skyline.analyzer package¶
Submodules¶
skyline.analyzer.agent module¶
skyline.analyzer.alerters module¶
-
skyline_version
= 'Skyline (master v1.3.1 stable)'¶ Create any alerter you want here. The function will be invoked from trigger_alert.
Three arguments will be passed, two of them tuples: alert and metric, and context
alert: the tuple specified in your settings:
alert[0]: The matched substring of the anomalous metric
alert[1]: the name of the strategy being used to alert
alert[2]: The timeout of the alert that was triggered
metric: information about the anomaly itself
metric[0]: the anomalous value
metric[1]: The full name of the anomalous metric
metric[2]: anomaly timestamp
context: app name
-
get_graphite_render_uri
()[source]¶ Returns graphite render uri based on configuration in settings.py
-
alert_smtp
(alert, metric, context)[source]¶ Called by
trigger_alert()
and sends an alert via smtp to the recipients that are configured for the metric.
-
alert_pagerduty
(alert, metric, context)[source]¶ Called by
trigger_alert()
and sends an alert via PagerDuty
-
alert_hipchat
(alert, metric, context)[source]¶ Called by
trigger_alert()
and sends an alert the hipchat room that is configured in settings.py.
-
alert_syslog
(alert, metric, context)[source]¶ Called by
trigger_alert()
and log anomalies to syslog.
-
alert_stale_digest
(alert, metric, context)[source]¶ Called by
trigger_alert()
and sends a digest alert via smtp of the stale metrics to the default recipient
-
trigger_alert
(alert, metric, context)[source]¶ Called by
skyline.analyzer.Analyzer.spawn_alerter_process
to trigger an alert.Analyzer passes three arguments, two of them tuples. The alerting strategy is determined and the approriate alert def is then called and passed the tuples.
Parameters: - alert –
The alert tuple specified in settings.py.
alert[0]: The matched substring of the anomalous metric
alert[1]: the name of the strategy being used to alert
alert[2]: The timeout of the alert that was triggered
alert[3]: The second order resolution hours [optional for Mirage]
- meric –
The metric tuple.
metric[0]: the anomalous value
metric[1]: The full name of the anomalous metric
metric[2]: anomaly timestamp
- context (str) – app name
- alert –
skyline.analyzer.algorithms module¶
-
tail_avg
(timeseries)[source]¶ This is a utility function used to calculate the average of the last three datapoints in the series as a measure, instead of just the last datapoint. It reduces noise, but it also reduces sensitivity and increases the delay to detection.
-
median_absolute_deviation
(timeseries)[source]¶ A timeseries is anomalous if the deviation of its latest datapoint with respect to the median is X times larger than the median of deviations.
-
grubbs
(timeseries)[source]¶ A timeseries is anomalous if the Z score is greater than the Grubb’s score.
-
first_hour_average
(timeseries)[source]¶ Calcuate the simple average over one hour, FULL_DURATION seconds ago. A timeseries is anomalous if the average of the last three datapoints are outside of three standard deviations of this value.
-
stddev_from_average
(timeseries)[source]¶ A timeseries is anomalous if the absolute value of the average of the latest three datapoint minus the moving average is greater than three standard deviations of the average. This does not exponentially weight the MA and so is better for detecting anomalies with respect to the entire series.
-
stddev_from_moving_average
(timeseries)[source]¶ A timeseries is anomalous if the absolute value of the average of the latest three datapoint minus the moving average is greater than three standard deviations of the moving average. This is better for finding anomalies with respect to the short term trends.
-
mean_subtraction_cumulation
(timeseries)[source]¶ A timeseries is anomalous if the value of the next datapoint in the series is farther than three standard deviations out in cumulative terms after subtracting the mean from each data point.
-
least_squares
(timeseries)[source]¶ A timeseries is anomalous if the average of the last three datapoints on a projected least squares model is greater than three sigma.
-
histogram_bins
(timeseries)[source]¶ A timeseries is anomalous if the average of the last three datapoints falls into a histogram bin with less than 20 other datapoints (you’ll need to tweak that number depending on your data)
Returns: the size of the bin which contains the tail_avg. Smaller bin size means more anomalous.
-
ks_test
(timeseries)[source]¶ A timeseries is anomalous if 2 sample Kolmogorov-Smirnov test indicates that data distribution for last 10 minutes is different from last hour. It produces false positives on non-stationary series so Augmented Dickey-Fuller test applied to check for stationarity.
-
get_function_name
()[source]¶ This is a utility function is used to determine what algorithm is reporting an algorithm error when the record_algorithm_error is used.
-
record_algorithm_error
(algorithm_name, traceback_format_exc_string)[source]¶ This utility function is used to facilitate the traceback from any algorithm errors. The algorithm functions themselves we want to run super fast and without fail in terms of stopping the function returning and not reporting anything to the log, so the pythonic except is used to “sample” any algorithm errors to a tmp file and report once per run rather than spewing tons of errors into the log.
Note
- algorithm errors tmp file clean up
- the algorithm error tmp files are handled and cleaned up in
Analyzer
after all the spawned processes are completed.
Parameters: - algorithm_name (str) – the algoritm function name
- traceback_format_exc_string (str) – the traceback_format_exc string
Returns: True
the error string was written to the algorithm_error_fileFalse
the error string was not written to the algorithm_error_file
Return type: - boolean
skyline.analyzer.analyzer module¶
-
class
Analyzer
(parent_pid)[source]¶ Bases:
threading.Thread
The Analyzer class which controls the analyzer thread and spawned processes.
-
spawn_alerter_process
(alert, metric, context)[source]¶ Spawn a process to trigger an alert.
This is used by smtp alerters so that matplotlib objects are cleared down and the alerter cannot create a memory leak in this manner and plt.savefig keeps the object in memory until the process terminates. Seeing as data is being surfaced and processed in the alert_smtp context, multiprocessing the alert creation and handling prevents any memory leaks in the parent.
Added 20160814 relating to:
- Bug #1558: Memory leak in Analyzer
- Issue #21 Memory leak in Analyzer see https://github.com/earthgecko/skyline/issues/21
Parameters as per
skyline.analyzer.alerters.trigger_alert
-
spin_process
(i, unique_metrics)[source]¶ Assign a bunch of metrics for a process to analyze.
Multiple get the assigned_metrics to the process from Redis.
For each metric:
- unpack the raw_timeseries for the metric.
- Analyse each timeseries against ALGORITHMS to determine if it is anomalous.
- If anomalous add it to the Redis set analyzer.anomalous_metrics
- Add what algorithms triggered to the
self.anomaly_breakdown_q
queue - If
settings.ENABLE_CRUCIBLE
isTrue
:- Add a crucible data file with the details about the timeseries and anomaly.
- Write the timeseries to a json file for crucible.
Add keys and values to the queue so the parent process can collate for:
self.anomaly_breakdown_q
self.exceptions_q
-
run
()[source]¶ Called when the process intializes.
Determine if Redis is up and discover the number of unique metrics.
Divide the unique_metrics between the number of ANALYZER_PROCESSES and assign each process a set of metrics to analyse for anomalies.
Wait for the processes to finish.
Determine whether if any anomalous metrics require:
- Alerting on (and set EXPIRATION_TIME key in Redis for alert).
- Feed to another module e.g. mirage.
- Alert to syslog.
Populate the webapp json with the anomalous_metrics details.
Log the details about the run to the skyline analyzer log.
Send skyline.analyzer metrics to GRAPHITE_HOST
-