startree-mean-variance-query-dx

startree-mean-variance-query-dx

Description

Detect an anomaly if the metric is not in mean ± n*std. mean and std (standard deviation) are estimated with historical data. The amount of historical data to use is set with the lookback property. Aggregation function with 1 operand: SUM, MAX,etc... Use the enumeratorQuery property to feed in a query that outputs different dimensions to explore.

Flowchart

Parameters

DATA

namedescriptiondefault value
dataSourceThe Pinot datasource to use.-
datasetThe dataset to query.-
aggregationColumnThe column to aggregate. Can be a derived metric.-
aggregationFunctionThe aggregation function to apply on the aggregationColumn. Example: AVG.-
monitoringGranularityThe period of aggregation of the timeseries. In ISO-8601 format. Example: PT1H.-
timezoneTimezone used to group by time. In TZ-identifier (opens in a new tab) format.

For instance, UTC or US/Pacific.
UTC
timeColumnTimeColumn used to group by time. If set to AUTO (the default value), the Pinot primary time column is used.AUTO
timeColumnFormatRequired if timeColumn is not AUTO. Learn more (opens in a new tab).
completenessDelayThe time for your data to be considered complete and ready for anomaly detection. In ISO-8601 format. Example: PT2H. Learn more (opens in a new tab).P0D
queryFiltersFilters to apply when fetching data. Prefix with AND. Example: AND country='US'${queryFilters}
queryLimitMaximum number of timeseries point to fetch.100000000

DETECTION

namedescriptiondefault value
lookbackHistorical time period to use to train the model. In ISO-8601 format. Example: P21D.-
sensitivityThe sensitivity of the model. The smaller, the less anomaly are detected.-
patternWhether to detect an anomaly if it's a drop, a spike or any of the two.UP_OR_DOWN
seasonalityPeriodSeasonality to consider when computing mean and variance. Possible values are P7D (weekly and smaller periods), P1D (daily and smaller periods), PT0S (no seasonality). Eg: with P7D, a Monday 12 AM value will be estimated from the mean and variance of the previous Monday 12 AM values.PT0S

FILTER

Time of week

namedescriptiondefault value
daysOfWeekUsed to ignore anomalies that happen at specific time periods. A list of days. Anomalies happening on these days are ignored if timeOfWeekIgnore is true. Example: ["MONDAY", "SUNDAY"].[]
hoursOfDayUsed to ignore anomalies that happen at specific time periods. A list of hours. Anomalies happening on these hours are ignored. Example: [0,1,2,23][]
dayHoursOfWeekUsed to ignore anomalies that happen at specific time periods. A mapping of {DAY: [hours]}. Anomalies happening on these timeframes are ignored if timeOfWeekIgnore is true. Example: {"FRIDAY": [22, 23], "SATURDAY": [0, 1, 2]}{}

Threshold

namedescriptiondefault value
thresholdFilterMinUsed to ignore anomalies that don't meet the thresholdFilter min and max. Example: set thresholdFilterMin = 10 to ignore anomalies when the metric is smaller than 10. Can help ignore anomalies happening in low data regimes. Filter threshold minimum. If -1, no minimum threshold is applied.-1
thresholdFilterMaxUsed to ignore anomalies that don't meet the thresholdFilter min and max. Example: set thresholdFilterMin = 10 to ignore anomalies when the metric is smaller than 10. Can help ignore anomalies happening in low data regimes. Filter threshold maximum. If -1, no maximum threshold is applied.-1

Guardrail metric

namedescriptiondefault value
guardrailMetricMinUsed to ignore anomalies that don't meet the guardrail threshold. Minimum threshold of the guardrail metric. If -1, no minimum threshold is applied.-1
guardrailMetricMaxUsed to ignore anomalies that don't meet the guardrail threshold. Maximum threshold of guardrailMetric. If -1, no maximum threshold is applied.-1
guardrailMetricUsed to ignore anomalies that don't meet the guardrail threshold. Metric to use as a threshold guardrail. Example: COUNT(*) and set guardrailMetricMin = 100 to ignore anomalies detected when there is less than 100 observations in the period.COUNT(*)

Special events

namedescriptiondefault value
eventFilterSqlFilterUsed to ignore anomalies that happen during events. Sql filter to apply on the events. Learn more (opens in a new tab)
eventFilterLookaroundUsed to ignore anomalies that happen during events. Offset to apply on startTime and endTime to look around the timeframe. In ISO-8601 format. Example: P1D.P2D
eventFilterTypesUsed to ignore anomalies that happen during events. List of event types to fetch by. Example: ["HOLIDAY", "DEPLOYMENT"]. [] fetches all events. Use ["__NO_EVENTS"] to disable.['__NO_EVENTS']
eventFilterBeforeEventMarginUsed to ignore anomalies that happen during events. A period in ISO-8601 format that corresponds to a period that is also impacted by the event. Example: if beforeEventMargin is P1D, if event happens on [Dec 24 0:00, Dec 25 0:00[, the label will be applied to anomalies happening on [Dec 23 0:00 and Dec 25 0:00[P0D
eventFilterAfterEventMarginUsed to ignore anomalies that happen during events. Same as eventFilterBeforeEventMargin at the end of the event.P0D

POSTPROCESS

Data mutability

namedescriptiondefault value
mutabilityPeriodUse if your data is mutable. ThirdEye will maintain the detection results up to date on the mutable period. For instance, if your last 10 days of data is mutable, set P10D. At each cron detection job, the detection results for the last 10 days will be updated.P0D
reNotifyPercentageThresholdFor detection replay when data is mutable. If the percentage difference between an existing anomaly and a new anomaly on the same time frame is above this threshold, renotify. Combined with reNotifyAbsoluteThreshold. Both thresholds must pass to be re-notified. If zero, always renotify. If null or negative, never re-notifies.-1
reNotifyAbsoluteThresholdFor detection replay when data is mutable. If the absolute difference between an existing anomaly and a new anomaly on the same time frame is above this threshold, renotify. Combined with reNotifyPercentageThreshold. Both thresholds must pass to be re-notified. If zero, always renotify. If null or negative, never re-notifies.-1

Anomaly merger

namedescriptiondefault value
mergeMaxGapMaximum gap between 2 anomalies for anomalies to be merged. In ISO-8601 format. Example: PT2H. The default behavior is to merge consecutive anomalies only. To disable anomaly merging entirely, set this value to P0D.
mergeMaxDurationMaximum duration of an anomaly merger. At merge time, if an anomaly merger would get bigger than this limit, the anomalies are not merged. In ISO-8601 format. Example: P7D.

RCA

namedescriptiondefault value
rcaAggregationFunctionThe aggregation function to use for RCA. If the detection metric name is known to ThirdEye, this parameter is optional.
rcaIncludedDimensionsList of the dimensions (columns in the dataset) to use in RCA drill-downs. If not set or empty, all dimensions of the table are used. Learn more (opens in a new tab).[]
rcaExcludedDimensionsList of dimensions (columns in the dataset) to ignore in RCA drill-downs. If not set or empty, all dimensions of the table are used. rcaExcludedDimensions and rcaIncludedDimensions cannot be used at the same time.[]
rcaEventTypesA list of type to filter on for RCA. Only events that match such types will be shown in the RCA related events tab. Learn more (opens in a new tab).[]
rcaEventSqlFilterA Sql filter for RCA events. Only events that match the filter will be shown in the RCA related events tab. Learn more (opens in a new tab).

DIMENSION_EXPLORATION

namedescriptiondefault value
enumeratorQueryThis is a SQL query that will run on the data source and build enumeration items from that queryExample: "SELECT DISTINCT country, device from pageviews LIMIT 100". In this case, the enumerator will generate one enumeration item for each country/device combination.-
enumerationItemIdKeysList of keys to use to identify the enumeration.

The format is the following:

[

"queryFilters"

]



The keys must be present in the params object of each enumeration.

The keys will be used to generate the dimension exploration id.

The id will be used to identify the enumeration in the detection pipeline.
['queryFilters']