Anomaly detection alerts
Detect unusual metric behavior without defining static thresholds. Anomaly detection alerts learn normal patterns from your data and notify you when a metric deviates from expected behavior.
These alerts use artificial intelligence algorithms to analyze incoming metrics and predict expected behavior for the next 24 hours.
For example, use anomaly detection alerts to identify when a transaction's response time becomes unusually high or when a host's outgoing traffic exceeds typical levels, indicating a potential performance or security issue.
These alerts use Streama technology, which lets them run on the Coralogix monitoring pipeline at a third of the cost, without prior indexing.
Create an alert
Set up a metrics-based anomaly detection alert.
- Go to Alerts, then Alert Management.
- Select New Alert.
- When you define alert conditions, select:
  - More than usual, or
  - Less than usual
- Define the alert conditions.
- (Optional) Configure advanced settings, including custom evaluation delay and percentage deviation.
- Finalize the alert setup.
Data requirements
Anomaly detection requires sufficient historical data to establish a reliable baseline.
- The model trains on the previous 7 days of metric data.
- At least 90% of this 7-day period must contain data.
- This requirement applies to the training data window, not to the alert evaluation window.
If this requirement is not met, the baseline is not created and anomaly detection is not applied.
When the alert becomes active
The 7-day requirement applies to the metric history, not the alert age. If the metric already has more than 7 days of history when you create the alert, the alert becomes active within approximately 24 hours (after the next daily model build). You do not need to wait 7 days from alert creation.
If the metric has fewer than 7 days of history at alert creation time, the alert becomes active once 7 days of history have accumulated.
Changes that trigger a new learning period
Some changes to an alert definition cause the model to retrain, which restarts the 7-day learning period and temporarily disables the alert. Other changes do not affect the model.
Changes that trigger a new learning period:
- Creating a new anomaly detection alert
- Changing the metric query, filter, or PromQL expression
- Changing core condition logic that defines the time series being modeled
Changes that do not trigger a new learning period:
- Changing the deviation percentage or sensitivity
- Changing notification settings, labels, or suppression rules
- Changing the alert name or priority
Plan changes to the metric query carefully. Editing the query retrains the model and leaves the alert inactive for the duration of the new learning period.
Limitations
The machine-learning model establishes the baseline for each group-by key in your alert definition.
- The baseline is applied daily for the next 24 hours.
- The model uses data from the past 7 days.
- The system supports a maximum of 500 permutations per metric.
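The data requirements and the limits above can be checked before relying on an alert. The following is an added example, not Coralogix code: it takes metric samples you have exported yourself and reports which group-by series fall under 90% coverage of the 7-day training window and whether the group-by cardinality exceeds 500. The 1-hour bucket size, the per-series coverage calculation, and the names `preflight` and `constructed_samples` are assumptions; the page does not state how coverage is measured.

```python
from datetime import datetime, timedelta, timezone

TRAINING_WINDOW = timedelta(days=7)  # from the page: model trains on the previous 7 days
MIN_COVERAGE = 0.90                  # from the page: at least 90% of the window must contain data
MAX_PERMUTATIONS = 500               # from the page: maximum permutations per metric
BUCKET = timedelta(hours=1)          # ASSUMPTION: coverage is counted in 1-hour buckets


def preflight(samples, now, bucket=BUCKET):
    """samples: iterable of (timestamp, group_key); group_key is a tuple of
    group-by label values. Coverage is computed per group key (assumption)."""
    start = now - TRAINING_WINDOW
    total_buckets = int(TRAINING_WINDOW / bucket)
    seen = {}  # group_key -> set of bucket indexes that contain a sample
    for ts, key in samples:
        if start <= ts < now:  # only the training window counts
            seen.setdefault(key, set()).add(int((ts - start) / bucket))
    coverage = {key: len(b) / total_buckets for key, b in seen.items()}
    return {
        "permutations": len(seen),
        "over_permutation_limit": len(seen) > MAX_PERMUTATIONS,
        "coverage": coverage,
        # series that would get no baseline, so anomalies on them raise nothing
        "no_baseline": sorted(k for k, c in coverage.items() if c < MIN_COVERAGE),
    }


def constructed_samples(now):
    """Constructed data: one sample per hour for three hypothetical hosts."""
    start = now - TRAINING_WINDOW

    def hourly(host, missing):
        return [(start + timedelta(hours=h, minutes=5), (host,))
                for h in range(168) if h not in missing]

    return (hourly("host-a", set())                    # complete history
            + hourly("host-b", set(range(48)))         # first 2 days missing
            + hourly("host-c", set(range(100, 116))))  # 16-hour outage


if __name__ == "__main__":
    now = datetime(2024, 1, 8, tzinfo=timezone.utc)
    report = preflight(constructed_samples(now), now)
    for key, cov in sorted(report["coverage"].items()):
        status = "NO BASELINE" if key in report["no_baseline"] else "ok"
        print(f"{key[0]}: {cov:.1%} of training window covered -> {status}")
    print("permutations:", report["permutations"], "limit:", MAX_PERMUTATIONS)
```

A series listed under `no_baseline` is a monitoring gap: for example, a host whose outgoing-traffic metric only started reporting two days into the window is not covered by the alert until its history fills in.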
Next steps
Set up custom webhook notifications for your metric alerts in Custom webhooks: metric alerts.
Support
Reach our customer success team 24/7 via the in-app chat or by email at [email protected].