Trace Processors

George Alpizar
George Alpizar
  • Updated

Overview

This processor is useful to track events that have a unique ID, as well as clear start and end logs. 

  • IDs are typically dynamic fields, such as transaction IDs, trace ID, etc.

Each event's duration is tracked, and the average time (minimum and maximum) are emitted as metrics. 

Anomalies are detected based on the average event duration, based on the history of average durations.


Review Sample Configuration

Review the following sample configuration: 

traces:
  - name: render-trace
    start_pattern: "rendering job: (?P<ID>[0-9a-fA-F]{8}) started"
    finish_pattern: "rendering job: (?P<ID>[0-9a-fA-F]{8}) finished"
    trigger_thresholds:
      max_duration: 50000 # 50 seconds

Review Parameters

Review the following parameters that you can configure in the Edge Delta App.


name

Required

Enter a descriptive label for this processor. 

When you create a workflow, you will use this label to enter your processor into the workflow.

Review the following example:

name: login-trace

start_pattern

Required

Enter a regular expression to match patterns in a string for a successful event.

Review the following example: 

start_pattern: "user (?P<ID>[0-9a-fA-F]{8}) logged in"

finish_pattern

Required

Enter a regular expression to match patterns in a string for a failed event.

Review the following example: 

finish_pattern: "user (?P<ID>[0-9a-fA-F]{8}) logged out"

interval

Optional

This parameter is a golang duration string that represents the reporting (or rollup) interval for the generated statistics.

The default value is 1m.

Review the following example: 

interval: 2m

retention

Optional

This parameter is a golang duration string that represents how far back the agent should look when generating anomaly scores.

The default value is 3h.

Review the following example: 

retention: 4h

trigger_thresholds

Optional

This parameter defines threshold limits, based on calculated metrics.

When a threshold is reached, the agent notifies the corresponding trigger destinations in the same workflow.

You can configure the following trigger threshold types:

  • max_duration
  • anomaly_probability_percentage
  • upper_limit_per_interval
  • lower_limit_per_interval
  • consecutive

Review the following example: 

trigger_thresholds: 
anomaly_probability_percentage: 90
upper_limit_per_interval: 250
consecutive: 5

max_duration (trigger_thresholds)

Optional

Enter the maximum amount of time that an event is allowed to complete. 

If an event does not complete within this duration, then a trigger is generated.

Review the following example: 

trigger_thresholds:
  max_duration: 50000 

anomaly_probability_percentage (trigger_thresholds)

Optional

This parameter sets the confidence level / probability of an anomaly that needs to be reached to trigger an alert. 

For example, if you enter 90, then an alert will trigger when there is a 90% probability that the detected pattern is an anomaly. 

Enter a number between 0 and 100.

There is no default value. 

Review the following example: 

trigger_thresholds: 
anomaly_probability_percentage: 90

upper_limit_per_interval (trigger_thresholds)

Optional

This parameter sets a static threshold to trigger an alert.  

If the number of events that match the given pattern for the most recent reporting interval is greater than the limit, then an alert will be triggered.

There is no default value. 

Review the following example:  

trigger_thresholds: 
upper_limit_per_interval: 250

lower_limit_per_interval (trigger_thresholds)

Optional 

This parameter sets a static threshold to trigger an alert.

If the number of events that match the given pattern for the most recent reporting interval is less than the limit, then an alert will trigger.

There is no default value. 

Review the following example: 

trigger_thresholds: 
lower_limit_per_interval: 10

consecutive (trigger_thresholds)

Optional

This parameter sets how many consecutive times a threshold must be exceeded to trigger an alert.  

The default value is 0, which means that any condition that is met will trigger an alert. 

Review the following example:

trigger_thresholds: 
consecutive: 5

filters

Optional

Enter an existing filter to add to this processor. 

To learn how to create a filter, see Filters.

Review the following example: 

filters:
- extract_severity

 


 

Share this document