Anomaly monitors
This section introduces the Monitors tab and explains how to create monitors.
Anomaly monitors allow you to aggregate your event data and compare the results of this aggregation to what can be considered normal for the query. When the results are too much above or below the value that Axiom expects based on the event history, the monitor enters the alert state. The monitor remains in the alert state until the results no longer deviate from the expected value. This can happen without the results returning to their previous level if they stabilize around a new value. An anomaly monitor sends you a notification each time it enters or exits the alert state.
Create anomaly monitor
To create an anomaly monitor, follow these steps:
- Click the Monitors tab, and then click New monitor.
- Click Anomaly monitor.
- Name your monitor and add a description.
- Configure the monitor using the following options:
- The comparison operator is the rule to apply when comparing the results to the expected value. The possible values are above, below, and above or below.
- The tolerance factor controls the sensitivity of the monitor. It defines how much deviation from the expected value to accept without triggering the monitor. It’s a range above and below the expected value. The higher the tolerance factor, the wider this range. When the results of the aggregation stay within this range, the monitor doesn’t trigger. When the results of the aggregation cross this range, the monitor triggers. The tolerance factor can be any positive numeric value.
- The frequency is how often the monitor runs. This is a positive integer number of minutes.
- The range is the time range for your query. This is a positive integer number of minutes. A longer time range allows the anomaly monitor to consider a larger number of datapoints when calculating the expected value.
- Alert on no data triggers the monitor when your query doesn’t return any data. Your query returns no data if no events match your filters and an aggregation used in the query is undefined. For example, you take the average of a field not present in any matching events.
- You can group by attributes when defining your query. By default, your monitor enters the alert state if any of the values returned for the group-by attributes deviate from the expected value, and remains in the alert state until none of the values returned deviates from the expected value. To trigger the monitor separately for each group that deviates from the expected value, enable Notify by group. At most one trigger notification is sent per monitor run. This option only has an effect if the monitor’s query groups by a non-time field.
- Toggle Require seasonality to compare the results to seasonal patterns in your data. For example, your query produces a time series that increases at the same time each morning. Without accounting for seasonality, the monitor compares to recent results only. By toggling Require seasonality, the monitor compares the results to the same time of the previous day or week and only triggers if the results deviate from the expected seasonal pattern.
- Click Add notifier, and then select the notifiers that define how you want to receive notifications for this monitor. For more information, see Notifiers.
- To define your query, use one of the following options:
- To use the visual query builder, click Simple query builder. Click Visualize to select an aggregation method, and then click Run query to preview the results in a chart. The monitor enters the alert state if any points on the chart deviate from the expected value. Optionally, use filters to specify which events to aggregate, and group by fields to split the aggregation across the values of these fields.
- To use Axiom Processing Language (APL), click Advanced query language. Write a query where the final clause uses the
summarize
operator, and then click Run query to preview the results. For more information, see Introduction to APL. If your query returns a chart, the monitor enters the alert state if any points on the chart deviate from the expected value. If your query returns a table, the monitor enters the alert state if any numeric values in the table deviate from the expected value. If your query uses thebin_auto
function, Axiom displays a warning. To ensure that the monitor preview gives an accurate picture of future performance, usebin
rather thanbin_auto
.
- Click Create.
You have created an anomaly monitor. Axiom alerts you when the results from your query are too high or too low compared to what’s expected based on the event history.
In the chart, the red dotted line displays the tolerance range around the expected value over time. When the results of the query cross this range, the monitor triggers.
Examples
For real-world use cases, see Monitor examples.
Was this page helpful?