Types of anomalous behavior

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Types of anomalous behavior

    Anomalous behavior in Configuration Items (CIs) or services signals potential issues, such as spikes in message frequency or unusual values. ServiceNow identifies anomalies by monitoring log streams to establish baselines for patterns, metrics, and gauges over various time periods (hourly, daily, weekly, or unlimited). Any behavior deviating from these learned baselines is considered anomalous.

    Show full answer Show less

    Key Concepts of Anomalous Behavior

    • Pattern: Repeating values or rates in text, time, or relationships.
    • Meter: Numeric or text values representing discrete properties like status or response codes.
    • Gauge: Continuous numerical values indicating resource consumption, such as CPU or memory usage.

    How Anomalies Appear in Service Operations Workspace

    The Anomaly card visually illustrates anomalous activity with a blue line representing recent anomalies. Shaded areas display expected baseline behavior: light shading for the learned baseline, peach shading for the same hour one day earlier, and pink shading for the same period one week earlier. Users can click the information icon to understand how the anomaly was detected, helping to quickly identify deviations from normal behavior.

    Kinds of Anomalies

    ServiceNow recognizes several types of anomalous behavior, including:

    • New behavior: Patterns never seen before; these alerts do not include charts.
    • Signal dead (stopped appearing): No log data or patterns from a source for at least five minutes.
    • Signal alive (appearing again): Previously dead sources begin producing data again.
    • Anomaly above or below average: Activity differing from expected baseline metrics for patterns, meters, or gauges.
    • Baseline reference increase or decrease: Changes compared to one-hour or one-week baselines.
    • Correlation of severity and keyword alerts: Increased volume of alerts with specific severity levels or keywords.

    Anomalous behavior in a CI or a service can indicate an important issue. For example, a spike in the frequency or number of messages of a particular type can indicate a problem.

    Understanding anomalies

    To build models of expected behavior, the system monitors the log stream to learn baselines for patterns, metrics, and gauges over various time periods. Time periods can be hourly, daily, weekly, or unlimited. Behavior that departs from the learned models is considered anomalous behavior.

    Types of log property

    Pattern
    A pattern is a value or rate that repeats, whether in text, time, or relationships.
    Meter
    A meter property is a numeric or text value. For example, a status code, a response code, an action, or a pattern.
    Gauge
    A gauge property has a numerical value that is reported continuously. Gauge properties represent operations that consume resources. For example, CPU usage, memory usage, or response time.

    How anomalies appear in the Service Operations Workspace

    The Anomaly card illustrates the anomalous activity that led to the alert.
    • The blue line shows the recent anomalous activity.
    • On some charts, the lightly shaded area indicates the expected (learned baseline) behavior.

      A peach-shaded area represents the baseline values for the same hour one day earlier. A pink-shaded area shows the values for the same period in the previous week.

    • Click the information icon to see how the anomaly was identified: Information icon.
    In this example, the peach-shaded area shows the same data for the same hour one day earlier. The spike in the metric value (events per minute) is clearly visible.
    Figure 1. Anomaly card
    Anomaly card identifies and illustrates anomalous behavior.

    Kinds of anomalies

    Table 1. Some of the kinds of anomalies
    Behavior Description
    New behavior A pattern that has not ever been seen. The New Behavior alert type does not display a chart.
    Signal dead/Stopped appearing All pattern or log data from a source has stopped. There has been no signal for at least five minutes.
    Signal alive/Appearing again A pattern or log data from a "dead" source is appearing again​. For a baseline of one hour, a pattern is "dead" if it appears less than once per minute.
    Anomaly above average or below average Activity that deviates from expected baseline behavior for pattern or meter or gauge metrics, such as keywords metrics or severity metrics.
    Baseline reference​ increase or decrease An increase or decrease in the value or volume of a log property as compared to the one-hour or one-week baseline.
    Correlation of severity and keyword alerts An increase in the volume of a severity level or keyword.