Types of anomalous behavior in Health Log Analytics

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Types of anomalous behavior in Health Log Analytics

    Health Log Analytics helps ServiceNow customers detect important issues by identifying anomalous behavior in Configuration Items (CIs) or services through log analysis. It builds models of expected behavior by monitoring log streams and learning baselines over various time periods (hourly, daily, weekly, or unlimited). Any deviation from these learned baselines is classified as anomalous behavior, enabling proactive alerting to potential problems.

    Show full answer Show less

    Types of Log Properties

    • Pattern: Repeating values or rates in log data, including text, time, or relational patterns.
    • Meter: Numeric or text properties such as status codes, response codes, or actions.
    • Gauge: Continuously reported numerical values representing resource-consuming operations like CPU usage, memory usage, or response time.

    How Anomalies Appear in Health Log Analytics

    The Anomaly card visualizes anomalous activity that triggers alerts by displaying recent anomalous data, the expected baseline behavior, and baseline values from one day and one week earlier. For example, a spike in the average number of events per minute for a typically inactive log pattern is detected as an anomaly, prompting an alert.

    Kinds of Anomalies

    • New behavior: Detection of a previously unseen pattern; this alert type does not include a chart.
    • Signal dead/Stopped appearing: All log data from a source has ceased for at least five minutes.
    • Signal alive/Appearing again: Log data or patterns reappear from a previously "dead" source, defined as appearing less than once per minute over an hour baseline.
    • Anomaly above average or below average: Deviations in activity from expected baselines for patterns, meters, or gauges, such as keyword or severity metric changes.
    • Baseline reference increase or decrease: Changes in the value or volume of log properties compared to one-hour or one-week baselines.
    • Correlation of severity and keyword alerts: Increases in volume of severity levels or keyword occurrences.

    Anomalous behavior in a CI or a service can indicate an important issue. For example, a spike in the frequency or number of messages of a particular type can indicate a problem.

    To build models of expected behavior, Health Log Analytics monitors the log stream to learn baselines for patterns, metrics, and gauges over various time periods. Time periods can be hourly, daily, weekly, or unlimited. Behavior that departs from the learned models is considered anomalous behavior.

    Types of log property

    Pattern
    A pattern is a value or rate that repeats, whether in text, time, or relationships.
    Meter
    A meter property is a numeric or text value. For example, a status code, a response code, an action, or a pattern.
    Gauge
    A gauge property has a numerical value that is reported continuously. Gauge properties represent operations that consume resources. For example, CPU usage, memory usage, or response time.

    How anomalies appear in Health Log Analytics

    The Anomaly card illustrates the anomalous activity that led to the alert. The chart shows:
    • Recent anomalous activity
    • Expected behavior (the learned baseline)
    • Baseline values from one day earlier
    • Baseline values from the previous week
    In this example, the system tracks the baseline rate (the average number of events per minute) for a specific log pattern. When this typically inactive log generates a spike in events, the system detects the deviation from the baseline and generates an alert.
    Figure 1. Anomaly card
    Anomaly card identifies and illustrates anomalous behavior.

    Kinds of anomalies

    Table 1. Some of the kinds of anomalies
    Behavior Description
    New behavior A pattern that has not ever been seen. The New Behavior alert type does not display a chart.
    Signal dead/Stopped appearing All pattern or log data from a source has stopped. There has been no signal for at least five minutes.
    Signal alive/Appearing again A pattern or log data from a "dead" source is appearing again​. For a baseline of one hour, a pattern is "dead" if it appears less than once per minute.
    Anomaly above average or below average Activity that deviates from expected baseline behavior for pattern or meter or gauge metrics, such as keywords metrics or severity metrics.
    Baseline reference​ increase or decrease An increase or decrease in the value or volume of a log property as compared to the one-hour or one-week baseline.
    Correlation of severity and keyword alerts An increase in the volume of a severity level or keyword.