
DQL for Anomaly Detector to compare multiple metrics and trigger alert

p_devulapalli
Leader

I am trying to trigger an alert using an anomaly detector by looking at multiple metrics. As an example, when dt.host.disk.avail is less than 100GB and dt.host.disk.free is less than 10%. Both conditions should match to trigger an alert. I know anomaly detectors only support a single metric, so the idea was to include a condition and set the threshold based on the condition value. Below is an example DQL:

 

timeseries { availableDiskSpace = avg(dt.host.disk.avail),
diskUsed = avg(dt.host.disk.used),
diskFreePercent = avg(dt.host.disk.free)
},
by: { dt.entity.host, dt.entity.disk }, interval: 1m,

filter: { matchesValue(entityAttr(dt.entity.host, "entity.name"), { "HOST16"}) AND matchesValue(entityAttr(dt.entity.disk, "entity.name"), "X:\\") }

| fieldsAdd condition = if(arrayAvg(diskFreePercent) < 10 AND arrayAvg(availableDiskSpace) < 29770882367488, 1, else: 0)
| fieldsRemove availableDiskSpace, diskUsed, diskFreePercent

 

But the output is not really in a timeseries format, so the anomaly detector does not accept it.

I am looking for some ideas on how to best modify the DQL to suit my use case, please.

Phani Devulapalli
2 REPLIES

marco_irmer
Champion

You can use an iterative expression, which uses square bracket notation ('[]'), to form a new timeseries array using conditional logic. The expression will iterate through each datapoint in the 'diskFreePercent' and 'availableDiskSpace' arrays and apply the logic to calculate whether the value of 'condition' should be 0 or 1 at each position. You can then use the 'condition' field in your anomaly detector.

The DQL would look something like this:

timeseries { availableDiskSpace = avg(dt.host.disk.avail),
diskUsed = avg(dt.host.disk.used),
diskFreePercent = avg(dt.host.disk.free)
},
by: { dt.entity.host, dt.entity.disk }, interval: 1m,

filter: { matchesValue(entityAttr(dt.entity.host, "entity.name"), { "HOST16"}) AND matchesValue(entityAttr(dt.entity.disk, "entity.name"), "X:\\") }

| fieldsAdd condition[] = if(diskFreePercent[] < 10 AND availableDiskSpace[] < 29770882367488, 1, else: 0)
| fieldsRemove availableDiskSpace, diskUsed, diskFreePercent

 I hope this helps 🙂

Thank you for the tip @marco_irmer, that helped.

Phani Devulapalli
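The difference between the two queries in this thread, modelled in Python as an added example (not code from either poster or from Dynatrace): averaging each array first yields one 0/1 value, while the per-datapoint form yields one 0/1 per interval that a threshold check can consume. The sample values, the 100 GiB limit, the gap handling and the `violating_windows` helper are assumptions made for illustration.

```python
from statistics import mean

GIB = 1024 ** 3
PCT_LIMIT = 10             # percent free, as in the thread
BYTES_LIMIT = 100 * GIB    # constructed limit for this example

# Constructed 1-minute samples for one host/disk; None marks a gap in the metric.
FREE_PCT = [22.0, 21.5, 9.5, 8.0, None, 7.5, 20.0, 21.0]
AVAIL = [v * GIB for v in (220, 215, 95, 80, 78, 75, 200, 210)]

def scalar_condition(free_pct, avail, pct_limit, bytes_limit):
    """Model of the question's query: average each array, then compare once."""
    f = [v for v in free_pct if v is not None]   # assumption: gaps are skipped
    a = [v for v in avail if v is not None]
    if not f or not a:
        return 0
    return 1 if mean(f) < pct_limit and mean(a) < bytes_limit else 0

def pointwise_condition(free_pct, avail, pct_limit, bytes_limit):
    """Model of condition[] = if(x[] < a AND y[] < b, 1, else: 0)."""
    if len(free_pct) != len(avail):
        raise ValueError("both series must share the same interval grid")
    out = []
    for f, a in zip(free_pct, avail):
        if f is None or a is None:
            out.append(0)   # assumption: a gap in either metric is not a violation
        else:
            out.append(1 if f < pct_limit and a < bytes_limit else 0)
    return out

def violating_windows(series, window, required):
    """Hypothetical static-threshold check: at least `required` of the
    last `window` samples equal 1. A simplified stand-in, not the product's logic."""
    return [sum(series[max(0, i - window + 1):i + 1]) >= required
            for i in range(len(series))]

if __name__ == "__main__":
    flags = pointwise_condition(FREE_PCT, AVAIL, PCT_LIMIT, BYTES_LIMIT)
    print("scalar   :", scalar_condition(FREE_PCT, AVAIL, PCT_LIMIT, BYTES_LIMIT))
    print("pointwise:", flags)
    print("alerting :", violating_windows(flags, window=3, required=2))
```

On this sample the averaged form reports 0 even though three intervals satisfy both conditions, which is the information the per-datapoint series preserves.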
