Learning status flag
[
  {
    "severity": "severe",
    "severity_num": 3,
    "nodes_affected": 3,
    "metrics_affected": 29,
    "event_type": "updated",
    "id": "67766ea89a79cb09b34db8c9",
    "event_occured": "2025-01-02T10:54:00Z",
    "alert_status": 0.1724137931034483,

Above is an example of a top section of an anomaly alert. Below, the “alert_status” is explained.
The more data Eyer observes, the more trustworthy the alerts become. For this reason we decided to introduce a multilevel flag that indicates how confident one can be in an alert. The flag is calculated individually for every single time series/metric, and it is propagated to the level of the alert as the mean of the flags of all the metrics involved in the alert. The same flag is also returned by the node API, both at the level of each metric and aggregated by node.
Learning status on single metric:
0 - LEARNED: Eyer has seen a very good amount of data and the alerts can be trusted.
1 - CONSOLIDATING: Eyer has seen enough data to start forming reliable alerts, but there is still room for improvement.
2 - UNDER LEARNING: Eyer has seen enough data to start forming the baselines, but the alerts might still be affected by noise; false alerts and missed alerts are frequent. Eyer keeps learning to improve the anomaly detection.
3 - NOT ELIGIBLE: Eyer has seen no data or too little data to form a baseline. Anomaly detection is disabled. These metrics are not included in alerts, but a list of them can be retrieved via Eyer’s node API.
What does “enough data” mean? How much data is enough varies from metric to metric, depending on the specific behaviour of the metric. It is determined with respect to the frequency at which data are delivered and how often the value of the metric changes. Metrics that deliver data often (as often as one or more data points every five minutes) and at a constant frequency will progress to a good learning status the fastest. Metrics whose delivery frequency changes often will take more time to be learned. Metrics that have a constant value, or whose value seldom changes, can be learned faster than metrics whose value changes often. For this reason, two metrics that deliver data at exactly the same frequency can have different learning statuses if one has an almost constant behaviour and the other has many variations in value: the almost constant one progresses faster to a good learning status.
For the first few weeks, all the metrics and the alerts will have flag 2 or 3; after that, most of the metrics should progress to 1 and 0. To filter out noisy alerts, we recommend focusing on alerts with learning status flag <= 1.
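
The following is an added example, not Eyer's own code: it computes the alert-level flag as the mean of per-metric flags and applies the recommended "<= 1" filter to a list of alerts. The function names, the bucket names, the "constructed-..." alerts and the choice to set aside alerts with a missing or out-of-range alert_status are assumptions made for this illustration; only the field names and the first alert's values come from this page.

```python
import json

# Constructed sample alerts using only fields shown on this page.
# The first entry copies the page's values; the other ids are placeholders.
SAMPLE_ALERTS = json.loads("""
[
  {"id": "67766ea89a79cb09b34db8c9", "severity": "severe",
   "metrics_affected": 29, "alert_status": 0.1724137931034483},
  {"id": "constructed-0002", "severity": "severe",
   "metrics_affected": 4, "alert_status": 1.75},
  {"id": "constructed-0003", "severity": "severe",
   "metrics_affected": 2, "alert_status": 1.0},
  {"id": "constructed-0004", "severity": "severe", "metrics_affected": 3}
]
""")

def alert_status(metric_flags):
    """Alert-level flag: the mean of the per-metric flags (0..3) in the alert."""
    flags = list(metric_flags)
    if not flags or any(f not in (0, 1, 2, 3) for f in flags):
        raise ValueError("flags must be a non-empty sequence of 0, 1, 2 or 3")
    return sum(flags) / len(flags)

def triage(alerts, max_status=1.0):
    """Bucket alert ids by the recommended filter (alert_status <= 1).

    Alerts whose alert_status is missing, non-numeric or outside 0..3 go to
    'invalid' so they get reviewed instead of being silently kept or dropped.
    """
    buckets = {"keep": [], "noisy": [], "invalid": []}
    for alert in alerts:
        status = alert.get("alert_status")
        numeric = isinstance(status, (int, float)) and not isinstance(status, bool)
        if not numeric or not 0 <= status <= 3:
            buckets["invalid"].append(alert.get("id"))
        elif status <= max_status:
            buckets["keep"].append(alert.get("id"))
        else:
            buckets["noisy"].append(alert.get("id"))
    return buckets

if __name__ == "__main__":
    # One constructed flag distribution that reproduces the page's value (5/29).
    print(alert_status([1] * 5 + [0] * 24))
    # A mean can hide a weak metric: 28 LEARNED + 1 UNDER LEARNING stays below 1.
    print(alert_status([0] * 28 + [2]))
    print(triage(SAMPLE_ALERTS))
```

Because the alert-level flag is a mean, an alert can pass the "<= 1" filter while still containing an individual metric with flag 2; the per-metric flags from the node API show which ones.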