alerting with time series
play

Alerting with Time Series Fabian Reinartz, CoreOS github.com/fabxc - PowerPoint PPT Presentation

Oct 14, 2023 •161 likes •714 views

Alerting with Time Series Fabian Reinartz, CoreOS github.com/fabxc @fabxc Time Series Stream of <timestamp, value> pairs associated with an identifier

  1. Alerting with Time Series Fabian Reinartz, CoreOS github.com/fabxc @fabxc

  2. Time Series Stream of <timestamp, value> pairs associated with an identifier http_requests_total{job="nginx",instance="1.2.3.4:80",path="/status",status="200"} 1348 @ 1480502384 1899 @ 1480502389 2023 @ 1480502394 http_requests_total{job="nginx",instance="1.2.3.1:80",path="/settings",status="201"} http_requests_total{job="nginx",instance="1.2.3.5:80",path="/",status="500"} ...

  3. Time Series Stream of <timestamp, value> pairs associated with an identifier sum by(path,status) (rate(http_requests_total{job="nginx"}[5m])) {path="/status",status="200"} 32.13 @ 1480502384 {path="/status",status="500"} 19.133 @ 1480502394 {path="/profile",status="200"} 44.52 @ 1480502389

  4. Service Discovery Targets (Kubernetes, AWS, Consul, custom...) Grafana Prometheus HTTP API UI

  5. A lot of traffic to monitor Monitoring traffic should not be proportional to user traffic

  6. A lot of targets to monitor A single host can run hundreds of machines/procs/containers/...

  7. Targets constantly change Deployments, scaling up, scaling down, rolling-updates

  8. Need a fleet-wide view What’s my 99th percentile request latency across all frontends?

  9. Drill-down for investigation Which pod/node/... has turned unhealthy? How and why?

  10. Monitor all levels, with the same system Query and correlate metrics across the stack

  11. Translate that to Meaningful Alerting

  12. Machine Learning Anomaly Detection Automated Alert Correlation g n l i a e H - f l e S

  13. Anomaly Detection If you are actually monitoring at scale, something will always correlate . Huge efforts to eliminate huge number of false positives. Huge chance to introduce false negatives.

  14. Prometheus Alerts != = current state desired state alerts

  15. Symptom-based pages Urgent issues – Does it hurt your user? dependency system dependency user dependency dependency

  16. Latency Four Golden Signals dependency system dependency user dependency dependency

  17. Traffic Four Golden Signals dependency system dependency user dependency dependency

  18. Errors Four Golden Signals dependency system dependency user dependency dependency

  19. Cause-based warnings Helpful context, non-urgent problems dependency system dependency user dependency dependency

  20. Saturation / Capacity Four Golden Signals dependency system dependency user dependency dependency

  21. Prometheus Alerts ALERT <alert name> IF <PromQL vector expression> FOR <duration> LABELS { ... } ANNOTATIONS { ... } Each result entry is one alert: <elem1> <val1> <elem2> <val2> <elem3> <val3> ...

  22. etcd_has_leader{job="etcd", instance="A"} 0 etcd_has_leader{job="etcd", instance="B"} 0 etcd_has_leader{job="etcd", instance="C"} 1

  23. Prometheus Alerts ALERT EtcdNoLeader IF etcd_has_leader == 0 FOR 1m {job=”etcd”,instance=”A”} 0.0 LABELS { {job=”etcd”,instance=”B”} 0.0 severity=”page” } {job=”etcd”,alertname=”EtcdNoLeader”,severity=”page”,instance=”A”} {job=”etcd”,alertname=”EtcdNoLeader”,severity=”page”,instance=”B”}

  24. requests_total{instance="web-1", path="/index", method="GET"} 8913435 requests_total{instance="web-1", path="/index", method="POST"} 34845 requests_total{instance="web-3", path="/api/profile", method="GET"} 654118 requests_total{instance="web-2", path="/api/profile", method="GET"} 774540 … request_errors_total{instance="web-1", path="/index", method="GET"} 84513 request_errors_total{instance="web-1", path="/index", method="POST"} 434 request_errors_total{instance="web-3", path="/api/profile", method="GET"} 6562 request_errors_total{instance="web-2", path="/api/profile", method="GET"} 3571 …

  25. ALERT HighErrorRate IF sum(rate(request_errors_total[5m])) > 500 {} 534

  26. ALERT HighErrorRate IF sum(rate(request_errors_total[5m])) > 500 {} 534 W R O N G Absolute threshold alerting rule needs constant tuning as traffic changes

  27. ALERT HighErrorRate IF sum(rate(request_errors_total[5m])) > 500 {} 534 traffic changes over days

  28. ALERT HighErrorRate IF sum(rate(request_errors_total[5m])) > 500 {} 534 traffic changes over months

  29. ALERT HighErrorRate IF sum(rate(request_errors_total[5m])) > 500 {} 534 traffic when you release awesome feature X

  30. ALERT HighErrorRate IF sum(rate(request_errors_total[5m])) / sum(rate(requests_total[5m])) > 0.01 {} 1.8354

  31. ALERT HighErrorRate IF sum(rate(request_errors_total[5m])) / sum(rate(requests_total[5m])) > 0.01 {} 1.8354

  32. ALERT HighErrorRate IF sum(rate(request_errors_total[5m])) / sum(rate(requests_total[5m])) > 0.01 {} 1.8354 WRONG No dimensionality in result loss of detail, signal cancelation

  33. ALERT HighErrorRate IF sum(rate(request_errors_total[5m])) / sum(rate(requests_total[5m])) > 0.01 {} 1.8354 high error / low traffic total sum low error / high traffic

  34. ALERT HighErrorRate IF sum by(instance, path) (rate(request_errors_total[5m])) / sum by(instance, path) (rate(requests_total[5m])) > 0.01 {instance=”web-2”, path=”/api/comments”} 0.02435 {instance=”web-1”, path=”/api/comments”} 0.01055 {instance=”web-2”, path=”/api/profile”} 0.34124

  35. ALERT HighErrorRate IF sum by( instance , path) (rate(request_errors_total[5m])) / sum by( instance , path) (rate(requests_total[5m])) > 0.01 {instance=”web-2”, path=”/api/v1/comments”} 0.022435 ... WRONG Wrong dimensions aggregates away dimensions of fault-tolerance

  36. ALERT HighErrorRate IF sum by(instance, path) (rate(request_errors_total[5m])) / sum by(instance, path) (rate(requests_total[5m])) > 0.01 {instance=”web-2”, path=”/api/v1/comments”} 0.02435 ... instance 1 instance 2..1000

  37. ALERT HighErrorRate IF sum without (instance) (rate(request_errors_total[5m])) / sum without (instance) (rate(requests_total[5m])) > 0.01 {method=”GET”, path=”/api/v1/comments”} 0.02435 {method=”POST”, path=”/api/v1/comments”} 0.015 {method=”POST”, path=”/api/v1/profile”} 0.34124

  38. ALERT DiskWillFillIn4Hours IF predict_linear(node_filesystem_free{job='node'}[1h], 4*3600) < 0 FOR 5m ... -1h now +4h 0

  39. ALERT DiskWillFillIn4Hours IF predict_linear(node_filesystem_free{job='node'}[1h], 4*3600) < 0 FOR 5m ANNOTATIONS { summary = “device filling up”, description = “{{$labels.device}} mounted on {{$labels.mountpoint}} on {{$labels.instance}} will fill up within 4 hours.” }

  40. Alertmanager Aggregate, deduplicate, and route alerts

  41. Service Discovery Targets (Kubernetes, AWS, Consul, custom...) Prometheus Alertmanager Email, Slack, PagerDuty, OpsGenie, ...

  42. Alerting Rule Alerting Rule ... Alerting Rule Alerting Rule 04:11 hey, HighLatency, service=”X”, zone=”eu-west”, path=/user/profile, method=GET 04:11 hey, HighLatency, service=”X”, zone=”eu-west”, path=/user/settings, method=GET 04:11 hey, HighLatency, service=”X”, zone=”eu-west”, path=/user/settings, method=GET 04:11 hey, HighErrorRate, service=”X”, zone=”eu-west”, path=/user/settings, method=POST 04:12 hey, HighErrorRate, service=”X”, zone=”eu-west”, path=/user/profile, method=GET 04:13 hey, HighLatency, service=”X”, zone=”eu-west”, path=/index, method=POST 04:13 hey, CacheServerSlow, service=”X”, zone=”eu-west”, path=/user/profile, method=POST . . . 04:15 hey, HighErrorRate, service=”X”, zone=”eu-west”, path=/comments, method=GET 04:15 hey, HighErrorRate, service=”X”, zone=”eu-west”, path=/user/profile, method=POST

  43. Alerting Rule Alerting Rule ... Alerting Rule Alerting Rule Alert Manager You have 15 alerts for Service X Chat in zone eu-west 3x HighLatency PagerDuty 10x HighErrorRate JIRA 2x CacheServerSlow ... Individual alerts: ...

  44. Inhibition {alertname=”DatacenterOnFire”, severity=”page”, zone=”eu-west”} if active, mute everything else in same zone {alertname=”LatencyHigh”, severity=”page”, ..., zone=”eu-west”} ... {alertname=”LatencyHigh”, severity=”page”, ..., zone=”eu-west”} {alertname=”ErrorsHigh”, severity=”page”, ..., zone=”eu-west”} ... {alertname=”ServiceDown”, severity=”page”, ..., zone=”eu-west”}

  45. Anomaly Detection

  46. Practical Example 1 job:requests:rate5m = sum by(job) (rate(requests_total[5m])) job:requests:holt_winters_rate1h = holt_winters( job:requests:rate5m[1h], 0.6, 0.4 )

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Common Alerting Protocol (CAP) Presentation Outline 101.1 Opportunity and Challenge 101.2

Common Alerting Protocol (CAP) Presentation Outline 101.1 Opportunity and Challenge 101.2

Common Alerting Protocol (CAP) Presentation Outline 101.1 Opportunity and Challenge 101.2 Alerting Authorities 101.3 Benefits of CAP 101.4 Features of a CAP Message 101.5 CAP-enabled Alerting Systems 101.6 CAP Alert Hubs-- Free, Fast,

1.3k views • 63 slides
Time Series Analysis and Mining with R Time Series Decomposi- tion Time Series Forecasting

Time Series Analysis and Mining with R Time Series Decomposi- tion Time Series Forecasting

R and Time Series Data Time Series Analysis and Mining with R Time Series Decomposi- tion Time Series Forecasting Yanchang Zhao Time Series Clustering Time Series RDataMining.com Classification http://www.rdatamining.com/ R Functions

1.91k views • 42 slides
W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

T IME S ERIES D ATA P APERS C OVERED Interactive Visualization of Serial Periodic Data John V. Carlis and Joseph A. Konstan Visualizing and Discovering Non-Trivial Patterns in Large Time Series Databases Jessica Lin, Eamonn Keogh,

764 views • 32 slides
Outline Time series and forecasting Time series objects 1 in R Basic time series functionality

Outline Time series and forecasting Time series objects 1 in R Basic time series functionality

Time series and forecasting in R 1 Time series and forecasting in R 2 Outline Time series and forecasting Time series objects 1 in R Basic time series functionality 2 The forecast package 3 Rob J Hyndman Exponential smoothing 4 ARIMA

714 views • 8 slides
Government to Citizen Mass Scale Government to Citizen Mass Scale Authorised Alerting, Alerting,

Government to Citizen Mass Scale Government to Citizen Mass Scale Authorised Alerting, Alerting,

Government to Citizen Mass Scale Government to Citizen Mass Scale Authorised Alerting, Alerting, Authorised by Cell Broadcasting Cell Broadcasting . . by Its about time Its about time . . By By Mark Wood,

656 views • 26 slides
Advanced alerting Break through your data Typical alert log view The art of alerting Challenges

Advanced alerting Break through your data Typical alert log view The art of alerting Challenges

Advanced alerting Break through your data Typical alert log view The art of alerting Challenges of alerting applications Challenges of alerting applications designed for complex designed for complex environments: environments: Not to miss

375 views • 20 slides
Introduction to Time Series Basic Concepts Time series concepts well cover Elements of

Introduction to Time Series Basic Concepts Time series concepts well cover Elements of

3/31/2010 Introduction to Time Series Basic Concepts Time series concepts well cover Elements of exploratory time series analysis Motivation, terminology and example Time series plots and classical decomposition Autocovariances

593 views • 26 slides
Time Series Representations for Better Data Mining What can we do with time series data?

Time Series Representations for Better Data Mining What can we do with time series data?

Time Series Representations for Better Data Mining What can we do with time series data? Clustering Anomaly (outlier) detection Forecasting What are the problems with time series data? Noise Concept-drift (trend-shift

122 views • 11 slides
Introduction to Time Series Heino Bohn Nielsen 1 of 15 Outline (1) What is a time series? (2)

Introduction to Time Series Heino Bohn Nielsen 1 of 15 Outline (1) What is a time series? (2)

Econometrics 2 Fall 2005 Introduction to Time Series Heino Bohn Nielsen 1 of 15 Outline (1) What is a time series? (2) Important characteristics of time series data. (3) Data sampling and stochastic processes. Cross-sectional data vs. time

374 views • 8 slides
Why do you care? Time-series data is all over the place. Time-Series Data Kaitlin Duck

Why do you care? Time-series data is all over the place. Time-Series Data Kaitlin Duck

Why do you care? Time-series data is all over the place. Time-Series Data Kaitlin Duck Sherwood CS 533c What is Time-Series Data? What is Time-Series Data? Lines. Usually periodic Source: van Wijk and van Selow, Cluster and

85 views • 4 slides
What the heck is time-series data (and why do I need a time-series database?) Ajay Kulkarni |

What the heck is time-series data (and why do I need a time-series database?) Ajay Kulkarni |

What the heck is time-series data (and why do I need a time-series database?) Ajay Kulkarni | Co-founder/CEO | ajay@timescale.com Fastest growing database category Source: DB Engines In this talk 1. What is time-series data? (hint: its

540 views • 36 slides
Working w ith more than one time series VISU AL IZIN G TIME SE R IE S DATA IN P YTH ON Thomas

Working w ith more than one time series VISU AL IZIN G TIME SE R IE S DATA IN P YTH ON Thomas

Working w ith more than one time series VISU AL IZIN G TIME SE R IE S DATA IN P YTH ON Thomas Vincent Head of Data Science , Ge y Images Working w ith m u ltiple time series An isolated time series A le w ith m u ltiple time series

505 views • 29 slides
Time Series A time series is a collection of data obtained by observing a response variable at

Time Series A time series is a collection of data obtained by observing a response variable at

ST 430/514 Introduction to Regression Analysis/Statistics for Management and the Social Sciences II Time Series A time series is a collection of data obtained by observing a response variable at various times. Examples The monthly Case-Shiller

351 views • 8 slides
ClickHouse for Time-Series Alexander Zaitsev Agenda What is special about time series What is

ClickHouse for Time-Series Alexander Zaitsev Agenda What is special about time series What is

ClickHouse for Time-Series Alexander Zaitsev Agenda What is special about time series What is ClickHouse How ClickHouse can be used for time series Altinity Background Premier provider of software and services for ClickHouse

897 views • 55 slides
Improved alerting with Prometheus and Alertmanager November 8th, 2019 PromCon Munich Important

Improved alerting with Prometheus and Alertmanager November 8th, 2019 PromCon Munich Important

Julien Pivotto @roidelapluie Improved alerting with Prometheus and Alertmanager November 8th, 2019 PromCon Munich Important notes! This talk contains PromQL. This talk contains YAML. What you will see was built over time.

1.25k views • 74 slides
Lecture 6 Discrete Time Series 9/21/2018 1 Discrete Time Series Stationary Processes A

Lecture 6 Discrete Time Series 9/21/2018 1 Discrete Time Series Stationary Processes A

Lecture 6 Discrete Time Series 9/21/2018 1 Discrete Time Series Stationary Processes A stocastic process (i.e. a time series) is considered to be strictly stationary if the properties of the process are not changed by a shift in origin. In

760 views • 33 slides
Where does CoreOS fit in? Automating Monitoring infrastructure Prometheus + Kubernetes

Where does CoreOS fit in? Automating Monitoring infrastructure Prometheus + Kubernetes

Alertmanager and high availability Frederic Branczyk Software Engineer at CoreOS Prometheus/Alertmanager/Kubernetes @brancz Where does CoreOS fit in? Automating Monitoring infrastructure Prometheus + Kubernetes What will I be talking

488 views • 29 slides
Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018

Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018

Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018 1 / 15 Constrained Pseudorandom Functions [KPTZ13,BW13,BGI14] 1 Ordinary evaluation algorithm Eval ( msk, x ) . 2 / 15 Constrained

916 views • 60 slides
Crypto API for Web Application Client-side Instances (aka web pages) Jeff Hodges

Crypto API for Web Application Client-side Instances (aka web pages) Jeff Hodges

Crypto API for Web Application Client-side Instances (aka web pages) Jeff Hodges channeling Stephen Farrell, Sean Turner, Peter Saint-Andre IETF Security Area and Applications Area Position Paper for W3C Workshop on Identity in the

244 views • 6 slides
Microsoft Teams: Remote Learning for Schools and Teachers Troy Waller, Microsoft Australia

Microsoft Teams: Remote Learning for Schools and Teachers Troy Waller, Microsoft Australia

Microsoft Teams: Remote Learning for Schools and Teachers Troy Waller, Microsoft Australia Education 28 th April, 2020 This webinar is part of DLTVs Online Teaching series in 2020. To receive our newsletter: dltv.vic.edu.au/subscribe To

549 views • 31 slides
IPAWS Alert Origination Service Provider Webinar Series Mark Lucero, Chief Engineer IPAWS

IPAWS Alert Origination Service Provider Webinar Series Mark Lucero, Chief Engineer IPAWS

IPAWS Alert Origination Service Provider Webinar Series Mark Lucero, Chief Engineer IPAWS Division mark.lucero@dhs.gov 202-646-1386 July 24, 2013 Agenda Concept and Purpose Technical Requirements Demonstrated The Scenario Flow and

298 views • 18 slides
Effjcient Monitoring and Root Cause Analysis in Complex Systems Witek Bedyk Agenda

Effjcient Monitoring and Root Cause Analysis in Complex Systems Witek Bedyk Agenda

Effjcient Monitoring and Root Cause Analysis in Complex Systems Witek Bedyk Agenda Benefjts of robust monitoring Measurements vs. Alarms Importance of Alarms Correlation Effective Alerting Self-healing Why is

725 views • 34 slides
Isolario: the real-time Internet routing observatory Alessandro Improta Luca Sani

Isolario: the real-time Internet routing observatory Alessandro Improta Luca Sani

Isolario: the real-time Internet routing observatory Alessandro Improta Luca Sani alessandro.improta@iit.cnr.it luca.sani@iit.cnr.it 1/40 What we aim to do Research field Internet inter-domain measurement and analysis Why? - 1969 -

571 views • 40 slides
Publish/Subscribe Hans-Arno Jacobsen Bell University Laboratory Chair in Software Engineering

Publish/Subscribe Hans-Arno Jacobsen Bell University Laboratory Chair in Software Engineering

MIDDLEWARE SYSTEMS RESEARCH GROUP Publish/Subscribe Hans-Arno Jacobsen Bell University Laboratory Chair in Software Engineering Middleware Systems Research Group University of Toronto 1 Amazon to Chapters to you ... . MIDDLEWARE SYSTEMS

860 views • 46 slides

More recommend