Customizing Anomaly Detection for Individual Metrics (Advanced)

Moogsoft includes a default set of anomaly detection engines and supported metrics. Each supported metric has a set of anomaly-detection settings that you can configure as needed.

Viewing and editing metric settings

You can view and edit metric settings in two places:

  • Choose Data Config > Ingestion Services and go to the integration: collector, CloudWatch, etc. Then click Configuration and drill down to the metric of interest.

  • Choose Observe > Metrics, select the metric of interest, and then configure the anomaly detection settings in the data point table on the right.

Before you begin

Before you change the default anomaly-detection settings for any specific metric, you should clearly identify and understand the following:

  • The criteria you want to define for normal and anomalous behavior for the metric of interest,

  • The detection engines and the configuration settings described on this page, and

  • The effects of changing the default anomaly-detection behavior for the metric of interest.

It is also good practice to monitor the affected metric closely after you change the detector to ensure that you are getting the detection behavior you want.

Anomaly Detectors

Moogsoft includes the following detectors.

  • Adaptive detector — Useful for metrics with consistent ranges in normal conditions.

  • Threshold detector — Useful for metrics with fixed thresholds for normal vs. anomalous behavior.

Adaptive detector

The Adaptive detector identifies anomalies based on a statistical calculation against a median absolute deviation, which varies over time and determines the high and low thresholds. This detector is useful for metrics where performance does not deviate widely under normal conditions. For example, you might want to observe a specific server and detect sudden spikes or drops in CPU utilization that indicate possible problems with the OS, platform, or mission-critical apps running on that server.

Most supported metrics in Moogsoft use the Adaptive detector by default.

Threshold detector

The Threshold detector identifies anomalies based on a fixed upper and/or lower threshold. This detector is useful for metrics where you know the thresholds for normal and anomalous behavior for a specific host or platform, and these thresholds do not change over time. For example, suppose you want to identify anomalies in the amount of free physical memory on a specific server. You might define a lower bound of 10%, to signal the server might be running out of memory; and an upper bound of 90%, to indicate possible problems with the mission-critical apps running on that server.

Note

Few metrics use the Threshold detector by default. The criteria for normal and anomalous behavior can be highly variable and dependent on the specific metric, monitored host, and other factors. You should carefully consider the thresholds for the metric and host of interest to avoid false positives and false negatives in the anomaly-detection behavior.
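
The following sketch contrasts the two detector styles described above, a band derived from a rolling median absolute deviation and a fixed lower/upper bound. It is an added example, not Moogsoft's implementation: the window size, the multiplier k, the min_mad floor, and all sample values are assumptions constructed for illustration.

```python
from statistics import median

def mad_bounds(window, k=3.0, min_mad=0.5):
    """Return (low, high) = median -/+ k * MAD for one window of samples.

    min_mad is an assumed floor so that a perfectly flat window does not
    collapse the band to zero width and flag every tiny fluctuation.
    """
    med = median(window)
    mad = max(median(abs(x - med) for x in window), min_mad)
    return med - k * mad, med + k * mad

def adaptive_anomalies(series, window=10, k=3.0, min_mad=0.5):
    """Indices whose value falls outside the band built from the preceding window."""
    hits = []
    for i in range(window, len(series)):
        low, high = mad_bounds(series[i - window:i], k, min_mad)
        if not low <= series[i] <= high:
            hits.append(i)
    return hits

def threshold_anomalies(series, lower=None, upper=None):
    """Indices whose value crosses a fixed lower and/or upper bound."""
    return [i for i, x in enumerate(series)
            if (lower is not None and x < lower)
            or (upper is not None and x > upper)]

# Constructed CPU utilization samples (%): steady load, one spike, one drop.
CPU = [22, 24, 23, 25, 21, 23, 24, 22, 23, 24, 23, 71, 24, 23, 5, 23]
# Constructed free physical memory samples (%), checked against the
# 10% / 90% bounds used in the Threshold detector description.
FREE_MEM = [45, 44, 46, 12, 9, 8, 47, 93, 45]
# Constructed flat series: shows why the MAD floor matters.
FLAT = [50] * 10 + [50.2, 58]

if __name__ == "__main__":
    print("adaptive :", adaptive_anomalies(CPU))
    print("threshold:", threshold_anomalies(FREE_MEM, lower=10, upper=90))
    print("flat, floored  :", adaptive_anomalies(FLAT))
    print("flat, no floor :", adaptive_anomalies(FLAT, min_mad=0.0))
```

Because the median and MAD are robust to outliers, the spike at index 11 does not widen the band for the samples that follow it, so the later drop is still caught.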