In short there are two parts to Morgoth.

1. A system that counts the frequency of different kinds of events. This is the lossy counting part.
2. A system that determines if a window of data is the same as an existing event being tracked or something new. This is the fingerprinting part.

Here is a quick read-through for those concepts: http://docs.morgoth.io/docs/detection_framework/

It's a little hard to tell if Morgoth has done anything unexpected without more detail. Can you share some of the data that led to this alert, so I can talk to the specifics of what is going on? Or maybe you could ask a more specific question about which part is confusing?

On Thursday, October 27, 2016 at 6:47:02 AM UTC-6, [email protected] wrote:
>
> Hi All,
>
> I am trying to run morgoth as a child process to kapacitor, but I am failing to understand how morgoth functions. Below is the sample tick script I tried out of the Morgoth docs. This is generating some alerts but I am unable to figure out if they are supposed to get triggered the way they have. Pasting a snippet out of the alert as well.
>
> I basically want to understand the functioning of Morgoth through this example.
>
> Alert
> ===================================================================
>
> {
>   "id":"cpu:cpu=cpu-total,host=ip-10-121-48-24.ec2.internal,",
>   "message":"cpu:cpu=cpu-total,host=ip-10-121-48-24.ec2.internal, is CRITICAL",
>   "details":"",
>   "time":"2016-10-27T11:33:00Z",
>   "duration":21780000000000,
>   "level":"CRITICAL",
>   "data":{
>     "series":[
>       {
>         "name":"cpu",
>         "tags":{
>           "cpu":"cpu-total",
>           "host":"ip-10-121-48-24.ec2.internal"
>         },
>         "columns":[
>           "time",
>           "anomalyScore",
>           "usage_guest",
>           "usage_guest_nice",
>           "usage_idle",
>           "usage_iowait",
>           "usage_irq",
>           "usage_nice",
>           "usage_softirq",
>           "usage_steal",
>           "usage_system",
>           "usage_user"
>         ],
>         "values":[
>           [
>             "2016-10-27T11:33:00Z",
>             0.9897172236503856,
>             0,
>             0,
>             99.49748743708487,
>             0,
>             0,
>             0,
>             0,
>             0,
>             0.5025125628122904,
>             0
>           ]
>
> ===================================================================
> // The measurement to analyze
> var measurement = 'cpu'
>
> // Optional group by dimensions
> var groups = [*]
>
> // Optional where filter
> var whereFilter = lambda: TRUE
>
> // The amount of data to window at once
> var window = 1m
>
> // The field to process
> var field = 'usage_idle'
>
> // The name for the anomaly score field
> var scoreField = 'anomalyScore'
>
> // The minimum support
> var minSupport = 0.05
>
> // The error tolerance
> var errorTolerance = 0.01
>
> // The consensus
> var consensus = 0.5
>
> // Number of sigmas allowed for normal window deviation
> var sigmas = 3.0
>
> stream
>     // Select the data we want
>     |from()
>         .measurement(measurement)
>         .groupBy(groups)
>         .where(whereFilter)
>     // Window the data for a certain amount of time
>     |window()
>         .period(window)
>         .every(window)
>         .align()
>     // Send each window to Morgoth
>     @morgoth()
>         .field(field)
>         .scoreField(scoreField)
>         .minSupport(minSupport)
>         .errorTolerance(errorTolerance)
>         .consensus(consensus)
>         // Configure a single Sigma fingerprinter
>         .sigma(sigmas)
>     // Morgoth returns any anomalous windows
>     |alert()
>         .details('')
>         .crit(lambda: TRUE)
>         .log('/tmp/cpu_alert.log')
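
The two parts named in the reply, as an added Python sketch that is not part of the thread and not Morgoth's own code: a simplified sigma fingerprint (a window matches a tracked kind when its mean lies within `sigmas` standard deviations of that kind's mean) feeding a lossy counter. The class and function names, the constructed `usage_idle` windows, and the rule score = 1 - support are assumptions made for illustration; the defaults are the values from the quoted script.

```python
import math
from statistics import mean, pstdev


class SigmaLossyCounter:
    """Sketch only: sigma fingerprints counted with lossy counting."""

    def __init__(self, min_support=0.05, error_tolerance=0.01, sigmas=3.0):
        self.min_support = min_support
        self.sigmas = sigmas
        self.width = math.ceil(1 / error_tolerance)  # windows per bucket
        self.total = 0
        self.entries = []  # [mean, threshold, count, delta] per tracked kind

    def score(self, window):
        """Return (anomaly_score, is_anomalous) for one window of values."""
        m, threshold = mean(window), self.sigmas * pstdev(window)
        self.total += 1
        bucket = math.ceil(self.total / self.width)
        for e in self.entries:
            if abs(e[0] - m) <= e[1]:  # fingerprinting: same as a tracked kind
                e[2] += 1
                break
        else:  # something new: start tracking it
            e = [m, threshold, 1, bucket - 1]
            self.entries.append(e)
        support = e[2] / self.total  # counting: how common is this kind?
        if self.total % self.width == 0:  # bucket boundary: forget rare kinds
            self.entries = [x for x in self.entries if x[2] + x[3] > bucket]
        return 1 - support, support < self.min_support


def demo():
    """Constructed usage_idle windows: 300 quiet ones, then one busy one."""
    det = SigmaLossyCounter()
    quiet = [det.score([99.3 + 0.1 * (i % 3), 99.5, 99.7]) for i in range(300)]
    busy = det.score([41.0, 38.5, 40.2])
    tracked = len(det.entries)
    for _ in range(99):  # run on to the next bucket boundary (window 400)
        det.score([99.3, 99.5, 99.7])
    return quiet, busy, tracked, len(det.entries)


if __name__ == "__main__":
    quiet, busy, tracked, tracked_after = demo()
    print("first quiet window:", quiet[0], "busy window:", busy)
    print("kinds tracked:", tracked, "after pruning:", tracked_after)
```

Under the same score = 1 - support assumption, the `anomalyScore` of 0.9897172236503856 in the quoted alert equals 1 - 4/389, that is, a kind of window seen 4 times in 389, which is below the `minSupport` of 0.05.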
