Anomaly Metrics

Anomaly metrics in the Edge Delta web application.

Overview

The Metrics - Anomalies page displays pattern-based anomalies. These anomalies come from the configuration of your monitors and processors, and from your Kubernetes environment.

Filter Data

You can filter the data shown on the Metrics - Anomalies page:

To specify the lookback period, click Lookback.

  • To view data for a relative time frame, such as 1 hour, 4 hours, 1 day, etc., click Relative.
  • To view data for a specific time frame, such as from February 1, 2022, at 1:15PM to February 7, 2022, at 1:14PM, click Custom.

In the Filters pane, filter by Agent Tag, Source Type, Source and Host.

Above the Insights graph there are additional filters:

  • Group By: This option groups (filters) the data by data source. The listed data sources depend on the selected tag and source type.

  • Previous Period: This option displays an icon (a triangle) in the graph to indicate whether detections of the signal, finding, or event increased or decreased compared to the previous lookback period.

  • 7d Prior: This option displays an icon (an inverted triangle) in the graph to indicate whether detections of the signal, finding, or event increased or decreased compared to the same period one week earlier.

  • 24h Prior: This option displays an icon (a square) in the graph to indicate whether detections of the signal, finding, or event increased or decreased compared to the same period one day earlier.

Insights and Anomalies Graph

The insights and anomalies graph can switch between a Timeline graph and a Bar graph. It can also filter on Monitor Findings, Processor Signals, and Kubernetes Events:

Bar Graph

  • Name: This data represents the name of the processor whose configuration triggered the signal.
  • Count: This data represents the number of times that the signal was triggered.
  • Timestamp: This data represents the date and time when the signal was triggered.

Timeline Graphs

Processor Signals

  • Severity: This data displays low, medium, or high to indicate the severity of the signal. Most signals are medium severity.
  • EDAC: This data represents the unique, internal ID used to reference the signal.
  • Timestamp: This data represents the date and time when the signal was triggered.
  • Rule: This data represents the name of the processor that triggered the signal.

Monitor Findings

  • Severity: This data displays low, medium, or high to indicate the severity of the finding. Most findings are medium severity.
  • Causes: This data represents the monitor or custom metric that triggered the finding.
  • Finding ID: This data represents the unique, internal ID used to reference the finding.
  • Timestamp: This data represents the date and time when the finding was triggered.
  • Rule: This data represents the name of the rule that triggered the finding.

Kubernetes Events

To view events in the graph, you need to select Monitor Findings or Processor Signals, as well as Kubernetes Events.

  • The green text displays a brief description of the detected event.
  • Timestamp: This data represents the date and time when the event was detected.
  • Agent Tag: This data represents the tag associated with the agent configuration that reported the event.
  • Namespace: This data represents the name of the namespace where the event was detected.
  • Controller Logical Name: This data represents the name of the controller that observed the event.
  • Container Name: This data represents the name of the Kubernetes container where the event was detected.

Findings Graph

The Findings Graph can filter on three data types:

Processor Signals

A signal is a processor-based anomaly. In other words, signals are based on a processor's configuration. Specifically, when a processor computes an anomaly score that is higher than its configured threshold, a signal is created and displayed on this page. Signals are the most common type of anomaly. To learn more, see Processors.

Monitor Findings

A finding is a monitor-based anomaly. In other words, findings are based on a monitor’s configuration. There are 3 default monitors with every account:

  • Pattern Check: This monitor checks for anomalies in the patterns / clustering behavior.
  • Pattern Skyline: This monitor checks for anomalies in the patterns / clustering behavior.
  • Correlated Finding: This monitor checks for large spikes in the rate of signals. For example, if your account typically experiences 5 anomalies per hour, and 100 anomalies are detected, then a correlated finding will trigger.

To learn more about monitors, see Monitors.
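The Correlated Finding description above gives the idea (a spike in the rate of signals relative to the account's usual rate) but not the real baseline window or threshold. The following is an added illustration of that idea, not Edge Delta's implementation: it buckets constructed signal timestamps into hourly counts, takes the median of the preceding hours as the baseline, and flags the current hour when it exceeds an assumed factor and floor. `BASELINE_HOURS`, `SPIKE_FACTOR`, `MIN_SIGNALS`, `NOW_HOUR` and the sample timestamps are all assumptions of this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Dict, List, Tuple

# Added illustration, not Edge Delta's code. The page says a correlated
# finding fires when the signal rate spikes far above the account's usual
# rate, but gives no baseline window or threshold; these are assumed.
BASELINE_HOURS = 24   # hours of history used for the baseline
SPIKE_FACTOR = 10     # current hour must be >= factor * baseline
MIN_SIGNALS = 20      # floor so that 0 -> 3 signals is not a "spike"


def hourly_counts(signal_timestamps: List[str]) -> Dict[datetime, int]:
    """Bucket ISO 8601 signal timestamps into per-hour counts (UTC)."""
    counts: Counter = Counter()
    for ts in signal_timestamps:
        hour = datetime.fromisoformat(ts).astimezone(timezone.utc)
        counts[hour.replace(minute=0, second=0, microsecond=0)] += 1
    return dict(counts)


def correlated_finding(counts: Dict[datetime, int], now_hour: datetime,
                       baseline_hours: int = BASELINE_HOURS,
                       factor: int = SPIKE_FACTOR,
                       min_signals: int = MIN_SIGNALS) -> Tuple[bool, float, int]:
    """Return (triggered, baseline_per_hour, current_hour_count).

    The baseline is the median of the preceding hours (missing hours count
    as zero), so one earlier burst does not inflate it.
    """
    current = counts.get(now_hour, 0)
    history = [counts.get(now_hour - timedelta(hours=h), 0)
               for h in range(1, baseline_hours + 1)]
    baseline = median(history)
    triggered = current >= min_signals and current >= factor * max(baseline, 1)
    return triggered, baseline, current


def constructed_signals(per_hour: int, current_hour: int,
                        now_hour: datetime) -> List[str]:
    """Constructed sample data: `per_hour` signals in each of the previous
    24 hours, then `current_hour` signals in the current hour."""
    stamps: List[str] = []
    for h in range(1, 25):
        start = now_hour - timedelta(hours=h)
        stamps += [(start + timedelta(minutes=(m * 7) % 60)).isoformat()
                   for m in range(per_hour)]
    stamps += [(now_hour + timedelta(minutes=m % 60)).isoformat()
               for m in range(current_hour)]
    return stamps


NOW_HOUR = datetime(2022, 2, 7, 13, 0, tzinfo=timezone.utc)  # assumed "now"


def run_example(current_hour_count: int) -> Tuple[bool, float, int]:
    """The page's scenario: about 5 signals per hour, then N in one hour."""
    stamps = constructed_signals(5, current_hour_count, NOW_HOUR)
    return correlated_finding(hourly_counts(stamps), NOW_HOUR)


if __name__ == "__main__":
    print(run_example(100))  # 100 signals against a baseline of 5: triggered
    print(run_example(7))    # 7 signals: below the floor, not triggered
```

With 5 signals in each of the previous 24 hours, a current hour of 100 signals triggers (20 times the baseline), while 7 signals does not because it is under the `MIN_SIGNALS` floor. Using a median rather than a mean for the baseline is the usual choice for this kind of detector, since a single earlier incident would otherwise raise the bar for the next one.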

Kubernetes Events

An event is a Kubernetes-based anomaly. By default, Edge Delta consumes Kubernetes system events, and then displays those events on the Insights page.

Processor Signals Table

The Processor Signals table includes the following data:

  • Timestamp: This column displays the date and time that the signal was detected.

  • EDAC (Edge Delta Anomaly Context): This column displays an internal identification, which is also known as a capture ID.

  • Metric: This column displays the metric whose configuration triggered a signal. A metric is configured via a processor.

  • Host: This column displays the host name where the agent is deployed.

  • Tag: This column displays the tag associated with the agent configuration that triggered the signal.

  • Source: This column displays the source file, directory, or container of the signal.

  • Actions: When you click Actions, the Investigation page opens to view detailed information for the selected signal. This page also displays contextual logs and log patterns.

Monitor Findings Table

The Monitor Findings table includes the following data:

  • Timestamp: This column displays the date and time that the finding was detected.
  • Finding ID: This column displays an internal identification.
  • Cause: This column displays the monitor or custom metric that triggered the finding.
  • Tag: This column displays the tag associated with the agent configuration that triggered the finding.
  • Source: This column displays the source file, directory, or container of the finding.
  • Actions: When you click Actions, you are redirected to the Patterns page. This page is filtered to display data for the tag and source that relate to the selected finding.

Kubernetes Events Table

The Kubernetes Events table includes the following data:

  • Timestamp: This column displays the date and time that the event was detected.
  • Event ID: This column displays an internal identification.
  • Description: This column displays a description of the event.
  • Agent Tag: This column displays the tag associated with the agent configuration that reported the event.
  • Source: This column displays the source file, directory, or container of the event.

Disabling Notifications

You can disable (suppress) notifications for a specific finding. You use the Finding Status setting to:

  • Disable notifications for a specific finding
  • Stop displaying future detections of that finding on the Metrics - Anomalies page

By default, in the Edge Delta App, the button to suppress notifications is hidden. As a result, you must open a URL that includes the specific finding_ID to view the setting in the app.

Locate a Finding ID

  1. Click Findings in the Signals, Findings, and Events table to filter the table.
  2. Locate the desired finding, and then copy the Finding ID.
  3. Additionally, note the Timestamp information.
  4. In a separate browser window or tab, paste the following URL, replacing FINDINGID with the finding_ID you copied:

https://app.edgedelta.com/patterns?pattern_offset=168&pattern_merge_level=Medium&pattern_finding_id=FINDINGID&fb=true&lookback=168h

  6. If you receive an error message about an invalid finding_id, click Filters, expand the date range, and click Apply Filters. If the selected date range does not include the time when the finding was detected, the finding_id is treated as invalid.
  7. Disable Finding Status.
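The procedure above builds the URL by hand and then adjusts the date range if the app reports the finding_id as invalid. The added example below (not Edge Delta's code) builds the same URL and sizes the lookback from the finding's Timestamp up front, so the range always covers the finding; it also rejects a pasted Finding ID that could inject extra query parameters. The base URL and parameter names are copied from the URL on this page; the assumptions are that `lookback` is an hour count measured back from the current time, that `pattern_offset` should stay equal to the lookback hours (the page's URL has both at 168), and that Finding IDs consist of letters, digits, `-` and `_`.

```python
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode

# Added example, not Edge Delta's code. Base URL and parameter names come
# from the URL shown on this page; their server-side meaning is not
# documented here, so the following are assumptions of this example:
#   - lookback is a number of hours measured back from the current time
#   - pattern_offset is kept equal to the lookback hours (both are 168
#     in the page's URL)
BASE_URL = "https://app.edgedelta.com/patterns"
DEFAULT_LOOKBACK_HOURS = 168
MERGE_LEVEL = "Medium"

# Assumed Finding ID alphabet (the page does not specify the format).
# Rejecting anything else keeps a pasted value such as "abc&fb=false"
# from smuggling extra query parameters into the URL.
FINDING_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def is_valid_finding_id(finding_id: str) -> bool:
    return FINDING_ID_RE.fullmatch(finding_id) is not None


def lookback_hours_for(finding_ts_iso: str, now_iso: str,
                       minimum: int = DEFAULT_LOOKBACK_HOURS,
                       margin_hours: int = 1) -> int:
    """Hours of lookback needed so the date range covers the finding.

    The page notes that a finding_id is reported as invalid when the
    selected date range does not include the time of the finding, so a
    finding older than the 168h default gets a wider lookback. Both
    timestamps must be ISO 8601 with the same timezone awareness.
    """
    finding_ts = datetime.fromisoformat(finding_ts_iso)
    now = datetime.fromisoformat(now_iso)
    if now < finding_ts:
        raise ValueError("finding timestamp is later than 'now'")
    age_hours = int((now - finding_ts).total_seconds() // 3600)
    return max(minimum, age_hours + margin_hours)


def build_finding_url(finding_id: str, finding_ts_iso: str,
                      now_iso: Optional[str] = None) -> str:
    """Build the Patterns URL that exposes the Finding Status setting."""
    if not is_valid_finding_id(finding_id):
        raise ValueError(f"refusing to build a URL for finding_id {finding_id!r}")
    if now_iso is None:
        now_iso = datetime.now(timezone.utc).isoformat()
    hours = lookback_hours_for(finding_ts_iso, now_iso)
    params = {
        "pattern_offset": hours,
        "pattern_merge_level": MERGE_LEVEL,
        "pattern_finding_id": finding_id,
        "fb": "true",
        "lookback": f"{hours}h",
    }
    # urlencode percent-encodes every value, so the ID cannot break the query.
    return f"{BASE_URL}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values, not a real finding.
    print(build_finding_url("abc123", "2022-02-01T13:15:00+00:00",
                            "2022-02-03T13:15:00+00:00"))
```

For a finding two days old the default 168h lookback is kept; for a finding from 1 February viewed on 1 March the lookback widens to 659h (658 full hours of age plus a one-hour margin), which is the adjustment step 6 otherwise asks you to make by hand.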