...

The deviation method triggers an alert every time an aggregated value of a single grouped element is significantly higher or lower than the median value of all the elements within the same grouping period. This alert type is similar in concept and execution to the gradient type; they both use deviations from values to trigger alerts, however, they differ in the value they use to calculate the deviation. In the case of the deviation type, it is from the median of the values in the same period while in the gradient type, it is from the analogous value of the previous period with data. See the following picture for a more visual explanation.


This type of alert could be useful when monitoring periodic tasks and their data patterns to be informed whenever the aggregated values inside a period differ too much from the frequency distribution midpoint.

What data do I need to create this alert?

To create an alert using this triggering method, your query must group events by at least one grouping key using a time-based option and add an aggregation. However, to have meaningful data for the alert, it is necessary to group by at least two keys.

  • If you did not group, this alert type will not appear for you to select in the alert definition window.
  • If you grouped without the necessary key or used a non-time-based option, the alert variables will not appear for you to define and a message will inform you about the requirements you still need to meet.
  • If you did not aggregate, you will not have the column you need for the Add a numeric column field (see the following section) and therefore you will not be able to create the alert.

...

The $columnName command used to display column values in the Summary and Description fields can be employed with the columns and properties below. Using a different one will not activate the command and will be interpreted as plain text.

  • $eventdate: You can use this column to display the moment in time at which the events that triggered the alert were received.
  • Grouping columns: You can use the columns added as arguments in the grouping operation (for example, the $responseTime command will be valid only if the responseTime column is added as an argument when grouping your data).
  • Aggregation columns: You can use the columns that result from the aggregation operation (for example, the $count command will be valid only if a count aggregation operation is performed and the resultant column is named count).
  • $median: Even though it is not a column, it can be used to reference the calculated median value from which the deviation is measured.

Query example

In the demo.ecommerce.data table, imagine that you want to receive an alert whenever the number of events received for client IP addresses displaying the 404 status code is 25% higher or lower than the median in every 30-minute period.

First of all, you need to filter your query data using the Equal (eq, =) operation, group your query data by two keys using a time-based option and then aggregate it. Then, you need to open the alert definition window, select the deviation type alert and fill in all the details (pay special attention to the specific settings of this alert type).

To save time, you can copy the following query to reproduce the aforementioned example from the demo.ecommerce.data sample table and create a deviation type alert.

from demo.ecommerce.data
where statusCode = 404
group every 30m by clientIpAddress, statusCode
every 30m
select count() as count
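The following Python script is an added illustration of the evaluation the deviation alert performs on the output of the query above; it is not code from the page or from the Devo platform. It reproduces the query on constructed sample events (filter on status code 404, group every 30 minutes by client IP, count), then computes the median of the per-IP counts within each period and flags any IP whose count is more than 25% above or below that median. The function names, the sample data and the choice to measure the 25% relative to the median are assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import median


def _make(period_start, ip, status, n):
    """Constructed events as (timestamp_seconds, clientIpAddress, statusCode)."""
    return [(period_start + i, ip, status) for i in range(n)]


# Constructed sample data (not real traffic): two 30-minute periods.
SAMPLE_EVENTS = (
    _make(0, "10.0.0.1", 404, 10) + _make(0, "10.0.0.2", 404, 10)
    + _make(0, "10.0.0.3", 404, 11) + _make(0, "10.0.0.4", 404, 20)
    + _make(0, "10.0.0.4", 200, 50)  # non-404 traffic, dropped by the filter
    + _make(1800, "10.0.0.1", 404, 8) + _make(1800, "10.0.0.2", 404, 8)
    + _make(1800, "10.0.0.3", 404, 3)
)


def bucket_counts(events, period_s=1800, status=404):
    """Mirror of the query: where statusCode = 404, group every 30m by IP, count().

    Returns {period_start: Counter({clientIpAddress: count})}. An IP with no
    404s in a period produces no group, so it does not take part in the median.
    """
    periods = defaultdict(Counter)
    for ts, ip, code in events:
        if code == status:
            periods[ts - ts % period_s][ip] += 1
    return periods


def deviation_alerts(periods, threshold=0.25):
    """Flag each grouped element whose count deviates from the period median.

    One alert per (period, IP) whose count is more than `threshold` (25%)
    above or below the median of all IP counts in that same period.
    """
    alerts = []
    for start in sorted(periods):
        counts = periods[start]
        med = median(counts.values())  # the value $median refers to
        for ip, n in sorted(counts.items()):
            if abs(n - med) > threshold * med:
                alerts.append((start, ip, n, med))
    return alerts


if __name__ == "__main__":
    for start, ip, n, med in deviation_alerts(bucket_counts(SAMPLE_EVENTS)):
        print(f"period {start}: {ip} count={n} median={med}")
```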

...