Skip to main content

Anomaly merger rules

In ThirdEye, a detection pipeline runs at a given frequency, defined by the cron value.
Let's consider a pipeline that runs every hour. What happens if an incident lasts 3 hours ?
The detection pipeline will detect an anomaly 3 times, but it is actually the same incident. We want a single anomaly for this.

When ThirdEye detects new anomalies, the following rules are applied:

  1. if a new anomaly happens less than 2 hours after a previous one, merge the anomalies
  2. if an anomaly lasts for more than 7 days, create a new anomaly

The merging rules are configurable in the ANOMALY_MERGER node.

Examples:

  1. Merging anomalies merging anomalies

  2. Creating a new anomaly when the maximum length is reached merging maximum