Skip to content

Glossary

Rule Statistic

Depending on the data rate of the input signals to a rule and the size of the evaluation window, a rule may be assessed with raw signal values or aggregations of signal values. The rule statistic determines which aggregation of data will be used, when necessary.

Rule statistic options:
  • Mean: Assesses the rule using the average value of a signal for a given period of time.
  • Min: Assesses the rule using the minimum value of a signal for a given period of time.
  • Max: Assesses the rule using the maximum value of a signal for a given period of time.

Rule Condition

The mathematical expression which determines what kinds of signal behaviors will result in a True assessment of a rule.

Rule condition options:
  • Greater than > : Causes a rule assessment to be True when the signal value is greater than the rule value.
  • Greater than or equal to >= : Causes a rule assessment to be True when the signal value is greater than or equal to the rule value.
  • Less than \< : Causes a rule assessment to be True when the signal value is less than the rule value.
  • Less than or equal to \<= : Causes a rule assessment to be True when the signal value is less than or equal to than the rule value.
  • Equals = : Causes a rule assessment to be True when the signal value exactly equals the rule value.
  • Does not equal != : Causes a rule assessment to be True when the signal value is any value except the rule value.

Rule Value

The numeric value or categorical label which will be used, along with the rule condition, to assess the rule threshold.

Evaluation Window

The window of time for which the rule threshold will be assessed. The evaluation window is a sliding window, which means that as rules are periodically assessed, the evaluation windows will overlap.

As you configure a rule, the evaluation window will help you tune how long a behavior should continue before it is noteworthy. Some behaviors may happen quickly, implying a shorter evaluation window, whereas other behaviors may only be noteworthy if they continue for some time, implying a longer evaluation window.

Density

The percentage of the evaluation window for which the signal value must meet the rule threshold to generate a True assessment. The period of time which meets the rule threshold does not need to be continuous.

Examples:
  • If the evaluation window is 10 minutes, and the density setting is 20%, then a rule will generate a True assessment if 2 minutes across the 10 minute evaluation window meet the rule threshold.
  • If the evaluation window is 10 minutes, and the density setting is 100%, then a rule will generate a True assessment if the rule threshold is met for the entire 10 minute evaluation window.

Coverage

The coverage setting only applies to rules with more than 1 input signal. When a rule has more than 1 input signal, the coverage setting determines the number of input signals which must meet the rule threshold in a specific evaluation window to generate a True assessment.

All input signals to a rule share evaluation windows, but each signal is evaluated separately. This means that signals do not need to meet the rule threshold simultaneously to generate a True assessment, only that signals meet the threshold in the same evaluation window.

Examples:
  • If a rule has 10 input signals, and the coverage setting is 50%, then an evaluation window in which any 5 of the signals individually meet the rule threshold will generate a True assessment.
  • If a rule has 10 input signals, and the coverage setting is 100%, then only an evaluation window in which all 10 signals individually meet the rule threshold will generate a True assessment.

Alert

Alerts are a tool to manage the rate of rule assessment outputs. When signal behavior generates True rule assessments, the initial True assessment is important, but subsequent true assessments may not provide additional useful information as an issue is being investigated and triaged. Additionally, a rule may be used to create a record of signal behavior which is useful over time, but does not require immediate attention. For example, a rule may be used to count how many times a process is initiated each day, which is useful to track productivity, but does not require immediate attention.

There are 4 alerting options.
  • Never: this rule will never create an alert.
  • Once per day, at most: If it has been at least 24 hours since the most recent alert, the next time the rule assessment is True, an alert will be created.
  • Once per hour, at most: If it has been at least one hour since the most recent alert, the next time the rule assessment is True, an alert will be created.
  • Every time: An alert will be created every time the rule assessment is True.
Additional details on the once per day and once per hour options.
  • Alerts are generated when a rule assessment changes from False to True for the first time after the specified time has passed since the most recent previous alert.
  • For example, if the alert settings is "once per hour, at most," True rule assessments at 8:00 AM, 8:30 AM, and 9:05 AM will generate 2 alerts, one at 8:00 AM and one at 9:05 AM. No alert would be generated associated with the True assessment at 8:30 AM.
  • If a rule is continuously generating True assessments, only the first True assessment will produce an Alert, even if the True assessment period lasts longer than the Alert setting.
  • For example, if the Alert setting is "Once per hour, at most," and the rule generates True assessments for 2 hours continuously, only one alert will be generated, at the time of the first True rule assessment