count
• Error Count
• Error Rate
• Average Response Time
• P99 Response Time
• P95 Response Time
• P75 Response Time
• P50 Response Time
Filter Conditions Filter the data of detection metrics based on metric tags to limit the data scope; supports adding one or multiple tag filters; supports fuzzy match and fuzzy not-match filter conditions.
Detection Dimensions Any string-type (keyword) field in the configuration data can be selected as a detection dimension. Currently, a maximum of three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. The system will judge whether the statistical metrics corresponding to a detection object meet the threshold of the trigger condition. If the condition is met, an event is generated.

(For example, selecting detection dimensions host and host_ip, the detection object could be {host: host1, host_ip: 127.0.0.1}.)

Trigger Conditions

Configure trigger conditions and severity levels. When the query result contains multiple values, an event is generated if any value meets the trigger condition.

Supports configuring four severity thresholds: Critical, Severe, Important, Warning, and a Normal recovery condition.

Level Configuration Description
Critical When Result >= [value] Highest level alert, requires immediate handling.
Severe When Result >= [value] High-level alert, requires priority handling.
Important When Result >= [value] Medium-level alert, requires attention.
Warning When Result >= [value] Low-level alert, requires monitoring.
Normal [N] consecutive detections without event generation After the detection rule takes effect, if the data detection result changes from abnormal (Critical, Severe, Important, Warning) back to normal within the configured custom number of detection cycles, a recovery alert event is triggered.
❗️ Recovery alert events are not subject to Alert Silence restrictions. If the recovery alert event detection count is not set, the alert event will not recover and will remain in the Events > Unrecovered Events List.

For more details, refer to Event Level Description.

Advanced Options

Consecutive Trigger Judgment

When enabled, events are generated only when the trigger condition is continuously met, avoiding false positives from transient fluctuations (❗️Maximum configuration limit is 10 times).

Bulk Alert Protection

Enabled by default in the system.

When the number of alerts generated in a single detection exceeds a preset threshold, the system automatically switches to a status summary strategy: instead of processing each alert object individually, a small number of summary alerts are generated and pushed based on event status.

This ensures notification timeliness while significantly reducing alert noise and avoiding timeout risks from processing too many alerts.

When this switch is enabled, subsequent event details generated by the monitor after detecting anomalies will not display historical records and related events.

Data Gap

Handling strategy when the detection metric query result is empty within the detection interval:

Option Description
Do Not Trigger Event (Default) Links with the detection interval time range, judges whether to generate an event based on the query results of the detection metric in the last several minutes. Suitable for scenarios where data gaps are allowed.
Treat Query Result as 0 Links with the detection interval time range, treats the query result of the detection metric in the last several minutes as 0, and re-compares it with the thresholds configured in the Trigger Conditions above to determine whether to trigger an abnormal event.
Custom Fill and Trigger Event Supports custom filling of the detection interval value and triggers the following event types respectively: Data Gap Event, Critical Event, Severe Event, Important Event, Warning Event, and Recovery Event.

❗️When choosing this strategy, it is recommended that the configured custom data gap time be ≥ the detection interval time. If the configured time is ≤ the detection interval time, situations where both data gap and anomaly conditions are met may occur. In such cases, the data gap handling result will be applied first.

When trigger conditions, data gap, and information generation are configured simultaneously, the triggering judgment follows this priority: Data Gap > Trigger Conditions > Information Event Generation.

That is: first judge whether there is a data gap, then judge whether the threshold is triggered, and finally judge whether to generate an information event.

Information Generation

When this option is enabled, the system writes all detection results that do not match the above trigger conditions as "Information" events.

Suitable for scenarios requiring recording of normal state changes or low-priority information.

Subsequent Configuration

After completing the above detection configuration, please continue to configure:

  1. Event Notification: Define event title, content, notification members, data gap handling, and associated incidents;

  2. Alert Configuration: Select alert strategies, set notification targets, and mute periods;

  3. Association: Associate dashboards for quick data viewing;

  4. Permissions: Set operation permissions to control who can edit/delete this monitor.