Re: alerting site wise

O11y_Noob · ‎17 Nov 2025

timeseries v = avg(unexpecteddowntime), by: {site, unit}
| summarize {
site_series = avg(v[]), 
units = collectDistinct(unit) 
}, by: {site, timeframe, interval} 
| filter arrayMax(site_series) > 30 
| fieldsAdd units_str = toString(units)

Using this in Davis Anamoly for creating alerts site wise , and having {dims:units} in the description but the problem is closing and opening a new instance whenever there is change in the {dims:units} , i only want to close the alert {dims:units} is 0

t_pawlak · ‎17 Nov 2025

Hi,
If you are using this query, and in the Davis Anomaly metric event you’re using something like {dims:units} in the description. In Dynatrace, whenever a dimension (anything referenced via {dims:...}) changes, Davis treats it as a new problem instance.
So when the list of units changes even slightly: Old problem is closed and New problem is opened

That’s why you see constant open/close cycles.

If I correctly understand, you want to open one problem per site.

So, do not use {dims:units} anywhere (especially in description).
That makes units part of the problem key.

Use units only as a field, not a dimension.

Drive open/close behaviour via DQL:

Alert only when units_count > 0
Problem auto-closes when units_count = 0

Try this:

timeseries v = avg(unexpecteddowntime), by: {site, unit}
| summarize {
    site_series = avg(v[]),
    units = collectDistinct(unit),
    units_count = countDistinct(unit)
  }, by: {site, timeframe, interval}
| filter arrayMax(site_series) > 30
| filter units_count > 0
| fieldsAdd units_str = toString(units)

units_count > 0 → only then the metric event is evaluated as violating

When units_count becomes 0, the violation stops → Davis will close the problem

Then in metric event use site as a dimension, like this:

Site: {dims:site}
Affected units: {fields.units_str}

patryk_ozimek2 · ‎18 Nov 2025

Hi,

I don't see such thing as "fields" in the doc (https://docs.dynatrace.com/docs/shortlink/anomaly-detection-configuration#event-template) - I also tried to use it in my Davis Anomaly Detector but results were the same like for @O11y_Noob

Can you please give the source from which you got this info?

Best Regards,
Patryk

O11y_Noob · ‎17 Nov 2025

the filter that you see in the problem is not part of my query but its getting added and the reffered fields.unit_Str is not getting the field value referred , could you pls help here @t_pawlak

t_pawlak · ‎18 Nov 2025

Hi,
It looks like the additional filter (...) you see in the problem view is not coming from your DQL. Davis automatically adds a filter for the concrete time-series that triggered the event (based on the dimensions/placeholders used in the metric event).

Also, my previous suggestion with {fields.units_str} was misleading – fields.* placeholders are not supported in the event template, which is why you don’t see the value there.

In practice this means that if you reference units / units_str in the title/description, Davis will “pin” the problem to that exact value and will open/close a new problem every time the list of units changes. To have one problem per site, keep units only inside DQL (for filtering/logic) and use only {dims:site} (and standard placeholders like {value}) in the event template.

O11y_Noob · ‎18 Nov 2025

the team wants to see the unit names in the problem ticket , how can i include it in the problem ?