This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
Alerting
Questions about alerting and problem detection in Dynatrace.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Monday morning tip, Davis monitor status value

Go to solution
henk_stobbe
DynaMight Leader
DynaMight Leader

‎16 Mar 2026 08:02 AM

Hello,

 

As long as you can only use higher or lower in Davis anomaly detection, this could be a workaround.

 

testing on status 4:

timeseries myseries = avg(xxx.device.status),by: {`dt.entity.xxx:xxx`} ,interval:1m | filter (arrayLast(myseries) == 4)

The anomaly detection should be like <100 (or more)

 

Who can confirm?

 

KR Henk

 

 

0 Kudos
Reply
3 REPLIES 3

Go to solution
t_pawlak
Leader

‎16 Mar 2026 10:22 AM

Hi Henk,
IMO, this can work only partially, but I would not treat it as a clean or fully reliable workaround.

timeseries myseries = avg(xxx.device.status), by: {`dt.entity.xxx:xxx`}, interval:1m
| filter (arrayLast(myseries) == 4)

filters in only the timeseries whose latest sample is 4, but the anomaly detector still evaluates the returned 1-minute samples in the series, not just that single last value. So with a threshold like < 100, you would effectively mark all returned points as violating, which means the alert logic is no longer really “status equals 4”, but rather “this series passed the filter and its samples are below 100”. That can be misleading. 

A better approach is to transform the status into a dedicated numeric signal, for example:

  • 100 when status = 4
  • 0 otherwise

and then alert on above 50 or similar. That way the anomaly detector evaluates an explicit signal instead of relying on record filtering

Reply

Go to solution
henk_stobbe
DynaMight Leader
DynaMight Leader

‎16 Mar 2026 11:02 AM

Thanks for your replay, simulation at my end  looks perfect. myseries is already a 1m avg?

 
 

image.png

 

Am I missing something?

 

KR Henk

0 Kudos
Reply

Go to solution
t_pawlak
Leader
In response to henk_stobbe

‎16 Mar 2026 11:08 AM

yes, in your query myseries is already a 1-minute averaged time series, because avg(...) with interval:1m creates one average value per 1-minute bucket.
So filter(arrayLast(myseries) == -1) checks whether the latest 1-minute bucket is -1, and if yes, the series remains in the result.
So from that perspective, your simulation result makes sense.
The only caveat is that alert behavior still depends on the anomaly detector window/dealerting/missing-data logic, because Davis evaluates the returned 1-minute series format

Reply
Ask a question

Featured Posts