This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
DQL
Questions about Dynatrace Query Language
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Dynatrace Community
- Ask
- DQL
- Dynatrace alert created by Davis Anomaly Detection is not triggering with the given DQL
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Pin this Topic for Current User
- Printer Friendly Page
Dynatrace alert created by Davis Anomaly Detection is not triggering with the given DQL
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10 Jun 2026
04:25 PM
- last edited on
12 Jun 2026
11:55 AM
by
MaciejNeumann
PROBLEM STATEMENT:-
I m using the below query for creating an alert using davis anomaly detetcor, my alert configs are:-
threshold: 2
sliding window - 5
violating samples - 1
dealerting samples - 3
So this is showing correct data in notebook but davis alert not triggering,
can someone HELPPPPPPPPPPPPPPPPP?
DQL:-
timeseries cpu = avg(process.cpu.time),
by: { `host.name`, `process.executable.name` },
filter: startsWith(`host.name`, "t")
and in(`process.executable.name`,
{"process_1", "process_2", "process_3", "process_4", "process_5"})
| fieldsAdd avg_cpu = arrayAvg(cpu)
| fieldsAdd proc_status = if(isNotNull(avg_cpu) and avg_cpu > 0, "UP", else: "DOWN")
| summarize {
process_1_status = takeAny(if(`process.executable.name` == "process_1", proc_status)),
process_2_status = takeAny(if(`process.executable.name` == "process_2", proc_status)),
process_3_status = takeAny(if(`process.executable.name` == "process_3", proc_status)),
process_4_status = takeAny(if(`process.executable.name` == "process_4", proc_status)),
process_5_status = takeAny(if(`process.executable.name` == "process_5", proc_status))
}, by: { `host.name` }
| fieldsAdd
process_1_status = coalesce(process_1_status, "DOWN"),
process_2_status = coalesce(process_2_status, "DOWN"),
process_3_status = coalesce(process_3_status, "DOWN"),
process_4_status = coalesce(process_4_status, "DOWN"),
process_5_status = coalesce(process_5_status, "DOWN")
| fieldsAdd process_status = concat(
"process_1 (description 1): ", process_1_status,
" | process_2 (description 2): ", process_2_status,
" | process_3 (description 3): ", process_3_status,
" | process_4 (description 4): ", process_4_status,
" | process_5 (description 5): ", process_5_status
)
| fieldsAdd terminal_availability = if(
process_1_status == "DOWN"
or process_2_status == "DOWN"
or process_3_status == "DOWN"
or process_4_status == "DOWN"
or process_5_status == "DOWN",
0,
else: 1
)
| fieldsAdd terminal_status = if(terminal_availability == 0, "TERMINAL_DOWN", else: "TERMINAL_UP")
| fieldsAdd hostName = `host.name`, timestamp = now()
| makeTimeseries terminal_availability = avg(terminal_availability),
by: { hostName, process_status, terminal_status },
time: timestamp,
interval: 1m
Labels:
- Labels:
-
anomaly detection
-
dql
3 REPLIES 3
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10 Jun 2026 11:09 PM
Hi @ravi_singh
The issue is a mismatch between your output values and threshold configuration.
The Root Cause
Your final makeTimeseries produces terminal_availability = avg(terminal_availability) which can only ever output 0 or 1:
terminal_availability = if(
process_1_status == "DOWN"
or process_2_status == "DOWN"
...
0,
else: 1
)
But your threshold is set to 2.
Since your metric never reaches 2 (max is 1), the threshold is never breached — so alert never fires.
Set your threshold to 1 with the condition "below" (alert when terminal_availability < 1). When any process goes DOWN, the value drops to 0, crosses below your threshold, and alert fires.
Thanks,
Sujit
Dynatrace Professional Certified
Reply
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11 Jun 2026 01:16 PM
Hi sujeet , actually i have put the threhold for testing pupose as all processes were up
so termina_avaiability = 1 < 2 (threshold), so it can trigger the alert, forgot to mention this earlier, thanks for your response.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12 Jun 2026 01:10 AM
Hi @ravi_singh
Thanks for clarifying — that makes sense. If you're using a "below" condition with threshold 2, then the value of 1 should indeed breach it.
In that case, the issue could be your time: timestamp field in the final makeTimeseries:
| fieldsAdd hostName = `host.name`, timestamp = now()
Using timestamp = now() forces all data into a single timestamp rather than producing a continuous time-series
Try this: Remove the timestamp = now() and also drop process_status and terminal_status from the by: clause — those string fields create unnecessary dimension explosion.
| makeTimeseries terminal_availability = avg(terminal_availability),
by: { hostName },
interval: 1m
Let me know if it works or seeing any issue.
Thanks,
Sujit
Dynatrace Professional Certified
Featured Posts
