Amazon CloudWatch
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Creating a CloudWatch Alarm Based on Anomaly Detection

You can create an alarm based on CloudWatch anomaly detection, which mines past metric data and creates a model of expected values. The expected values take into account the typical hourly, daily, and weekly patterns in the metric.

You set a value for the anomaly detection threshold, and CloudWatch uses this threshold with the model to determine the "normal" range of values for the metric. A higher value for the threshold produces a thicker band of "normal" values.

You can choose whether the alarm is triggered when the metric value is above the band of expected values, below the band, or either above or below the band.

For more information, see Using CloudWatch Anomaly Detection.

Note

If you create an anomaly detection alarm on a metric that you're already using anomaly detection for in the Metrics console for visualization purposes, the threshold that you set for the alarm doesn't change the threshold that you're already using for visualization. For more information, see Creating a Graph.

To create an alarm based on anomaly detection

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Alarms, Create Alarm.

  3. Choose Select Metric and do one of the following:

    • Choose the service namespace that contains the metric that you want. To narrow the choices, continue choosing options as they appear. When a list of metrics appears, select the check box next to the metric that you want.

    • In the search box, enter the name of a metric, dimension, or resource ID and press Enter. Then choose one of the results and continue until a list of metrics appears. Select the check box next to the metric that you want.

  4. Choose the Graphed metrics tab.

    1. Under Statistic , choose one of the statistics or predefined percentiles, or specify a custom percentile (for example, p95.45).

    2. Under Period, choose the evaluation period for the alarm. When evaluating the alarm, each period is aggregated into one data point. For anomaly detection alarms, the value must be one minute or longer.

      You can also choose whether the y-axis legend appears on the left or right while you're creating the alarm. This preference is used only while you're creating the alarm.

    3. Choose Select metric.

      The Specify metric and conditions page appears, showing a graph and other information about the metric and statistic you have selected.

  5. Under Conditions, specify the following:

    1. Choose Anomaly detection.

      If the model for this metric and statistic already exists, CloudWatch displays the anomaly detection band in the sample graph at the top of the screen. If the model does not already exist, the model will be generated when you finish creating the alarm. It takes up to 15 minutes for the actual anomaly detection band generated by the model to appear in the graph. Before that, the band you see is an approximation of the anomaly detection band. To see the graph in a longer time frame, choose Edit at the top right of the page.

    2. For Whenever metric is, specify whether the metric must be greater than, lower than, or outside (in either direction) the band to trigger the alarm.

    3. For Anomaly detection threshold, choose the number to use for the anomaly detection threshold. A higher number creates a thicker band of "normal" values that is more tolerant of metric changes, and a lower number creates a thinner band that will go to ALARM state with smaller metric deviations. The number does not have to be a whole number.

    4. Choose Additional configuration. For Datapoints to alarm, specify how many evaluation periods (data points) must be in the ALARM state to trigger the alarm. If the two values here match, you create an alarm that goes to ALARM state if that many consecutive periods are breaching.

      To create an M out of N alarm, specify a lower number for the first value than you specify for the second value. For more information, see Evaluating an Alarm.

    5. For Missing data treatment, choose how to have the alarm behave when some data points are missing. For more information, see Configuring How CloudWatch Alarms Treat Missing Data.

    6. If the alarm uses a percentile as the monitored statistic, a Percentiles with low samples box appears. Use it to choose whether to evaluate or ignore cases with low sample rates. If you choose ignore (maintain alarm state), the current alarm state is always maintained when the sample size is too low. For more information, see Percentile-Based CloudWatch Alarms and Low Data Samples.

  6. Choose Next.

  7. Under Notification, select an SNS topic to notify when the alarm is in ALARM state, OK state, or INSUFFICIENT_DATA state.

    To have the alarm send multiple notifications for the same alarm state or for different alarm states, choose Add notification.

    To have the alarm not send notifications, choose Remove.

  8. To have the alarm perform EC2 actions, choose the appropriate button and choose the alarm state and action to perform.

  9. When finished, choose Next.

  10. Enter a name and description for the alarm. The name must contain only ASCII characters. Then choose Next.

  11. Under Preview and create, confirm that the information and conditions are what you want, then choose Create alarm.

Modifying an Anomaly Detection Model

Once you have created an alarm, you can adjust the anomaly detection model. You can exclude certain time periods from being used in the model creation. It is critical that you exclude unusual events such as system outages, deployments, and holidays from the training data. You can also specify whether to adjust the model for daylight savings time changes.

To adjust the anomaly detection model for an alarm

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Alarms.

  3. Choose the name of the alarm. Use the search box to find the alarm if necessary.

  4. Choose View in metrics.

  5. In the lower part of the screen, choose Edit model.

  6. To exclude a time period from being used to produce the model, choose Add another time range to exclude from training. Then select or enter the days and times to exclude from training, and choose Apply.

  7. If the metric is sensitive to daylight savings time changes, select the appropriate time zone in the Metric timezone box.

  8. Choose Update.

Deleting an Anomaly Detection Model

Using anomaly detection for an alarm accrues AWS charges. If you no longer need an anomaly detection model for an alarm, you should delete the alarm and then the model. If you delete the model without deleting the alarm, the alarm automatically recreates the model.

To delete an alarm

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Alarms.

  3. Choose the name of the alarm.

  4. Choose Actions, Delete.

To delete the anomaly detection model that had been used for an alarm

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Metrics.

  3. On the All metrics tab, enter a search term in the search field, such as a metric name or resource name, and press Enter.

    For example, if you search for the CPUUtilization metric, you see the namespaces and dimensions with this metric.

  4. In the results, select the metric that had the anomaly detection model.

  5. Choose the Graphed metrics tab.

  6. In the lower part of the screen, choose Edit model and then Delete model.