Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Anomaly detector #1115

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Anomaly detector #1115

wants to merge 4 commits into from

Conversation

ruria
Copy link
Contributor

@ruria ruria commented May 21, 2017

Sometimes you don´t know what to check! If one user is infected, number of emails sent goes craizy, or if an error not seen before, your server log may write a bunch of lines, much more than usual... This method can help detecting statistically outliers.

You can use it in the same way to check time series, if your free space change suddenly, why wait to 80% of your disk is full?

@id3a
Copy link

id3a commented May 26, 2017

This is great, Is it possible to filter ?
Taking your example, if your monitored the free space in disk for 2 diferent disks, is it possible to make a rule only for one of them?

@ruria
Copy link
Contributor Author

ruria commented May 26, 2017

You can use "filter:" in the normal way to redefine your query. Even you can use "query_key" to check each one in isolation.

@id3a
Copy link

id3a commented May 26, 2017

I'm trying to use this on cpu percentage. Here are the events
imagem

However I don't have any match with this settings

index: metricbeat-*
name: Example anomaly rule
type: anomaly
anomaly_type: up
value_field: system.cpu.user.pct
alert_on_new_data: false
K: 2
number_windows: 10
ignore_empty_window: true
timeframe:
  minutes: 10
alert:
- "debug"

@ruria
Copy link
Contributor Author

ruria commented May 29, 2017

I think you can improve performance with a filter, something like:

 filter:
 - term:
     metricset.name: "cpu"

Anyway, there was not support for dots in fields names, try a git pull now, and give it a shot.

thanks for testing!

@Dmitry1987
Copy link

This PR looks very interesting! Gotta try.

@jakes44
Copy link
Contributor

jakes44 commented Aug 4, 2017
edited
Loading

Yeah, anybody had success with this? Would definitely want to get this merged if possible... Exactly what I need for use cases at work. Collecting metrics with metricbeat, and this is a great way to trigger alerts based on existing data.

@Dmitry1987
Copy link

@Qmando , what do you think about this PR, do you plan to merge it in one of future versions?

@ruria
Copy link
Contributor Author

ruria commented Aug 7, 2017

There are some bugs we're working on right now. I'll push the patch no later the end of the week.

@ruria
Copy link
Contributor Author

ruria commented Sep 10, 2017
edited
Loading

Sorry for the delay!

@Dmitry1987
Copy link

Wow that's a massive update, awesome job @ruria ! Thank you!

@Paraomao
Copy link

Good!

@vsabelli
Copy link

Hello everybody,

do you have any news about this PR? @ruria @Qmando

@ruria
Copy link
Contributor Author

ruria commented Sep 18, 2019

Can I help @Qmando ?

@nsano-rururu nsano-rururu mentioned this pull request Mar 12, 2022
Closed
@nsano-rururu
Copy link
Contributor

@ruria
Are you planning to make a pull request to elastalert2?
https://github.com/jertel/elastalert2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@ruria @id3a @Dmitry1987 @jakes44 @Paraomao @vsabelli @nsano-rururu