A situation is a time-related cluster of anomalous events and known events generated by a system.
A situation begins when a system generates a relevant event. As further relevant events are detected, they are appended to the open situation if there is one. When no events have been added for at least 1 minute, the situation ends, and the next relevant event starts a new situation.
- If the event is an anomaly, its relevance is based on its score.
- If the event is a known, its relevance is based on its classification; it is relevant when classified Notice or higher.
This topic discusses how you can use the Situations page to investigate and review anomalies that Unomaly detects. The Situations page consists of a timeline, the aggregated score, filtering options, and a list of time-ordered situations.
Investigating with the graph and timerange
The timeline consists of two time series graphs: one depicts the total volume of data, and the other indicates the occurrence of anomalous events.
- As you hover over individual sections of the bars, you can see how many events each section corresponds to and their frequency.
- As you scroll down through the list of situations, the graph remains visible. You can also hide it by clicking “Collapse”.
Adjusting the time span
The span of the graph can be made longer or shorter by using the dropdown to select from presets (last day, last week, last month), or by using the custom option to specify a specific time range.
Jumping back and forward in time
Arrows to the left and right of the graph are buttons that let you jump backwards and forwards in time while preserving the selected interval. For example, if you are looking at the last day and click the arrow to the left of the graph, it takes you to the previous day.
Zooming in and out on selected time periods
Making a selection in the graph dynamically applies a filter for the situations and events that happened in that specific time frame. When you make a selection, a zoom button appears above the graph that lets you zoom in on that part of the graph.
How situations are scored
Every situation has a score (from 1 to 10) that is based on:
- How anomalous the events are.
- How many events there are in the situation.
- How normal the system usually is.
Unomaly recalculates the score as events are added to the situation. This means that a situation can start with a score of 1 (a parameter anomaly) and grow to a score of 9 (never before seen data, multiple events, and so on). The score may be:
- 7 to 10 (red): The situation contains never before seen data and/or known events classified as Critical.
- 4 to 6 (orange): The situation contains never before seen events for this system (but not for the environment) and/or events classified as Warning.
- 1 to 3 (yellow): The situation contains parameter anomalies and/or known events classified as Notice.
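The clustering rule from the top of this topic (relevant events are appended to the open situation; a gap of at least 1 minute ends it) and the score bands just listed, as an added example in Python; this is illustrative code, not Unomaly's own. It assumes that a situation's score is the highest per-event score added so far, and that a known's classification places it at the bottom of its band (Notice 1, Warning 4, Critical 7); the page does not give the exact formula.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GAP = timedelta(minutes=1)                              # a situation ends after 1 minute without new events
RELEVANT_CLASSES = {"Notice", "Warning", "Critical"}    # knowns classified Notice or higher are relevant
CLASS_SCORE = {"Notice": 1, "Warning": 4, "Critical": 7}  # assumed: places a known in the page's bands

@dataclass
class Event:
    ts: datetime
    kind: str                   # "anomaly" or "known"
    score: int = 0              # anomaly score 1..10 (anomalies only)
    classification: str = ""    # known events only

@dataclass
class Situation:
    events: list = field(default_factory=list)

    def score(self):            # assumed: highest per-event score added so far
        return max(e.score if e.kind == "anomaly" else CLASS_SCORE[e.classification]
                   for e in self.events)
    def band(self):             # 7-10 red, 4-6 orange, 1-3 yellow
        return "red" if (s := self.score()) >= 7 else "orange" if s >= 4 else "yellow"

def is_relevant(e, min_score=1):
    if e.kind == "anomaly":
        return e.score >= min_score
    return e.classification in RELEVANT_CLASSES

def cluster(events):
    # Append each relevant event to the open situation, or open a new one after a gap
    situations, current = [], None
    for e in sorted(events, key=lambda x: x.ts):
        if not is_relevant(e):
            continue            # irrelevant events neither open nor extend a situation
        if current is None or e.ts - current.events[-1].ts >= GAP:
            current = Situation()
            situations.append(current)
        current.events.append(e)
    return situations

def demo():
    t0 = datetime(2024, 1, 1, 12, 0, 0)                 # constructed timeline
    return cluster([
        Event(t0, "anomaly", score=2),                                      # parameter anomaly opens situation 1
        Event(t0 + timedelta(seconds=20), "anomaly", score=9),              # never before seen data pushes it to red
        Event(t0 + timedelta(seconds=40), "known", classification="Notice"),
        Event(t0 + timedelta(seconds=50), "known", classification="Info"),  # below Notice: ignored
        Event(t0 + timedelta(minutes=3), "anomaly", score=4),               # gap over 1 minute: situation 2
        Event(t0 + timedelta(minutes=3, seconds=30), "known", classification="Warning"),
    ])
```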
In unknown events, the anomalous parts of the event are highlighted in red. You can convert events into knowns by adding more context, a classification, and a description to them. See “Add knowns to prioritize event scoring”.
Expanding and reviewing events in the situation
The situations list shows you the most significant anomaly in the cluster. To review the underlying events (anomalies and knowns) in the situation, click the situation to expand it.
Filtering for anomalies within situations
When you expand a situation, you will see:
- A summary of the types of anomalies in the situation with a count of how many of each type exist in the cluster.
- A filter box which you can use to run a keyword search for specific events within the situation.
- The list of the events that were clustered into the situation.
You can filter in the situation to find specific events based on the type of anomaly and using keywords in the filter box.
- Click the check boxes in the summary of anomaly types to hide or show matching events in the list. For example, if you have “1 Never before seen”, “29 New parameter”, and “1 Frequency spike”, you can hide the “29 New parameter” anomalies to investigate the other two.
- Run a keyword search for specific events within the situation. For example, you might want to search the anomalies for log events that describe a “failure”.
Review surrounding events
Each situation has a Jump to events button that can help to better understand the situation’s context. The button takes you to the time period in the Events view and lists the surrounding normal and anomalous events.
Closing alerts in situations
If the situation caused an alert, a red exclamation mark is displayed to the right of the situation in the Situations view. To close the alert, expand the situation and click Close alert. See “Configure actions and notifications”.
Star a situation to review later
You can “Star” a situation to save it and review it later. All starred situations are saved in a default view, named “Starred”.