Gradient alert type
The gradient method triggers an alert every time the aggregated value of a grouped element varies significantly from one grouping period/set to the next. This alert type is similar in concept and execution to the deviation type: both use deviations from values to trigger alerts, but they differ in the value used to calculate the deviation. The gradient type measures the deviation from the analogous value of the previous period with data, while the deviation type measures it from the median of the values in the same period. See the following picture for a more visual explanation.
This type of alert is useful when monitoring periodic tasks and their data patterns over time, because it informs you whenever an aggregated value differs too much from its analogous value in the previous period with data.
Keep in mind that these types of alerts aren't triggered when a grouping element has no events in the following period or there is a new value in a grouping element.
What data do I need to create this alert?
To create an alert using this triggering method, your query must group events by at least one grouping key using a time-based option and add an aggregation.
If you did not group, this alert type will not appear for you to select in the alert definition window. If you grouped without the necessary key, used a non-time-based option or did not aggregate, the variables will not appear for you to define and a message will inform you about the requirements you still need to meet.
Configuring the alert
After selecting this type of alert, you have to define two variables.
- Threshold: specifies the proportions of the deviation from the previous value, in other words, the upper and lower bound that must be exceeded for an alert to be triggered. Write the desired number.
- Deviation calculation: specifies the method to calculate the deviation from the previous value, in other words, the way in which the threshold will be considered (either as an absolute value or as a percentage). Select the desired option.
The following formulas describe how the deviation is calculated using absolute values or percentages. In both cases, i represents each of the values of the grouping period. Select the desired one:
abs(current value - previous value) > threshold
Using an absolute value means that the threshold specified will be considered as the number above and below which the alert will be triggered. For example, if the value of the previous period is 100 and the threshold specified is 50, an alert will be triggered if the analogous value of the next period is above 150 or below 50.
When using absolute values, it is important to use a threshold that is consistent with the range of values; otherwise you might trigger alerts constantly or hardly ever.
abs(current value - previous value) > threshold / 100 * previous value
Using a percentage means that the threshold specified will be considered as the percentage of the previous value above and below which an alert will be triggered. For example, if the previous value is 200 and the threshold specified is 25, an alert will be triggered if the analogous value of the next period is above 250 or below 150.
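The two comparisons above, modelled in Python as an added example (not the platform's own code); the function name `gradient_alerts`, the row layout and the sample counts are assumptions made for illustration. It also covers the rule that a new grouping element, or a period without events, triggers nothing, and that the comparison is made against the previous period with data.

```python
def gradient_alerts(rows, threshold, mode):
    """Return (period, key, previous, current, difference) for each alert.

    rows: (period, grouping_key, aggregated_value) tuples, one per grouping
    element and period that actually had events (hypothetical layout).
    mode: "absolute" or "percentage", the two deviation calculations.
    """
    if mode not in ("absolute", "percentage"):
        raise ValueError("mode must be 'absolute' or 'percentage'")
    last_value = {}   # grouping key -> value in its previous period with data
    alerts = []
    for period, key, current in sorted(rows, key=lambda r: r[0]):
        previous = last_value.get(key)
        last_value[key] = current
        if previous is None:
            continue  # new grouping element: nothing to compare against
        if mode == "absolute":
            limit = threshold
        else:
            limit = threshold / 100 * previous
        difference = current - previous
        if abs(difference) > limit:
            alerts.append((period, key, previous, current, difference))
    return alerts


# Constructed sample: count of 404 responses per client IP per 30-minute period.
SAMPLE = [
    ("2024-05-01T10:00", "192.0.2.10", 200),
    ("2024-05-01T10:30", "192.0.2.10", 240),    # +40, within 25% of 200
    ("2024-05-01T11:00", "192.0.2.10", 310),    # +70, beyond 25% of 240
    ("2024-05-01T10:00", "198.51.100.7", 100),
    # 198.51.100.7 has no events at 10:30, so no row and no evaluation
    ("2024-05-01T11:00", "198.51.100.7", 40),   # -60 against the 10:00 value
    ("2024-05-01T11:00", "203.0.113.5", 900),   # first appearance: no alert
]

if __name__ == "__main__":
    for alert in gradient_alerts(SAMPLE, 25, "percentage"):
        print("percentage:", alert)
    for alert in gradient_alerts(SAMPLE, 65, "absolute"):
        print("absolute:", alert)
```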
Using column values in the Summary and Description
The $columnName command used to display column values in the Summary and Description fields can be employed with the columns and properties below. Using a different one will not activate the command and will be interpreted as plain text.
| Column | Description |
|---|---|
| $eventdate | You can use this column to display the moment in time at which the events that triggered the alert were received. |
| Grouping columns | You can use the columns added as arguments in the grouping operation (for example, the $responseTime command will be valid only if the responseTime column is added as an argument when grouping your data). |
| Aggregation columns | You can use the columns that result from the aggregation operation (for example, the $count command will be valid only if a count aggregation operation is performed and the resultant column is named as count). |
| $difference | Even though it is not a column, it can be used to display the difference in value from one period to the next. |
In the demo.ecommerce.data table, imagine that you want to receive an alert whenever the number of events received for client IP addresses displaying the 404 status code is 25% higher or lower than the one in the previous 30-minute period.
First of all, you need to filter your query data using the Equal (eq, =) operation, group your query data by two keys using a time-based option and then aggregate it. Then, you need to open the alert definition window, select the gradient type alert and fill in all the details (pay special attention to the specific settings of this alert type).
To save time, you can copy the following query to reproduce the aforementioned example from the demo.ecommerce.data sample table and create a gradient type alert.
from demo.ecommerce.data where statusCode = 404 group every 30m by clientIpAddress, statusCode every 30m select count() as count