Trend-based alerting using the EWMA algorithm

While configuring AppLogs alerts, you have to choose whether the alert should be count-based or trend-based. For trend-based alerts, Site24x7 computes the baseline with the Exponentially Weighted Moving Average (EWMA) algorithm and flags abnormal spikes and changes in the log trend against that baseline.

What is the EWMA algorithm?

An EWMA is a moving average in which each observation's weight decays exponentially with its age: the most recent value counts the most, the one before it less, and so on.

Because each new EWMA is built from the previous EWMA, the result is cumulative: every earlier data point still contributes, but its contribution shrinks by a constant factor each time the EWMA is recalculated. A single spike therefore moves the baseline gradually instead of replacing it.

The moving average EWMA for a given time t is calculated as follows:
EWMA(t) = a * x(t) + (1-a) * EWMA(t-1)

Here,
EWMA(t) = moving average (baseline) at time t.
EWMA(t-1) = moving average of the previous period.
a = smoothing factor, a value between 0 and 1 that sets how quickly older data is discounted.
x(t) = value of the alert query output at time t.

If a = 1, only the most recent value is used and the EWMA is simply x(t).
The closer a is to 0, the more weight is given to older data and the slower the baseline moves.
The closer a is to 1, the more weight is given to newer data and the faster the baseline follows the latest value.

Use case: IIS access logs

Consider Internet Information Services (IIS) access logs and an alert query that counts responses with HTTP status code 500. If a trend-based alert is configured on that query with a check frequency of one hour, the hourly count is observed for the configured number of days and an alert is raised, based on the moving average, when the count rises suddenly.

For example, consider the following exception counts per hour. The first EWMA is seeded with the first observation (27), and each later EWMA is 0.3 times the current value plus 0.7 times the previous EWMA.
a = 0.3 (Site24x7 fixes a at 0.3; this keeps most of the weight on the history, so one spike moves the baseline only gradually)

Time (t)   Value at t   EWMA     Percentage growth
10am       27           27       0
11am       30           27.9     11.11
Noon       40           31.53    43.37
1pm        55           38.57    74.44
2pm        453          162.9    1074.49
3pm        105          145.53   -35.54

If you have configured a trend-based alert on your log search query with a threshold of 100 percent, you receive an alert whenever the current exception count has grown by more than 100 percent compared to the previous EWMA value, that is, the baseline before the current period is folded in:

Percentage growth = (x(t) - EWMA(t-1)) / EWMA(t-1) * 100

Here, at 2pm,
Percentage growth = (453 - 38.57) / 38.57 * 100 = 1074.49 %

In this case, you will receive the alert at 2pm, since the exception count has grown by about 1074 percent compared to the previous EWMA value of 38.57. Note what happens at 3pm: the spike has pulled the baseline up to 162.9, so a count of 105, still roughly four times the pre-spike level, shows negative growth and does not alert. A trend-based alert detects the onset of a spike; it does not keep firing while an elevated level persists, and the baseline needs several check periods to settle back down.
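The following Python script is an added example, not Site24x7's code, that runs the trend check described above over the article's six hourly counts and reproduces the table. It assumes the EWMA is seeded with the first observation, as the table shows, and that a = 0.3 and a 100 percent threshold are used; how a rise from a zero baseline is handled is not stated in the article, so treating it as infinite growth is this example's assumption. The sample counts are constructed.

```python
from dataclasses import dataclass
from math import inf

ALPHA = 0.3  # smoothing factor; the article states Site24x7 fixes it at 0.3


@dataclass
class TrendPoint:
    label: str
    value: float
    ewma: float        # EWMA(t): baseline after folding in this period's value
    growth_pct: float  # growth of value vs. EWMA(t-1), the baseline before this period
    alert: bool


def ewma_trend(samples, alpha=ALPHA, threshold_pct=100.0):
    """Run the EWMA trend check over (label, value) pairs in time order.

    EWMA(t) = alpha * x(t) + (1 - alpha) * EWMA(t-1)
    growth  = (x(t) - EWMA(t-1)) / EWMA(t-1) * 100

    The series is seeded with EWMA = x(first), matching the article's table.
    Assumption (not stated in the article): a rise from a zero baseline is
    reported as infinite growth and therefore alerts.
    """
    if not 0.0 < alpha <= 1.0:
        raise ValueError("alpha must be in (0, 1]")
    points = []
    prev_ewma = None
    for label, value in samples:
        value = float(value)
        if prev_ewma is None:
            ewma, growth = value, 0.0  # first period: no history yet
        else:
            if prev_ewma == 0.0:
                growth = inf if value > 0 else 0.0
            else:
                growth = (value - prev_ewma) / prev_ewma * 100.0
            ewma = alpha * value + (1.0 - alpha) * prev_ewma
        points.append(TrendPoint(label, value, ewma, growth, growth > threshold_pct))
        prev_ewma = ewma
    return points


def alert_labels(samples, alpha=ALPHA, threshold_pct=100.0):
    """Labels of the periods whose growth exceeds the threshold."""
    return [p.label for p in ewma_trend(samples, alpha, threshold_pct) if p.alert]


# Constructed sample: hourly count of HTTP 500 responses in IIS access logs,
# using the same six values as the article's table.
HOURLY_500_COUNTS = [("10am", 27), ("11am", 30), ("Noon", 40),
                     ("1pm", 55), ("2pm", 453), ("3pm", 105)]

if __name__ == "__main__":
    print(f"{'Time':<6}{'Value':>8}{'EWMA':>10}{'Growth %':>12}  Alert")
    for p in ewma_trend(HOURLY_500_COUNTS):
        print(f"{p.label:<6}{p.value:>8.0f}{p.ewma:>10.2f}{p.growth_pct:>12.2f}  {p.alert}")
```

The script keeps full floating-point precision between periods, so the 2pm growth comes out as 1074.46 percent rather than the 1074.49 the table gets from the rounded baseline of 38.57; the alert decision is the same. Lowering threshold_pct to 40 makes Noon and 1pm alert as well, and the 3pm row shows the baseline-inflation effect: its growth is negative although 105 exceeds every pre-spike count.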
