This reference section discusses the details for the Squirro Trend Detection functionality.

For an easy introduction, see the Trend Detection Tutorial instead.

User Interface

Trend Detection is exposed in the user interface in two areas: creating a trend detection alert and visualizing trends through the Trend Detection widget.

The user interface does not allow managing or deleting the trend detection entities yet.

For more information on the Trend Detection dashboard widget consult the widgets reference documentation.

API

Trend Detection is fully accessible through the API. The full reference documentation can be found in Trend Detections.

The Python SDK also contains methods for every Trend Detection API endpoint. See SquirroClient Entities for details.

Configuration

A number of configuration options can be provided when creating a trend detection entity. The more complex of those options are explained here.

Aggregation Field

This optional configuration allows analysis on any numerical facet in a project. For an example of how to use this, follow scenario 2 of the tutorial.

Aggregation Interval

This determines the time buckets into which the data is fitted. An anomaly is detected as soon as a time bucket's value is bigger than the predicted trend for this bucket. The bigger the time bucket, the less impact one individual data point has.

Take as an example the analysis of the number of incidents in the system and alerting on that. If the interval is set to daily, a small spike at 9am followed by fewer incidents than usual around noon would not trigger an anomaly, because the data evens out over the whole day. But using an hour or minute interval would probably pick up that spike and alert on it.

As a result, the interval to use in a project depends largely on how quickly you need to find anomalies and how much potential noise you are willing to accept.
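The incident scenario above, worked through as an added example (not Squirro code and not using the Squirro API). The sample timestamps are constructed, counting is assumed as the aggregation method, and a flat baseline stands in for the predicted trend, which this page does not specify.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, not taken from a real project.
DAY = datetime(2024, 1, 1)
USUAL_PER_HOUR = 4  # assumed normal load: 4 incidents every hour


def sample_incidents():
    """Incident timestamps for one day: a spike at 09:00, a lull around noon.

    The day total stays at the usual 96 (24 * 4) because the 8 extra
    incidents at 09:00 are offset by 8 missing ones at 11:00 and 12:00.
    """
    per_hour = {hour: USUAL_PER_HOUR for hour in range(24)}
    per_hour[9] = 12
    per_hour[11] = per_hour[12] = 0
    return [DAY + timedelta(hours=hour, minutes=minute)
            for hour, count in per_hour.items() for minute in range(count)]


def bucket_counts(timestamps, interval):
    """Fit timestamps into buckets of width `interval`, counting per bucket."""
    counts = Counter()
    for ts in timestamps:
        index = (ts - DAY) // interval  # which bucket this point falls into
        counts[DAY + index * interval] += 1
    return counts


def anomalies(timestamps, interval):
    """Start times of buckets whose value is bigger than the predicted value.

    Assumption: the prediction is a flat baseline of USUAL_PER_HOUR scaled
    to the bucket width. It stands in for the real trend model.
    """
    predicted = USUAL_PER_HOUR * (interval / timedelta(hours=1))
    counts = bucket_counts(timestamps, interval)
    return sorted(start for start, value in counts.items() if value > predicted)


if __name__ == "__main__":
    incidents = sample_incidents()
    print("daily :", anomalies(incidents, timedelta(days=1)))
    print("hourly:", anomalies(incidents, timedelta(hours=1)))
```

With the daily interval the spike is absorbed and nothing is flagged; with the hourly interval only the 09:00 bucket is flagged.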

In the API, the format of the interval is "<number><unit>" - for example "1d" for a daily interval. The number can be omitted, so "day" is the same as specifying "1day".

The following units are allowed:

...

Aggregation Method

The aggregation method is used together with the aggregation interval. When more than one data point falls within a time bucket, those points are summarized using the aggregation method.

Valid aggregation methods are:

...

This page can now be found at Trend Detection on the Squirro Docs site.