Anomaly detection alerts
Anomaly detection alerts use artificial intelligence algorithms to analyze incoming logs and predict their expected behavior for the next 24 hours. When a log falls above or below the predefined threshold, something unusual may have occurred, which is an opportunity for corrective action.
For example, an anomaly detection alert can help you discover when a transaction's response time exceeds its usual duration, allowing you to pinpoint and address performance bottlenecks. Or it can alert you when the outgoing traffic of a host exceeds its usual levels, indicating a potential security breach.
Dynamic alerts are powered by our Streama© technology, which allows them to run on the Coralogix monitoring pipeline at a third of the cost, without prior indexing.
Create an alert
Set up a logs-based anomaly detection alert to notify you if a log exceeds an AI-generated baseline threshold.
1. Access Alerts, then Alert Management. Click Create Alert.
2. When defining your alert conditions, choose to be alerted when an event is more than usual compared to the baseline.
3. Define the alert conditions.
4. Add one or more group-by keys. An alert is triggered whenever the condition threshold is met for a specific aggregated key within the specified time window. Our machine-learning model establishes the baseline for every group-by key.
5. [Optional] Configure the advanced settings, including a custom evaluation delay and percentage deviation.
6. Finalize the alert setup.
Data requirements
Anomaly detection requires sufficient historical data to establish a reliable baseline.
- The model trains on the previous 7 days of log data.
- At least 90% of this 7-day period must contain data.
- If the log source already has 7+ days of history when you create the alert, the alert becomes active within approximately 24 hours after the next daily model build.
Changes that trigger a new learning period
- Creating a new anomaly detection alert
- Changing the query or filter
- Changing core condition logic that defines the data being modeled
Changes that do not trigger a new learning period
- Changing the deviation percentage or sensitivity
- Changing notification settings, labels, or suppression rules
- Changing the alert name or priority
Plan changes to the query carefully. Editing the query retrains the model and leaves the alert inactive for the duration of the new learning period.
Limitations
The machine-learning model establishes the baseline for your logs for every group-by key in your alert definition. It is rebuilt daily and applied for the next 24 hours, uses data from the past 7 days, and covers at most 500 group-by key permutations.
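The rules above (a 7-day training window with at least 90% data coverage, one baseline per group-by key, a percentage deviation around the baseline, a cap of 500 permutations, and the more-than-usual condition from the setup steps) can be illustrated with a small evaluator. The code below is an added example written for this page; it is not Coralogix's Streama model or any part of the product, and it replaces the proprietary model with a plain per-hour-of-day mean. The host names, hourly counts, the choice of "first 500 keys by name" as the permutation cap, and the `evaluate` signature are all assumptions made for the illustration.

```python
"""Toy per-group-by-key baseline evaluator (added illustration, not Coralogix code).

Mirrors the documented rules with a simple mean baseline:
  - trains on the previous 7 days of hourly counts
  - requires >= 90% of the 7-day window to contain data
  - keeps one baseline per group-by key, at most 500 keys
  - fires when the observed count deviates by more than a percentage
"""
from collections import defaultdict
from statistics import mean

TRAINING_DAYS = 7
HOURS_PER_DAY = 24
MIN_COVERAGE = 0.90      # at least 90% of the 7-day window must contain data
MAX_PERMUTATIONS = 500   # cap on distinct group-by key combinations


def data_coverage(series):
    """Fraction of hourly buckets in the 7-day window that contain data.

    `series` is a list of TRAINING_DAYS * HOURS_PER_DAY values; None marks a
    bucket with no data at all.
    """
    expected = TRAINING_DAYS * HOURS_PER_DAY
    present = sum(1 for v in series if v is not None)
    return present / expected


def build_baseline(history):
    """history: {group_key: [hourly counts over 7 days, None = missing]}.

    Returns {group_key: [expected count for each hour of day]} for keys that
    satisfy the coverage rule. Keys past the permutation cap are dropped
    (assumption for this example: the first 500 keys sorted by name are kept).
    """
    baselines = {}
    for key in sorted(history)[:MAX_PERMUTATIONS]:
        series = history[key]
        if data_coverage(series) < MIN_COVERAGE:
            continue  # insufficient history: alert stays inactive for this key
        by_hour = defaultdict(list)
        for i, v in enumerate(series):
            if v is not None:
                by_hour[i % HOURS_PER_DAY].append(v)
        baselines[key] = [mean(by_hour[h]) if by_hour[h] else 0.0
                          for h in range(HOURS_PER_DAY)]
    return baselines


def evaluate(baselines, key, hour, observed, deviation_pct=50.0,
             more_than_usual=True):
    """Compare one observed hourly count with the key's baseline.

    Returns (triggered, expected). A key without a baseline never triggers,
    matching an alert that has not finished its learning period.
    """
    if key not in baselines:
        return False, None
    expected = baselines[key][hour]
    if more_than_usual:
        return observed > expected * (1 + deviation_pct / 100), expected
    return observed < expected * (1 - deviation_pct / 100), expected


def constructed_history():
    """Constructed sample data (not real logs): hourly counts for two hosts.

    host-a has a full 7 days with a business-hours pattern; host-b is missing
    its last 2 days, so its coverage (120/168 = 71%) is below the 90% rule.
    """
    full = []
    for i in range(TRAINING_DAYS * HOURS_PER_DAY):
        hour = i % HOURS_PER_DAY
        base = 200 if 9 <= hour < 18 else 50   # busier during business hours
        full.append(base + (i % 3))            # small deterministic jitter 0..2
    sparse = full[:5 * HOURS_PER_DAY] + [None] * (2 * HOURS_PER_DAY)
    return {"host-a": full, "host-b": sparse}


if __name__ == "__main__":
    hist = constructed_history()
    bl = build_baseline(hist)
    for key in hist:
        print(f"{key}: coverage={data_coverage(hist[key]):.2f} "
              f"baseline={'ready' if key in bl else 'not ready'}")
    # A spike of 320 events at 10:00 against an expected 201 exceeds +50%.
    print(evaluate(bl, "host-a", 10, 320))
    print(evaluate(bl, "host-a", 10, 290))
    print(evaluate(bl, "host-b", 10, 320))
```

Running the script shows host-b's baseline as "not ready", which is the behaviour described under Data requirements: until the coverage rule is met the key cannot trigger. Note that the same consequence follows from the retraining rule above, since changing the query resets the history the baseline is built from.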
Related resources
Next steps
Monitor specific datasets for threshold conditions with Dataset alerts.
Support
Reach our customer success team 24/7 via the in-app chat or by email at [email protected].