Skip to main content

Concept explainer: Anomaly detection models in Moogsoft Cloud

Watch a video on Anomaly Detection Models in Moogsoft Cloud.

Moogsoft anomaly detection works out of the box with no configuration. But let’s take a moment to learn how it works, so should you need to tweak the default settings you can do so to produce the result you want.

Moogsoft starts to detect anomalies as soon as the source data is ingested.

Image1_AnomalyDetection.png

That said, it needs to learn how your data behaves before defining what’s normal and what requires attention.

During the learning period, Moogsoft still generates alerts from anomalies, but will not assign severity. All alerts are assigned the UNKNOWN severity level (purple). The default correlation settings will bundle them into incidents, but the best practice is to ignore the clustering at this stage. You may want to edit the scope in your default correlation engine to filter out alerts with the Unknown severity level.

Image2_LearningPeriod.png

Moogsoft has a default detector setting. But should you desire, you can override the default detection model, and pick a different one.

Detection_model_slide.png

The Adaptive Detector is a dynamic thresholding mechanism and is used for all metrics by default. The Adaptive Detector makes a statistical analysis of data against the running median absolute deviation and determines high and low thresholds. It is not following any set pattern, but rather adjusting to changes when a new pattern emerges, and quickly figures out the new norm.

In this example, notice this (point to the upper left yellow dot) is considered an anomaly while these are not because they happen during a peak time. (show a flat line) If you used a fixed threshold you will not be able to do this.

Image4_AdaptiveDetector.png

Let’s see the adaptive detector at work in the environment we just set up.

Image5_AdaptiveDetectoratwork.png

This one uses the adaptive detector, so the anomaly threshold will change as the data distribution changes over time.

Image9_Threshold.png

The threshold detector is an alternative thresholding mechanism. But rather than constantly calculating the norm, it allows you to set fixed thresholds, and Moogsoft will recognize an anomaly whenever the metric goes out of bounds. You can set an upper threshold,

High_Threshold.png

lower threshold,

Low_Threshold.png

or both.

Both_Thresholds.png

Any changes you make will take effect going forward, but won’t affect historical data.

If you have a metric for which this detection mode works better, you can switch from the adaptive detector to the threshold detector in the metric settings.

Metric_Settings.png

So now we know how Moogsoft identifies anomalies. Now, let’s talk about how it considers the level of anomaly. For each anomaly, Moogsoft will assign a color-coded severity level, so an anomaly that is very far from the norm will have the red critical label. As the level of anomaly lessens, the severity label will change to orange, yellow and blue. And of course, you already know that purple means “unknown” due to the fact that Moogsoft is still learning from the incoming data.

Image10_AnomalyLevel.png

Also, aside from the severity levels, Moogsoft assigns a confidence value for each adaptive detector anomaly. This is unrelated to how severe the anomaly is, but more about how certain Moogsoft is about each detected anomaly being an anomaly.

Image11_ConfidenceValue.png

For the adaptive detector, Moogsoft assigns a confidence value between 0-1 by comparing the given anomaly against all the other anomalies for that metric. So the closer the value is to 1, the more confident you can be that the detected anomaly truly requires your attention.

Now you know the anomaly detectors in Moogsoft.

Thanks for watching!