This topic describes how to observe time series data in multiple dimensions and how to label alerts for an intelligent inspection task. The intelligent inspection feature of Log Service supports the automated, intelligent, and adaptive inspection of exceptions in log data.

Prerequisites

  • Time series data of elastic IP addresses (EIPs) is ingested into the source Logstore named eip-log. For more information, see Data collection overview.
  • Indexes are configured for the source Logstore. For more information, see Configure indexes.

Background information

The intelligent inspection feature can be used to observe time series data. You can ingest time series data into Log Service in the Log Service console or by using the Log Service SDK. The time series data must include the following parameters:
  • Time: By default, the time information is carried in the __time__ field. We recommend that you specify the same observation granularity for each metric. For example, you can configure an intelligent inspection task to collect one sample for each metric every minute.
  • Entity: The entity that you observe is identified based on one or more fields.
  • Feature: The metric that you observe. You can specify a value range for the metric. If you want to observe the specified entity in multiple dimensions, you must specify at least two metrics.
Notice: You must create indexes for the preceding time, entity, and feature items.

After you obtain a copy of multidimensional time series data, you can follow the instructions provided in this topic to create an intelligent inspection task.

Example

Company A ingests the time series data of EIPs into Log Service and uses the intelligent inspection feature of Log Service to observe the number of inbound packets per second and the number of outbound packets per second. This requires Company A to set the Entity parameter to eip and specify two metrics, inpps and outpps, in the Feature parameter. If an EIP is abnormal, Log Service displays the trends of the two metrics in different dimensions and sends alerts to the O&M engineers in the specified DingTalk group. This way, the O&M engineers can handle the exceptions at the earliest opportunity.

The following figure shows sample time series data of EIPs.

Figure: Sample time series data of EIPs
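The following check is an added example, not part of the Log Service documentation or SDK. It verifies that a batch of EIP records meets the requirements listed under Background information (a `__time__` value, the `eip` entity field, and both the `inpps` and `outpps` metrics sampled once per minute) before an inspection task is pointed at the data. The function name `check_series`, the integer Unix-second timestamps, and the sample records are assumptions made for illustration.

```python
from collections import defaultdict

ENTITY_FIELD = "eip"                   # entity field from the page's example
FEATURE_FIELDS = ("inpps", "outpps")   # the two metrics from the page's example
GRANULARITY_S = 60                     # one sample per metric every minute


def check_series(records, granularity=GRANULARITY_S):
    """Return a list of (entity, problem) tuples; an empty list means no problem was found."""
    problems = []
    times = defaultdict(list)
    for i, rec in enumerate(records):
        entity = rec.get(ENTITY_FIELD)
        if not entity:
            problems.append((None, f"record {i}: missing entity field '{ENTITY_FIELD}'"))
            continue
        ts = rec.get("__time__")  # assumed to be integer Unix seconds
        if not isinstance(ts, int):
            problems.append((entity, f"record {i}: missing or non-integer __time__"))
            continue
        for feat in FEATURE_FIELDS:
            try:
                float(rec[feat])
            except (KeyError, TypeError, ValueError):
                problems.append((entity, f"record {i}: feature '{feat}' missing or not numeric"))
        times[entity].append(ts)
    # Flag gaps, duplicates, or irregular intervals in each entity's samples.
    for entity, stamps in times.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev != granularity:
                problems.append((entity, f"gap of {cur - prev}s between {prev} and {cur}"))
    return problems


# Constructed sample records (documentation-range IP addresses, made-up values).
SAMPLE = [
    {"__time__": 1700000000, "eip": "203.0.113.10", "inpps": "120", "outpps": "95"},
    {"__time__": 1700000060, "eip": "203.0.113.10", "inpps": "130", "outpps": "90"},
    {"__time__": 1700000180, "eip": "203.0.113.10", "inpps": "125", "outpps": "97"},  # 120 s gap
    {"__time__": 1700000000, "eip": "198.51.100.7", "inpps": "40", "outpps": "n/a"},  # bad metric
    {"__time__": 1700000060, "eip": "198.51.100.7", "inpps": "42", "outpps": "38"},
]

if __name__ == "__main__":
    for entity, problem in check_series(SAMPLE):
        print(entity, "-", problem)
```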

Step 1: Create an intelligent inspection task

  1. Log on to the Log Service console.
  2. In the Projects section, click the name of the project that you want to view.
  3. In the left navigation sidebar, choose Jobs > Intelligent Inspection.
  4. In the Intelligent Inspection pane, click the plus icon.
  5. In the Basic Information step of the Create Intelligent Inspection Task wizard, configure the following parameters and click Next.
    Figure: Basic Information step of the Create Intelligent Inspection Task wizard
  6. In the Algorithm Configurations step of the Create Intelligent Inspection Task wizard, complete the following operations:
    1. In the Data Feature Settings section, set the Data Type parameter to Indexed Data. Then, configure the other parameters.
      Figure: Algorithm Configurations step of the Create Intelligent Inspection Task wizard
    2. In the Algorithm Configurations section, configure the following parameters, select an entity from the Data Sampling drop-down list, and then click Sample Data Preview to check whether the parameter settings are suitable for the source data and whether expected results can be obtained.
      Figure: Algorithm Configurations step of the Create Intelligent Inspection Task wizard
    3. In the Scheduling Settings section, specify the date and time at which you want to start the intelligent inspection task.
      Note: After an intelligent inspection task is created, the task starts at the date and time that you specify.
    4. Click Next.
  7. In the Alert Configuration step of the Create Intelligent Inspection Task wizard, configure the following parameters and click Complete.
    For more information about how to obtain the webhook URL of a DingTalk group, see DingTalk-Custom.
    Figure: Alert Configuration step of the Create Intelligent Inspection Task wizard
    If the result.score of a sample for a metric exceeds 0.75, Log Service considers the metric abnormal and sends an alert to the specified DingTalk group.

Step 2: Label alerts

You can label each alert that you receive in the specified DingTalk group.

  • If the alert is positive, click Confirm.
  • If the alert is false, click False Positive.
The following figure shows a sample alert.

Figure: SLS Anomaly Detection Alert