Anomaly Detection

Introduction:

This section is common to all the editions of IT360 - Professional Edition, Enterprise Edition [Probes only] and MSP Edition [Probes only].

Anomaly detection helps you know, if there is a gradual performance degradation, by defining Anomaly Profiles, on Performance metrics. By creating the Anomaly profiles, you can define rules, wherein the current data is compared with the previously reported best data.

For e.g., if the load on the Server increases over a period of time, response time will gradually be affected. By using Anomaly detection, you would be able to detect this performance problem.

How does Anomaly Detection Work?

Anomaly profiles can be created based on the following;

Anomaly Detection Flow Diagram:

anomaly-flow

Top

Baseline Values:

Anomaly happens, when the current set of values don't conform to the baseline range values. Current Attribute values are compared against the reported data in a particular week [Baseline week].

Define Baseline - The Baseline week can be calculated based on the following values;
- Fixed Value: The week where the system has performed very well [there has been less number of alarms] will be chosen as reference/ baseline data range. After choosing the week for baseline comparison, then each day's value will be compared with the corresponding day of the baseline week. For eg. If you choose week 1 of August as baseline week, then every Monday's data will be compared with August week1's Monday values. Another usecase can be for festive time load. Anomaly profiles can be created for Christmas Holiday weekend and the performance metrics can be compared to know how effectively the system has performed.
- Moving Value: Instead of fixing a baseline week, Previous week's reported data can be selected for comparison. Here, the baseline value will be changing according to the previous week's data.
Specify the Anomaly criteria - Set the upper limit and lower limit range, to compare the current data with the baseline values.

Baseline data range will be formed, based on the upper and lower limit values. These values can be used as %, or as hard coded values. For e.g., if the baseline value is 70 and if you had provided 10% as criteria for both upper and lower limits, then the base line range will be between 64 to 77. Similarly, if you had provided the criteria as 10, then the range will be between 60 to 80.
Working - After comparing with the baseline data, if the current hour value does not fall between the upper limit and lower limit values configured, then alarms will be generated.

Lets set Aug 1st week of 2009, as the baseline data range.
Anomaly range is defined as 10% upper limit and 10% lower limit.
The deviation is calculated based on hourly values. So at 11 A.M, Tuesday of the Second Week, the Memory Utilization value will be compared with the values present at 11 AM, Tuesday of the Ist week. If the value deviates from the upper limit or lower limit, then an alarm will be generated.
After creating the Anomaly profile, you have to associate the anomaly profile to the concerned attributes.

Custom Expressions:

Anomaly is detected, when current data doesn't conform to the user defined rules [based on system variables]. For e.g., you can create a rule like Anomaly is to be detected, when the current Last Hour Average Value is greater than twice the Six Hours Moving Average Value. Critical and Warning alarms can be set accordingly.

The system variables that can be used for forming custom expressions are;

Expressions	Meaning
$10D_MVA	Ten Days Moving Average
$LastHourValue	Last Hour Average
$6H_MVA	Six Hours Moving Average
$30D_MVA	Thirty Days Moving Average
$10H_MVA	Ten Hours Moving Average
$7D_MVA	Seven Days Moving Average

Top

Steps to Create an Anomaly Profile based on Baseline values / Custom Expressions:

Follow the below steps to create an Anomaly profile;

Go to 'Admin --> Servers & Applications ->Thresholds'.
Click the Anomaly Profile tab. Click on the given link, under either of the sections 'Anomaly Profile : Baseline Values' or 'Anomaly Profile : Custom Expression'. Click Continue, in the page displayed.

Now, in the Anomaly profile page displayed, enter the below details;
1. Give an Anomaly Profile Name, for the new Anomaly profile, you want to create.
2. Choose the type of baseline calculation, by choosing either of the Baseline Values or Custom Expression values, from the Detect Anomaly Based On field.
3. If you choose Baseline Values, enter the following information;
  - For baseline calculation, Set Baseline Data Range, i.e. choose the week, whose data will be used for baseline calculation. You can choose between the Fixed baseline value [the appropriate week, month and year of Report data], or moving baseline value which is based on the Previous week's data.
  - Define the allowed deviation from the baseline in the Anomaly When field. Alarms can be generated, either based on percentage of upper limit lower limit values, or straightaway on hard coded comparison values. The generated Alarm will be cleared if the value falls in the baseline range [that is checked every hour]. Alarm can be critical or warning.
  - Select the comparison method:
    - The recommended method would be to Compare last hour value directly with baseline value. Here, While comparing, hourly value will be taken into consideration and compared with the baseline value directly.For eg: Say if current time is 10:00 AM , Monday and if baseline date range is week 2. Then week 2 , Monday 10:00 AM value will be taken for comparison and upper and lower limits will be applied as per the user configuration.
    - The other method would be to Compare values based on the corresponding difference with the previous hour. While comparing, the corresponding difference in hourly values would be taken into consideration.
      For eg: If current time is 10:00 AM, we will take the difference between the values at 10:00 AM and 9:00 AM for comparison. A similar approach will be used for getting the baseline values.

If you choose Custom Expression, enter the following information;

Define the Custom expressions in the Anomaly When field; specify the LastHourValue that should be >, <, >=, <=, =, or !=, the given expression [e.g. '(10*$30D_MVA)-($7D_MVA+25)']. Then, click the Generate link. Alarm (either critical or warning) will be generated, if the expression you have entered is satisfied.

Note: Click on the Available System Variables link, to know the different Options for Expressions and the corresponding Meanings (Shown in the below screenshot).

Finally, click 'Create Anomaly profile'.

Top

Steps to Associate an Anomaly Profile and Action with an Attribute:

Follow the steps given below to associate an Anomaly Profile and an action with an attribute;

Click on the My Dashboard tab.
Click the Business Service View link. This lists the Monitors in it.
Click the Monitor, whose attributes, threshold, and actions must be associated. The respective monitor details page is displayed.

Choose the attributes, for which you want to configure alarms. Click on the respective Configure Alarms link.

Threshold Details and Anomaly Details will be listed. Click on the Anomaly Details tab.
To associate an Anomaly profile, select the required Anomaly profile from the Associate Anomaly Profile combo box.
Select the 'Apply to similar monitors' checkbox, to apply the selected Anomaly profile of the chosen attribute to the similar type of existing monitors. For this, do the following;
- Select the required monitor(s), for which you want to apply the selected Anomaly profile, from the Available Monitors list box, and move them to the Selected Monitors list box, by using the <, >>, <, << icons.
Click on Save. The alarm, configured, will be saved.

Note: A particular monitor's health will be made critical and email notification will be sent, only if the user had associated an email action to the health of the dependant attribute.

Top

Anomaly Dashboard:

This dashboard facilitates viewing through all the performance metrics and helps in easy troubleshooting. It helps the user to intuitively scan through the hundreds of performance metrics with ease.

You can access the Anomaly Dashboard in the below stated ways;

From Dashboard:

Click on the My Dashboard tab.

Click the Business Service View link. This lists the Monitors in it.

Click the Monitor, whose Anomaly Dashboard you wish to access.

Click on the Anomaly Dashboard link, to access the Anomaly dashboard.

From 'Alarms' Tab:

Click on the Alarms tab. Under this, all alarms, whose health have turned critical are listed.

Click on Alarm message link of the required monitor, which takes you to the Alarm Details page.

Click on the Anomaly Dashboard icon in Alarm History table. It takes you the Anomaly Dashboard page (Shown below).

In Anomaly Dashboard, You can choose to Show only critical monitors or Show All monitors.

Note: Critical state is based on the Anomaly profile associated to the attribute of the monitor.
Base Metrics: It shows the response time details and all other metrics, by using current time, but you can also customize it by using the icon. You can change the attribute and time. Note: The chosen time is used in all other calculation, such as last hour value, 12 hour average, etc.
Graphs: Last polled is last hour value. Last 12H is last 12 hour average values, in graphical format [ SparkSeries]. 7DH Seg is shown as bar graph [Sparkline]. You can click the values in each column, to view the detailed report.
After associating anomaly profile to an attribute of a monitor, if the profile rule is violated, the monitor becomes critical and background of 12 hour graph will be red in color. By clicking on the column, you can see the detailed report, like when anomaly value was reached, etc.

Note: If the health of any Attribute / Monitor Group / Monitor has turned critical, or if the availability is down, click on the or icon, from the Alarm Details page, to view the root cause analyser.

Top