The anomaly detector examines the time-based data in the log records within the specified time interval, using the defined queries and filters, and detects anomalies that fall within the threshold value.

Actions can be added to run when an anomaly is detected.

In this example, an anomaly is raised if the number of erroneous requests on a selected proxy has increased by 50% in the last 1 hour.

Entering the General Description of the Anomaly Detector

In the first step, the descriptive information of the job is entered. The most important field here is the environment option: queries and filters are run on the log server of the selected environment.


Creating a Query

A query defines the expected state by combining fields that will be matched against the log records (HTTP Method, Error Type, etc.) with criteria joined by and/or/not.

To create a new query, click the New Query button in the Query section.


When the Save button is clicked, the created query is added to the job being defined.


Click to go to the Queries screen where all queries are managed and to get detailed information.

Creating a Filter

Filters are applied together with queries. A filter contains the criteria that log records must match.

A new filter is created from the Filter section.



When the Save button is clicked, the created filter is added to the job being defined.


Click to go to the Filters screen where all filters are managed and to get detailed information.

Conditions

In the following condition, 'count of documents' refers to the number of requests. The condition checks whether there is an increase of more than 50% compared to the average.

Here, '1 Result' means that a single occurrence is enough for it to be considered an anomaly.
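The condition described above can be reproduced offline to sanity-check a threshold before saving the job. This is an added example, not the product's own code. The record fields (`ts`, `proxy`, `status`), the proxy names, the 4xx/5xx error rule, and taking "the average" to be the mean of the three preceding one-hour windows are all assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # the "last 1 hour" interval
INCREASE = 0.50               # breach when the count is more than 50% above the average
MIN_RESULTS = 1               # '1 Result': one breaching evaluation is enough

def window_counts(records, proxy, now, n_windows):
    """Erroneous requests on `proxy` per window, oldest first; last entry is the current hour."""
    counts = [0] * n_windows
    for r in records:
        # Assumed query/filter: selected proxy only, 4xx/5xx counts as erroneous.
        if r["proxy"] != proxy or r["status"] < 400:
            continue
        age = now - r["ts"]
        if timedelta(0) <= age < WINDOW * n_windows:
            counts[n_windows - 1 - int(age / WINDOW)] += 1
    return counts

def evaluate(records, proxy, now, n_windows=4):
    counts = window_counts(records, proxy, now, n_windows)
    baseline, current = counts[:-1], counts[-1]
    average = sum(baseline) / len(baseline)
    # Assumption: with an empty baseline, any error in the current hour is a breach.
    breach = current > average * (1 + INCREASE) if average else current > 0
    breaches = int(breach)
    return {"current": current, "average": average, "anomaly": breaches >= MIN_RESULTS}

def sample_records(now, per_window):
    """Constructed sample data: per_window holds error counts, oldest first, for 'orders-api'."""
    recs = []
    n = len(per_window)
    for i, errors in enumerate(per_window):
        start = now - WINDOW * (n - i)
        for k in range(errors):
            recs.append({"ts": start + timedelta(minutes=1 + k), "proxy": "orders-api", "status": 500})
        # Noise the filter must ignore: a successful call and an error on another proxy.
        recs.append({"ts": start + timedelta(minutes=30), "proxy": "orders-api", "status": 200})
        recs.append({"ts": start + timedelta(minutes=31), "proxy": "billing-api", "status": 502})
    return recs

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)
    print(evaluate(sample_records(now, [4, 6, 5, 9]), "orders-api", now))
```

With a baseline average of 5 errors per hour, 9 errors in the current hour is a breach (above 7.5), while 7 is not.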


Actions

We can set up an alert for when an anomaly is detected. In this example, we will send an e-mail when an anomaly occurs.

In the 'Server' field, you can add new mail connection information or select an existing one. The e-mail is saved by entering the address, subject and message to be sent.

Click to get information about the types of actions, the use of the action and the variables in the task.


Save

In its final state, the information will look like the following, and we can make it ready for viewing with the Save button.


Examining the Details of the Job

You can check the job with the Result option.


If an error is received and its cause needs to be found, or if you want to examine and filter the general log records of the process, visit the detail page of the monitor record.

Detailed information can be obtained by clicking the detail icon in the relevant log record.