This documentation supports the releases of BMC Helix Operations Management up to December 31, 2021. To view the documentation for the latest version, select 23.1 from the Product version picker.

Viewing anomaly events


You can use the Events page to view anomaly event details, such as the variate policy name and type, the selected metrics that are part of the variate policy, a graphical view of the event progression, and other associated event details.

  • To create, edit, search for, and delete a variate policy, go to Configuration > Variate Policies.
  • To monitor anomaly events, go to Monitoring > Events.



Anomaly details

From the Monitoring > Events page, you can click the anomaly event icon (anomaly_icon.png) to view the Anomaly Details page. The Anomaly Details page shows an anomaly event graph with data points for each metric.

Note: You can customize the Events page table view to show/hide or reorder the columns specific to anomaly events. 

Here is an annotated screenshot of the Anomaly Details page:

Multivariate_anomaly_details.png


You can see the following variate policy details on the page:

  1. Variate policy details: Name, Type (Univariate or Multivariate), Severity (Minor, Major, or Critical), Priority, Status (Open or Closed), Occurred (at time stamp), Modified (at time stamp)
  2. First metric and graph: 
    • For a multivariate policy, the metric with the highest contribution to the anomaly score is displayed on top. 
    • For a univariate policy, there is only one metric and its graph is displayed.
  3. A list of all other contributing metrics, with a graph for each metric.
  4. The metric with the least contribution to the anomaly score is displayed at the bottom.
  5. Click Show Non-contributing Metrics to view the non-contributing metrics. This expander is not shown if all of the top 10 metrics in the policy are contributing to the anomaly score. For more information, see Understanding the multivariate anomaly score.
  6. Band of normality: A grey band that helps you to visualize that the data points are within the normal distribution range.
  7. Anomaly indicator: Indicates the point at which the anomaly occurred.
  8. Anomaly duration indicator: The graphical indicator of the time duration specified in the policy. An anomaly event is generated only if the anomaly persists for the specified duration.
  9. Hover texts: Displays the metric and anomaly details in text bubbles.


FAQs about closed anomaly events

How do I know when an anomaly event was closed?

  1. From the Events page, select the Closed filter to view the list of all closed events.
  2. Click the anomaly event icon (anomaly_black_icon.png) to view the Anomaly Details page.
  3. Hover over the green icon to view the event closed time, as shown in the annotated screenshot. For more information, see Viewing event details.
    Closed_anomaly_event.png

When does an anomaly event get automatically closed?

An anomaly event is closed automatically if you do any of the following:

  • Change the metrics associated with a policy
  • Delete a policy
  • Delete the PATROL Agent associated with the policy
  • Enable the auto-close option in the variate policy settings

Do I need to close an anomaly event manually?

You must close it manually if you have not enabled the auto-close option in the variate policy settings.


Understanding the multivariate anomaly score

In a multivariate policy, all the metrics configured in the policy are analyzed together, and a single anomaly is detected. The anomaly events are displayed in a stacked graphical format.

  • If there are more than 10 metrics in the policy, only the top 10 metrics that contribute to the anomaly are displayed on the Anomaly Details page.
  • If multiple metrics contribute to the anomaly score, they are displayed in order, from the highest contributor at the top to the lowest contributor at the bottom.
  • If some metrics within the top 10 are not contributing to the anomaly score, they are contained within an expander (Show Non-contributing Metrics). You can expand it to view those metric details.
    For example, if you have configured a policy with 10 different metrics (as shown in the figure), all of them are analyzed together, and a single anomaly event is generated. All the 10 metrics are analyzed at the same time, and a single anomaly score is computed.

    view_anomaly_total_metrics.png

    In this example, the anomaly score for the anomaly event is 1.6976399. The following table shows the contribution from each metric to arrive at the anomaly score:

    Contributing metrics in the table
    • The metric in row 10 (Total) is a non-contributor as its score is zero.
    • The metric in row 2 (Used) in the table has a spike value of ~10.47, but at the same time, all the other metrics are behaving normally. Hence, it is not an anomaly data point.
    • The metrics in rows 5 to 9 in the table contribute only minimally to the overall abnormality score. However, if a univariate policy had been configured with these same metrics (rows 5 to 9), they would have been noted as anomalous points independently.

    | Row | Metric identifier | Metric score | Contributor | Metric graph |
    |-----|-------------------|--------------|-------------|--------------|
    | 1 | __name__=vmUsed,entityId=a4c0e83f-ac6f-497b-86cd-c646b90d7f89:NUK_Memory:NUK_Memory,hostname=ai-ml-host94.abc.com | 0.6220732844489766 | ✅️ | view_anomaly_vm_used.png |
    | 2 | __name__=Used,entityId=a4c0e83f-ac6f-497b-86cd-c646b90d7f89:NUK_Memory:NUK_Memory,hostname=ai-ml-host94.abc.com | 0.5837307306884533 | ✅️ | view_anomaly_used.png |
    | 3 | __name__=Free,entityId=a4c0e83f-ac6f-497b-86cd-c646b90d7f89:NUK_Memory:NUK_Memory,hostname=ai-ml-host94.abc.com | 0.5813340459335296 | ✅️ | view_anomaly_free.png |
    | 4 | __name__=vmUtilization,entityId=a4c0e83f-ac6f-497b-86cd-c646b90d7f89:NUK_CPU:NUK_CPU,hostname=ai-ml-host94.abc.com | 0.0203010773791622 | ✅️ | view_anomaly_vm_util.png |
    | 5 | __name__=Utilization,entityId=a4c0e83f-ac6f-497b-86cd-c646b90d7f89:NUK_CPU:NUK_CPU,hostname=ai-ml-host94.abc.com | 0.005336915030485834 | ✅️ | view_anomaly_util.png |
    | 6 | __name__=Load,entityId=6ad14b2c-c69f-446c-8053-c0153b0f6043:NUK_CPU:NUK_CPU,hostname=ai-ml-host94.abc.com | 0.0013492750500503055 | ✅️ | view_anomaly_load.png |
    | 7 | __name__=vmUtilization,entityId=6ad14b2c-c69f-446c-8053-c0153b0f6043:NUK_CPU:NUK_CPU,hostname=ml-ai-host84.abc.com | 0.0010230399553819848 | ✅️ | view_anomaly_vm_util_cpu.png |
    | 8 | __name__=IdleTime,entityId=6ad14b2c-c69f-446c-8053-c0153b0f6043:NUK_CPU:NUK_CPU,hostname=ai-ml-host94.abc.com | 0.0010230394857828524 | ✅️ | view_anomaly_idle_Time.png |
    | 9 | __name__=Utilization,entityId=6ad14b2c-c69f-446c-8053-c0153b0f6043:NUK_CPU:NUK_CPU,hostname=ml-ai-host84.abc.com | 0.0002797324774806881 | ✅️ | view_anomaly_util_cpu.png |
    | 10 | __name__=Total,entityId=a4c0e83f-ac6f-497b-86cd-c646b90d7f89:NUK_Memory:NUK_Memory,hostname=ai-ml-host94.abc.com | 0.0 | ❌️ | view_anomaly_total.png |
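
The display rules described above, applied to the identifiers and scores from the table, as an added example that is not BMC code. The function names, and the reading of the second colon-separated field of entityId as the monitor type, are assumptions made for this illustration.

```python
from collections import defaultdict

MEM = "a4c0e83f-ac6f-497b-86cd-c646b90d7f89:NUK_Memory:NUK_Memory"
CPU_A = "a4c0e83f-ac6f-497b-86cd-c646b90d7f89:NUK_CPU:NUK_CPU"
CPU_B = "6ad14b2c-c69f-446c-8053-c0153b0f6043:NUK_CPU:NUK_CPU"
H94, H84 = "ai-ml-host94.abc.com", "ml-ai-host84.abc.com"

# (metric name, entityId, hostname, metric score), copied from the table on this page
TABLE = [
    ("vmUsed", MEM, H94, 0.6220732844489766),
    ("Used", MEM, H94, 0.5837307306884533),
    ("Free", MEM, H94, 0.5813340459335296),
    ("vmUtilization", CPU_A, H94, 0.0203010773791622),
    ("Utilization", CPU_A, H94, 0.005336915030485834),
    ("Load", CPU_B, H94, 0.0013492750500503055),
    ("vmUtilization", CPU_B, H84, 0.0010230399553819848),
    ("IdleTime", CPU_B, H94, 0.0010230394857828524),
    ("Utilization", CPU_B, H84, 0.0002797324774806881),
    ("Total", MEM, H94, 0.0),
]
# Rebuild the identifier strings exactly as the table shows them.
ROWS = [(f"__name__={n},entityId={e},hostname={h}", s) for n, e, h, s in TABLE]

def parse_identifier(identifier):
    """Split 'key=value,key=value' labels; values may contain ':' but not ','."""
    labels = dict(part.split("=", 1) for part in identifier.split(","))
    # Assumption: the second ':'-separated field of entityId is the monitor type.
    labels["monitor_type"] = labels["entityId"].split(":")[1]
    return labels

def details_view(rows, limit=10):
    """Rank by score, keep the top `limit`, split zero-score metrics into the expander."""
    ranked = sorted(rows, key=lambda r: r[1], reverse=True)[:limit]
    contributing = [(parse_identifier(i), s) for i, s in ranked if s > 0]
    non_contributing = [(parse_identifier(i), s) for i, s in ranked if s == 0]
    return contributing, non_contributing

def by_source(contributing):
    """Group contributing metric names by (hostname, monitor type), in rank order."""
    groups = defaultdict(list)
    for labels, _score in contributing:
        key = (labels["hostname"], labels["monitor_type"])
        groups[key].append(labels["__name__"])
    return dict(groups)

if __name__ == "__main__":
    shown, hidden = details_view(ROWS)
    for source, names in by_source(shown).items():
        print(source, names)
    print("non-contributing:", [l["__name__"] for l, _ in hidden])
```

Grouping by host and monitor type shows at a glance that the three highest contributors all come from the memory monitor on one host, which is a useful first question when triaging a multivariate anomaly.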

 
