Investigating Anomalies

The usual sequence in investigating an anomaly is as follows:

  1. You probably received an alert notification. You either click Investigate in the notification or you choose the Triage from the alert console. Working with Triage is described here.
  2. If you chose to do a 'deep investigation' of the alert, it will open the investigation page.
  3. The Anomap and chart for the specific anomaly opens together with other metrics that are in the same anomalies group.
  4. Zoom in on the anomaly spike and the surrounding periods to see if any metrics might indicate the beginning of the problem. You can sort by Start time, Significance or Delta to view the group by the metrics that became anomalous first.
    Note: To Zoom in place the cursor to one side of an anomaly spike and while holding the left mouse button down, drag the cursor to the other side of the spike
  5. In the expression box, create an investigative expression using the same method as for building the metric. See Metric Expressions.
  6. Using a combination of the filters and property/value expressions, eliminate suspected metrics until the root cause is discovered.
  7. Go to the Anoboard and set the time filter to the time around the start time of the alert, and see if there are other anomalies groups that help isolate the cause of the anomaly in the alert you received.

TO INVESTIGATE AN ANOMALY DIRECTLY FROM THE ANOBOARD PAGE

  1. Select an Anomalies dashboard.
  2. Click Investigate in the Anomalies chart that you want to investigate. A new tabbed page is created display the selected Anomaly, or group of Anomalies and their corresponding Anomaps.
    Note:
    anomaly_type_icon_Investigate.ico Denotes a Transient anomaly type
    pattern_change_icon.ico Denotes a Pattern Change anomaly type
    Investigating_Anomaly_icon01.png

    When investigating an issue, you can open multiple anomalies and easily switch between them by clicking the tabs.

  3. To change the properties displayed on the Anomap, hover over the property, a Hide property from Anomap button is display. Click it. The property is hidden from all the Anomaps. The next most relevant property is displayed.
    Note To display the default  Anomap, click RESET ANOMAP.  
  4. In the chart, trace the anomaly with the cursor. The date and time of the anomaly, the severity color code, and the severity rating appear at every point along the anomaly chart spike.
  5. To copy the metric name to the clipboard, hover over the heading with the metric description, a Copy key is display. Click Copy, a message is displayed Copied to Clipboard.
  6. To re-sort the anomaly charts, open the Sort drop-down menu.  Anomaly charts can be sorted by Start dateSignificance or Delta.
  7. Continue investigating metrics until you can determine a root cause, or search other anomalies groups to detect a root cause.