Anomaly detection alerts
An anomaly detection alert learns the expected behavior of a log query from recent history and fires when the live count deviates from that baseline. Use it when normal behavior shifts over time and a fixed threshold would either miss real problems or fire constantly: a transaction whose response time exceeds its usual duration, or a host whose outbound traffic climbs above its normal level, signalling a possible breach.
Anomaly detection runs on the Coralogix Streama© technology, evaluating directly on the monitoring pipeline without prior indexing.
What you need
- Access to Coralogix with permission to create alerts
- A log query with enough history to learn a baseline (see Data requirements)
Define the query
In the alert creation wizard, the Query step is where you select the alert type and describe the signal whose baseline Coralogix learns.
- Go to Alerts, then select Create alert.
- In the Query step, select Anomaly as the alert type.
- Write the Lucene query that returns the logs you want to monitor, and narrow it with filters such as application, subsystem, or severity.
The query defines the data the model learns from. The machine-learning model builds a baseline for this signal and compares each evaluation against it.
Set the condition
In the Condition step, you define how far from the baseline a count must move to trigger the alert.
- Deviation direction: trigger when the count is more than usual or less than usual compared to the learned baseline.
- Deviation sensitivity: tune how large a deviation must be before the alert fires. See Anomaly sensitivity.
- Group by: add one or more group-by keys to evaluate each combination separately. The model establishes a baseline for every group-by key, and the alert fires when a key's count deviates from its own baseline.
- Advanced configurations: optionally add a custom evaluation delay to absorb late-arriving data.
You can add multiple conditions to a single alert. See Multiple alert conditions.
Route and name the alert
Set routing and naming in the Notification and Details steps of the alert creation wizard. When everything is in place, select Create alert.
Data requirements
Anomaly detection requires sufficient historical data to establish a reliable baseline.
- The model trains on the previous 7 days of log data.
- At least 90% of this 7-day period must contain data.
- If the log source already has 7+ days of history when you create the alert, the alert becomes active within approximately 24 hours after the next daily model build.
- Creating a new anomaly detection alert
- Changing the query or filter
- Changing core condition logic that defines the data being modeled
- Changing the deviation percentage or sensitivity
- Changing notification settings, labels, or suppression rules
- Changing the alert name or priority
Plan changes to the query carefully. Editing the query retrains the model and leaves the alert inactive for the duration of the new learning period.
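The condition and data-requirement rules above can be seen working together in a small model of the evaluation loop. The following is an added example written for this page, not Coralogix code and not the Streama algorithm: it assumes hourly count buckets, a mean-and-standard-deviation baseline, and a sensitivity expressed in standard deviations (all three are assumptions of the example; the page specifies only the 7-day window and the 90% data-presence rule). Per-host histories and live counts are constructed inline; a host whose window falls below 90% coverage stays inactive, and the custom evaluation delay is not modelled.

```python
from statistics import mean, pstdev

HISTORY_DAYS = 7          # the model trains on the previous 7 days (from the page)
MIN_COVERAGE = 0.90       # at least 90% of that window must contain data (from the page)
BUCKETS_PER_DAY = 24      # hourly buckets: an assumption of this example
WINDOW = HISTORY_DAYS * BUCKETS_PER_DAY


def has_enough_history(bucket_counts):
    """True when the most recent 7-day window meets the 90% data-presence rule.

    bucket_counts: per-hour log counts, with None where no data arrived.
    """
    if len(bucket_counts) < WINDOW:
        return False
    window = bucket_counts[-WINDOW:]
    present = sum(1 for c in window if c is not None)
    return present / WINDOW >= MIN_COVERAGE


def learn_baseline(bucket_counts):
    """Baseline as (mean, population std dev) of the window (example's model choice)."""
    window = [c for c in bucket_counts[-WINDOW:] if c is not None]
    return mean(window), pstdev(window)


def evaluate(live_count, baseline, direction="more", sensitivity=3.0):
    """True when live_count deviates from the baseline in the chosen direction.

    direction: "more" (more than usual) or "less" (less than usual).
    sensitivity: standard deviations the count must move (example's scale).
    """
    avg, sd = baseline
    sd = max(sd, 1e-9)              # guard a perfectly flat baseline
    z = (live_count - avg) / sd
    if direction == "more":
        return z > sensitivity
    if direction == "less":
        return z < -sensitivity
    raise ValueError("direction must be 'more' or 'less'")


def evaluate_grouped(history_by_key, live_by_key, direction="more", sensitivity=3.0):
    """Learn one baseline per group-by key and evaluate each key against its own.

    A key without enough history is reported as "inactive" rather than evaluated,
    mirroring the learning period described on the page. A key with no live
    count is treated as zero logs in the evaluation window.
    """
    results = {}
    for key, hist in history_by_key.items():
        if not has_enough_history(hist):
            results[key] = "inactive"
            continue
        fired = evaluate(live_by_key.get(key, 0), learn_baseline(hist), direction, sensitivity)
        results[key] = "fired" if fired else "ok"
    return results


# Constructed sample data: 168 hourly buckets per host (7 days), not real logs.
STEADY = [100 + (i % 5) for i in range(WINDOW)]            # hovers around 102
GAPPY = [None if i % 5 == 0 else 100 for i in range(WINDOW)]  # ~80% coverage, below 90%
SAMPLE_HISTORY = {"host-a": STEADY, "host-b": GAPPY, "host-c": STEADY}
SAMPLE_LIVE = {"host-a": 400, "host-b": 100, "host-c": 103}   # host-a spikes


def run_example():
    """Evaluate the constructed sample with direction 'more' at sensitivity 3."""
    return evaluate_grouped(SAMPLE_HISTORY, SAMPLE_LIVE, "more", 3.0)


if __name__ == "__main__":
    for key, state in run_example().items():
        print(f"{key}: {state}")
```

The per-key loop is the point: host-a fires against its own baseline while host-c, with an identical history and a normal live count, does not, and host-b never reaches evaluation because its window misses the coverage rule. Running the same sample with direction "less" and a live count of 90 for host-a shows the other deviation direction.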
Limitations
The machine-learning model establishes a baseline for every group-by key in your alert definition. The baseline is rebuilt daily from the past 7 days of data and applied for the following 24 hours, and it covers at most 500 group-by permutations.
Next steps
Monitor specific datasets for threshold conditions with Dataset alerts.