
Simple Log Service: intelligent anomaly analysis

Last Updated: Jun 02, 2026

Intelligent Anomaly Analysis is a highly available and scalable SLS application that provides intelligent health check, text analytics, and root cause analysis.

Important

Starting July 15, 2025 (UTC+8), the intelligent anomaly analysis feature will no longer be available to new users. Existing users can continue to use it.

  1. Scope of impact

    The following core features will be unpublished: intelligent health check, text analytics, and time series forecasting.

  2. Feature migration solutions

    The machine learning syntax, scheduled query and analysis (scheduled SQL), and dashboard features of SLS can fully replace the unpublished features.

Service architecture

Intelligent Anomaly Analysis applies machine learning to metrics, logs, and service relationships in O&M scenarios. It generates anomalous events and correlates time series data with events through service topologies, reducing O&M complexity and improving service quality.


Key components:

Benefits

  • Detects anomalies across numerous entity metrics with minimal configuration—no specific alert rules required.

  • Analyzes unstructured text logs to automatically discover abnormal patterns.

  • Supports annotation of algorithm results to improve model accuracy over time.

  • 99.9% alerting availability, built on SLS high availability and data reliability.

  • Deep integration with the SLS alerting feature for a seamless experience.

Scenarios

Recommended scenarios:

  • You need to observe many objects across multiple dimensions.

  • Metric curves lack clear threshold rules.

  • Managing many monitoring rules manually is impractical.

  • You need to mine text logs for patterns while processing unstructured log data.

  • Your trace scenario has a defined service topology.

  • You have a custom service topology.

Terms

Basic Concepts

Description

Time series

Metric values recorded at equal intervals with UNIX timestamps. Required as input for health check algorithms.

Entity

An observed object in an intelligent health check task.

For example, an entity for a service on a machine is described as "192.0.2.0": machine IP address, "80": service port number. You can uniquely identify the entity using the machine IP address and service port number.

Golden metric

A metric that accurately describes the quality of a service or the stability of an observed entity. Examples:

  • To describe the request quality of a domain name, the corresponding golden metrics are the average response latency per minute, the number of requests per minute, the number of failed requests per minute, and the amount of write traffic per minute.

  • To describe the status of a machine, the corresponding golden metrics are the CPU utilization in user mode per minute, the CPU utilization in kernel mode per minute, the size of resident memory per minute, the number of disk I/Os per minute, and the average system load per minute.

  • To describe the status of an OSS bucket, the corresponding golden metrics are the number of write operations in the bucket per minute, the number of read operations in the bucket per minute, and the amount of write traffic in the bucket per minute.

Anomaly type

Seven built-in anomaly types help you filter for points of interest. See Intelligent health check anomaly types and Text analytics anomaly types.

Normalization method

Converts dimensional expressions into dimensionless scalars to improve anomaly detection effectiveness.

Filtering method

Removes signals of specific frequency bands to suppress interference. Produces smoother curves for more effective anomaly detection.

Annotate

Label health check results as feedback to the anomaly analysis system.

False positive

When the model reports an anomaly that you believe is incorrect, label it as a false positive. The system uses this feedback for model retraining.

False negative

When the model misses an anomaly, manually label any data point to report the missed detection.

Pattern extraction

Extracts patterns from text to describe a class of similar text.

Clustering

Groups similar objects into clusters. Objects within a cluster are similar to each other and dissimilar from objects in other clusters.

Unsupervised

Pattern recognition using unlabeled training samples.

Supervised

Infers a function or model from labeled training data.

Log constant

Logs are often generated by logging or print statements in a program. For example, the log "connect mysql server, latency 212ms" might be generated by the log output statement logging.info("connect mysql server, latency %dms"). The part that is included every time the log output statement is executed is called a log constant, such as "connect mysql server, latency ms".

Log variable

Logs are often generated by logging or print statements in a program. For example, the log "connect mysql server, latency 212ms" might be generated by the log output statement logging.info("connect mysql server, latency %dms"). The part that changes every time the log output statement is executed is called a log variable, such as the number 212 in this example.

Log template

Text that consists of the constant part of a log and wildcard characters for the variable part is called a log template.

For example, the template for the log "connect mysql server, latency 212ms" is "connect mysql server, latency *ms". The asterisk (*) wildcard character replaces the numeric variable 212.

You can select a wildcard character based on the variable type. For example, you can use NUM to represent a numeric variable. The log template is then "connect mysql server, latency NUMms".

Log class

Each log class includes a log template that represents the class. If the log content matches the log template, the log is considered to belong to that log class.
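The log constant, log variable, log template and log class definitions above, worked through as an added Python example (not SLS code and not its pattern extraction algorithm). It assumes numeric variables only; the function names are hypothetical and the sample logs are constructed.

```python
import re

# Added illustration; function names are hypothetical and the sample logs are constructed.
# Assumption: variables are numeric only, and constants never contain "NUM" or "*".
_NUMBER = r"\d+(?:\.\d+)?"
SAMPLE_LOGS = [
    "connect mysql server, latency 212ms",
    "connect mysql server, latency 35ms",
    "connect redis server, latency 3ms",
    "user login failed, attempts 3",
]

def to_template(log, typed=True):
    """Replace each numeric log variable with NUM (typed) or * (generic)."""
    return re.sub(_NUMBER, "NUM" if typed else "*", log)

def template_regex(template):
    """Compile a template: constants match literally, wildcards capture variables."""
    pieces = []
    for part in re.split(r"(NUM|\*)", template):
        if part == "NUM":
            pieces.append("(" + _NUMBER + ")")
        elif part == "*":
            pieces.append("(.+?)")
        else:
            pieces.append(re.escape(part))
    return re.compile("".join(pieces))

def variables(template, log):
    """Return the log variables if the log belongs to the template's class, else None."""
    m = template_regex(template).fullmatch(log)
    return list(m.groups()) if m else None

def classify(logs):
    """Group logs into log classes, keyed by the template that represents each class."""
    classes = {}
    for log in logs:
        for template in classes:
            if variables(template, log) is not None:
                classes[template].append(log)
                break
        else:
            classes[to_template(log)] = [log]
    return classes

if __name__ == "__main__":
    for template, members in classify(SAMPLE_LOGS).items():
        print(f"{len(members)}  {template}")
```

A log that matches no existing template starts a new log class, which is the event worth reviewing when mining logs for abnormal patterns.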

Limits

| Job type | Limitations | Description |
| --- | --- | --- |
| Intelligent health check | Scale of check entities | A single task supports a maximum of 10,000 check entities. To increase this limit, submit a ticket to make a request. |
| Intelligent health check | Granularity of check time series | The curve of a single entity must be equally spaced and continuous. In SQL scenarios, the minimum supported granularity is minute. For finer granularity, submit a ticket to make a request. |
| Intelligent health check | Notification of anomaly results | Currently, only the DingTalk Robot notification channel supports feedback labeling for anomaly results. For other notification channels, submit a ticket to make a request. |
| Text analytics | Scale of text fields | Maximum five text fields per task. |
| Text analytics | Scale of general field templates | Maximum six general templates per task. |

Billing

The intelligent health check application is in public preview and free of charge.