Anomaly Detection is available only to users with a license to use the feature.
Alerts allow you to proactively monitor your environment by notifying you or performing automated actions when certain conditions are met.
There are two methods for creating Devices alerts in ControlUp:
- Static Thresholds: Triggered when a metric hits a fixed numerical value (such as CPU > 90%). For details, read Static Threshold Alerts.
- Anomaly Detection: Triggered when ControlUp detects behavior that deviates from a historical baseline.
This article describes Anomaly Detection alerts.
What is Anomaly Detection?
Anomaly Detection analyzes your historical data to identify behavior that deviates from the normal pattern of your environment. This method is particularly useful for metrics that have expected fluctuations throughout the day or week.
Use Anomaly Detection for early warning signs of unusual behavior, while using Static Threshold Alerts for hard limits based on fixed thresholds (for example, 0% free disk space should always be an alert, regardless of historical patterns).
Configure an Anomaly Detection Alert
When creating a new Alert, set the alert Method to Anomaly detection and configure the following:
1. Scope
Define which devices you want the alert to monitor:
- All Devices: Monitors all devices in your organization.
- Selected Group/Tags: Lets you limit the alert to devices in the selected device group, or with at least one of the selected tags.
- Individual Devices: Lets you limit the alert to individual devices by searching for device names.
2. Metric Configuration
- Category: Select the data index that contains the metric you want to monitor.
- Metric: Choose the specific metric to monitor.
- Severity: Choose the alert level that will be assigned when an anomaly is detected.
3. Fine-Tuning the Detection
These settings control how sensitive the Anomaly Detection is to deviations:
- Standard Deviation: This defines the width of the "normal" range.
  - A lower number makes the alert more sensitive, triggering on smaller deviations.
  - A higher number makes the alert less sensitive, triggering only on significant spikes or drops.
- Seasonality: Select the time interval that matches the expected repeating pattern of your data:
  - Daily: Each hour is compared to the same hour from the previous day. For example, 10:00–11:00 Monday is compared to 10:00–11:00 on Sunday. Use this for metrics that follow consistent daily patterns to account for differences in business vs. non-business hours.
  - Weekly: Each day is compared to the same day from the previous week. For example, Monday is compared to the previous Monday's baseline. Use this for metrics that follow consistent patterns for each day of the week, helping to account for the difference between weekdays and weekends.
  - Adaptive: The system adaptively learns new hourly baselines without accounting for any time of day or day of the week. Use this for metrics that are expected to stay consistent. Note that this option will be sensitive and trigger alerts if the metric follows trends based on business vs. non-business hours or weekdays vs. weekends.
- Direction: Choose whether you want to be notified when the metric is higher than normal, lower than normal, or both.
  - Example: For CPU load, you likely only want to alert when it is higher than normal. For free disk space, you likely only want to alert when it is lower than normal.
- Trigger an alert when the conditions above are met...: To prevent noise from momentary spikes, set a duration. The alert triggers only if the anomaly persists for the specified duration.
4. Follow-Up Actions and Notifications
When an anomaly is detected, you can trigger a flow from Workflows (our low-code automation engine), or you can send a notification to email addresses.
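To see how the step 3 settings (Standard Deviation, Seasonality, Direction and duration) interact, the following added example models them on constructed hourly CPU data; it is an illustration written for this article, not ControlUp's code or algorithm. It assumes the "normal" range is mean ± k standard deviations of the comparable past hours and that Adaptive uses the most recent 6 hours; all function and variable names are hypothetical.

```python
from statistics import mean, stdev

PERIOD = {"daily": 24, "weekly": 168}  # hours per seasonal cycle
ADAPTIVE_WINDOW = 6  # assumption: "adaptive" modelled as the most recent 6 hours

def baseline(series, seasonality):
    """Mean and standard deviation of the past hours comparable to the next hour."""
    n = len(series)  # index the next hourly value will occupy
    if seasonality == "adaptive":
        samples = series[-ADAPTIVE_WINDOW:]
    else:
        period = PERIOD[seasonality]
        samples = series[n % period::period]  # same hour of day / same hour of week
    if len(samples) < 2:
        raise ValueError("not enough history for this seasonality")
    return mean(samples), stdev(samples)

def detect(history, new_values, k=3.0, seasonality="daily",
           direction="both", persist_hours=1):
    """Return indices into new_values at which an alert would fire."""
    series, alerts, streak = list(history), [], 0
    for i, value in enumerate(new_values):
        mu, sigma = baseline(series, seasonality)
        high, low = value > mu + k * sigma, value < mu - k * sigma
        hit = {"higher": high, "lower": low, "both": high or low}[direction]
        streak = streak + 1 if hit else 0
        if streak == persist_hours:  # fire once, when the anomaly has lasted long enough
            alerts.append(i)
        series.append(value)  # the new hour becomes part of later baselines
    return alerts

def constructed_cpu(first_day, days):
    """Constructed hourly CPU %: ~60 during 09:00-18:00, ~10 otherwise, small jitter."""
    return [(60 if 9 <= h < 18 else 10) + ((d * 2 + h * 3) % 5 - 2)
            for d in range(first_day, first_day + days) for h in range(24)]

HISTORY = constructed_cpu(0, 14)    # two weeks of baseline (constructed)
CLEAN_DAY = constructed_cpu(14, 1)  # a normal following day (constructed)
SPIKE_DAY = list(CLEAN_DAY)
SPIKE_DAY[2:4] = [45, 45]           # 02:00-04:00 load that is normal at noon, not at night

if __name__ == "__main__":
    print("daily, spike:", detect(HISTORY, SPIKE_DAY, direction="higher"))
    print("daily, spike, 3h duration:", detect(HISTORY, SPIKE_DAY, persist_hours=3))
    print("adaptive, clean day:", detect(HISTORY, CLEAN_DAY, seasonality="adaptive"))
```

A 45% reading at 02:00 would never trip a static CPU > 90% threshold, yet the daily baseline flags it; the Adaptive model alerts on the ordinary start and end of business hours, which is the caveat noted for that option.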
How to View Anomalies
To see all triggered anomalies, go to the Anomalies tab. There, you can see all detected anomalies, including how long they lasted.
- An anomaly that is still ongoing is counted as an Open Incident.
- An anomaly that has returned to a normal baseline is counted as a Closed Incident.