[FEATURE] Add full entity information for AD monitor #1219

amitgalitz opened this issue Mar 3, 2025 · 3 comments
Labels
enhancement New feature or request v3.1.0

Comments

@amitgalitz
Member

amitgalitz commented Mar 3, 2025

Is your feature request related to a problem?
When you create an OpenSearch Monitor on top of an Anomaly Detector, the alert output will generally contain structured information about the detected anomaly. However, currently we only look for the max anomaly grade to display in that interval without too much additional information.

Our current search is for the sorted top entity and that's what we use for threshold comparison and what is available for users to pull into the context.

Currently also the default message pre-filling is:

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}} UTC
  - Period end: {{ctx.periodEnd}} UTC

What solution would you like?
I would like to improve the output capability of a monitor that is created on top of an anomaly detector so we can see at least 10-20 entities in a given interval that have an anomaly and also show the actual and expected value for that anomaly along with any other information. The output would look like this:

We can add an additional toggle on the frontend to either show just the anomaly with the max grade

Anomaly 1:
Entity: {"name": "error_type", "value": "error16"}, Timestamp: <10:02pm>, actual value: 100, expected value: 10, anomaly grade: 0.7, anomaly confidence: 0.8
Anomaly 2:
Entity: {"name": "error_type", "value": "error17"}, Timestamp: <10:10pm>, actual value: 80, expected value: 11, anomaly grade: 0.7, anomaly confidence: 0.8
Anomaly 3:
Entity: {"name": "error_type", "value": "error18"}, Timestamp: <10:12pm>, actual value: 70, expected value: 12, anomaly grade: 0.7, anomaly confidence: 0.8

@kaituo
Contributor

kaituo commented Mar 18, 2025

Can you make the entity more reader friendly?

Say error_type:error18

This would make it easier to read when we have multiple categorical fields.

Also, the timestamp is a range, not a point.

@AWSHurneyt
Collaborator

so we can see at least 10-20 entities in a give interval

I'm not too familiar with the AD plugin, but something to consider is how large the message size will be if it includes all 10-20 entities.

When we added the sample_documents variables to the ctx object (documentation link), we limited the number of sample docs to 10 (though we'd like to eventually enhance that limit to an action-level setting) as the plugins wouldn't inherently have access to the payload size restrictions of the destination webhook; different webhook providers may have different restrictions.
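The following is an added example, not code from this issue or from the OpenSearch Alerting/AD plugins (which are written in Kotlin and Java; this is a Python sketch of the message-shaping logic only). It combines the three points raised above: the per-entity summary proposed in the issue, kaituo's reader-friendly `field:value` entity form and interval-rather-than-timestamp, and AWSHurneyt's concern about message size, which it addresses with a cap on both the entity count and the rendered byte size. The field names on `AnomalyResult`, the interval strings, the default caps and all sample results are constructed assumptions.

```python
"""Added example (not OpenSearch plugin code): build the multi-entity anomaly
summary proposed in the issue, with a count cap and a byte cap so the rendered
message stays within a webhook payload limit. All data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AnomalyResult:
    # Assumed shape: entity is a list of {"name": ..., "value": ...} pairs,
    # one per categorical field; the interval is the detector bucket.
    entity: list[dict]
    interval_start: str
    interval_end: str
    actual: float
    expected: float
    grade: float
    confidence: float


def format_entity(entity: list[dict]) -> str:
    """Render as 'error_type:error18'; several categorical fields are joined."""
    return ", ".join(f"{e['name']}:{e['value']}" for e in entity)


def format_anomaly(index: int, r: AnomalyResult) -> str:
    """One two-line block per anomaly, mirroring the layout in the issue."""
    return (
        f"Anomaly {index}:\n"
        f"Entity: {format_entity(r.entity)}, "
        f"Interval: {r.interval_start} - {r.interval_end}, "
        f"actual value: {r.actual:g}, expected value: {r.expected:g}, "
        f"anomaly grade: {r.grade}, anomaly confidence: {r.confidence}"
    )


def summarize(results, threshold=0.0, max_entities=10, max_bytes=4096):
    """Return (message, shown, omitted).

    Keeps results whose grade exceeds the threshold, highest grade first,
    then stops at max_entities or when the next block would push the
    UTF-8 size past max_bytes (assumed destination limit). Anything cut off
    is reported as a count so the reader knows the list is partial.
    """
    hits = sorted(
        (r for r in results if r.grade > threshold),
        key=lambda r: r.grade,
        reverse=True,
    )
    lines: list[str] = []
    shown = 0
    for r in hits[:max_entities]:
        block = format_anomaly(shown + 1, r)
        candidate = "\n".join(lines + [block])
        if len(candidate.encode("utf-8")) > max_bytes:
            break
        lines.append(block)
        shown += 1
    omitted = len(hits) - shown
    if omitted > 0:
        lines.append(f"... and {omitted} more anomalous entities not shown")
    return "\n".join(lines), shown, omitted


# Constructed sample results for one detector interval (not real AD output).
SAMPLE_RESULTS = [
    AnomalyResult([{"name": "error_type", "value": "error16"}],
                  "2025-03-03T22:00Z", "2025-03-03T22:10Z", 100, 10, 0.7, 0.8),
    AnomalyResult([{"name": "error_type", "value": "error17"},
                   {"name": "host", "value": "web-1"}],
                  "2025-03-03T22:00Z", "2025-03-03T22:10Z", 80, 11, 0.9, 0.8),
    AnomalyResult([{"name": "error_type", "value": "error18"}],
                  "2025-03-03T22:00Z", "2025-03-03T22:10Z", 70, 12, 0.5, 0.6),
    AnomalyResult([{"name": "error_type", "value": "error19"}],
                  "2025-03-03T22:00Z", "2025-03-03T22:10Z", 10, 10, 0.0, 0.0),
]

if __name__ == "__main__":
    message, shown, omitted = summarize(SAMPLE_RESULTS, max_entities=2)
    print(message)
    print(f"shown={shown} omitted={omitted}")
```

The byte cap is checked on the rendered text rather than on the entity count alone, because, as noted above, the plugin cannot know the payload limit of each destination; making `max_entities` and `max_bytes` action-level settings would let operators tune them per webhook.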

@krisfreedain
Member

Catch All Triage - 1 2

@AWSHurneyt AWSHurneyt added v3.1.0 and removed v3.0.0 labels Apr 14, 2025
Development

No branches or pull requests

5 participants