
Gradient alert type

Overview

The gradient method triggers an alert every time an aggregated value of a grouped element varies significantly from one grouping period/set to the next. This alert type is similar in concept and execution to the deviation type: both trigger alerts on deviations from a reference value, but they differ in the reference value used to calculate the deviation. In the case of the gradient type, the reference is the analogous value of the previous period with data, while in the deviation type it is the median of the values in the same period. See the following picture for a more visual explanation.

This type of alert could be useful when monitoring periodic tasks and their data patterns over time to be informed whenever an aggregated value differs too much from its analogous of the previous period with data.

Keep in mind that these alerts are not triggered when a grouping element has no events in the following period, or when a grouping key takes a value that has not appeared before (there is no previous value to compare against).

What data do I need to create this alert?

To create an alert using this triggering method, your query must group events by at least one grouping key using a time-based option and add an aggregation.

  • If you did not group, this alert type will not appear for you to select in the alert definition window.
  • If you grouped without the necessary key or used a non-time-based option, the alert variables will not appear for you to define and a message will inform you about the requirements you still need to meet.
  • If you did not aggregate, you will not have the column you need for the Add a numeric column field (see the following section) and therefore you will not be able to create the alert.

Defining the alert

After selecting this type of alert, you have to define the following variables:

Using column values in the Summary and Description

You can use the $columnName command to display in the Summary and Description fields the column values of the events that triggered the alert. This command can be employed with the names of the columns and properties below. Using a different one will not activate the command and will be interpreted as plain text.

  • $eventdate
  • $columnName of the columns resulting from grouping operations.
  • $columnName of the columns resulting from aggregation operations.
  • $difference: even though it is not the name of a column, it is a feature that can be used with the rolling alert type to display the difference in value from one period to the next.

In the following query, you could use:

from demo.ecommerce.data
where statusCode = 404
group every 30m by method, timeTaken
select avg(bytesTransferred) as avgBytesTransferred

$eventdate
$method
$timeTaken
$avgBytesTransferred
$difference

Query example

In the demo.ecommerce.data table, imagine that you want to receive an alert whenever the number of events received for client IP addresses displaying the 404 status code is 25% higher or lower than the count in the previous 30-minute period.

First of all, you need to filter your query data using the Equal (eq, =) operation, group your query data by two keys using a time-based option and then aggregate it. Then, you need to open the alert definition window, select the gradient type alert and fill in all the details (pay special attention to the specific settings of this alert type).

To save time, you can copy the following query to reproduce the aforementioned example from the demo.ecommerce.data sample table and create a gradient type alert.

from demo.ecommerce.data
where statusCode = 404
group every 30m by clientIpAddress, statusCode
select count() as count
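The following is an added example (not the product's own alert engine, and not part of the original page) of how the evaluation described above can be reproduced offline over the rows the query example returns: one count per 30-minute period and clientIpAddress. The sample rows are constructed; the 25% threshold, the comparison against the last period with data, and the skipping of new keys and missing periods follow the behaviour described in this document, and the alert fields are named so that a $columnName template can be expanded from them.

```python
from datetime import datetime, timedelta

# Constructed sample of aggregated rows, shaped like the output of the query
# example: (period start, clientIpAddress, count). 203.0.113.5 has no row in
# period 3, and 198.51.100.9 appears for the first time in period 3.
T0 = datetime(2024, 1, 1, 0, 0)
P = timedelta(minutes=30)
ROWS = [
    (T0 + 0 * P, "203.0.113.5", 40), (T0 + 0 * P, "192.0.2.10", 100),
    (T0 + 1 * P, "203.0.113.5", 42), (T0 + 1 * P, "192.0.2.10", 70),
    (T0 + 2 * P, "203.0.113.5", 60), (T0 + 2 * P, "192.0.2.10", 75),
    (T0 + 3 * P, "192.0.2.10", 76), (T0 + 3 * P, "198.51.100.9", 500),
    (T0 + 4 * P, "203.0.113.5", 61), (T0 + 4 * P, "192.0.2.10", 20),
]


def gradient_alerts(rows, threshold=0.25):
    """Return one alert per (period, key) whose aggregated value differs by at
    least `threshold` (as a fraction) from that key's previous period with data.
    Keys seen for the first time are never compared, and a key with no row in
    a period simply produces nothing, matching the documented behaviour."""
    last_value = {}  # key -> value from the most recent period that had data
    alerts = []
    for eventdate, key, value in sorted(rows):
        if key in last_value:
            prev = last_value[key]
            difference = value - prev
            # Assumption: a previous value of 0 is skipped (ratio undefined).
            if prev != 0 and abs(difference) / abs(prev) >= threshold:
                alerts.append({
                    "eventdate": eventdate,
                    "clientIpAddress": key,   # grouping column
                    "count": value,           # aggregation column
                    "difference": difference, # value change vs. previous period
                })
        last_value[key] = value
    return alerts


def render(template, alert):
    """Expand $eventdate, $clientIpAddress, $count and $difference in a
    Summary/Description template (simplified stand-in for the real feature)."""
    out = template
    for name, val in alert.items():
        out = out.replace("$" + name, str(val))
    return out


if __name__ == "__main__":
    for a in gradient_alerts(ROWS):
        print(render("$eventdate $clientIpAddress: $count ($difference)", a))
```

Running the block reports three alerts: 192.0.2.10 in periods 1 and 4, and 203.0.113.5 in period 2, while its return in period 4 is compared against period 2 and stays below the threshold.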
