Unomaly includes two types of frequency anomaly detection that you can enable in the settings tab for Experimental features.

Background

Frequency anomalies refer to algorithms that identify data or events that are changing from its established normal rate. There are two scenarios that we detect and monitor:

  • Events that increase rapidly, for example “connection failure”.
  • Events that stop happening, for example “cron job success”.

We expect these new categories of anomalies to provide a strong signal into impact and improve the way that the product prioritizes and describes situations.

How it works

Learning of frequency patterns

The learning of frequency patterns for events has been available since Unomaly 2.22 and happens automatically in the background. For each event, Unomaly keeps a profile that holds all the information about the event, including: when the event was first and last seen, which parameters in the event are dynamic, and so on.

As part of this feature, we have also added a time series data store that lets Unomaly store a history of the occurrences of each event profile. We designed this to track time series of millions of concurrent events with very low impact to storage, resource requirements, and throughput.

Unomaly algorithms use this time series data to detect frequency spikes (accelerated rate).

We have also added metrics for each event profile that allows Unomaly to detect whether events are periodic or not. When an event is periodic (e.g. the output of a cron job) it is possible to predict when the next occurrence of the event should happen. This learning is then used to detect when events stop happening.

Detection of accelerated events

The acceleration detector focuses on identifying event profiles that are rapidly accelerating. It will discover event profiles that exceed the normal pattern significantly.

Each event profile has a rolling window time series containing the number of events over time (i.e. the rate). Unomaly compares the current rate to the mean historic rate to determine if an event profile is accelerating.

In the example below, the situation includes multiple frequency anomaly log events denoted by the up pointing arrows. Hover the icon to see a graph of the accelerating event volume.

frequency anomalies

Detection of stopping events

The stop detector focuses on identifying event profiles that should be receiving data but isn’t.

The detector only works on periodic events, i.e. events that always occur with the same interval. Sometimes events are dropped on the way before they reach Unomaly (e.g. due to a network issue). Therefore, events that have a short interval (approx. 0-10 minutes) are required to be missing multiple events before a stop is reported. For longer intervals (approx. > 10 minutes), a single event missing will be reported as a stop.

In the example below, we can see that Unomaly detects a missing cron job event that usually happens every 18 minutes approximately. The red line denotes when the first missing event was expected. Hover the icon of the event to see a graph of the event volume.

frequency anomalies

Impact to situation scoring

Both algorithms will influence the score of the situation. Frequency anomalies can have the score between 1 and 7 and will influence the situation score like any other event. Stopping events will always be scored as a 7 (critical).

How to enable experimental features

To enable these experimental features:

frequency anomalies

  1. Go to the Experimental tab in Unomaly Settings.

  2. Select the features you want to enable.

  3. Click Save.

  4. Restart the Unomaly instance.

Send us your feedback

Because these experimental features are still in development, your feedback is highly valuable and will help us to learn more about what you want to see in the final product. Fill out the Unomaly Feedback form and let us know what you think.

Send us your metrics

You can enable daily metrics, which will send usage analytics to developers at Unomaly. These analytics will help us to understand the performance of the instances so that we can continue to improve Unomaly. These analytics do not include log data, only summarized and aggregated numbers for your licensed instances.

To enable this feature in the UI,

  1. Go to the General tab in Unomaly Settings.

  2. Select “Send instance analytics to Unomaly”.

  3. Click Save.