Types of anomalous behavior in Health Log Analytics

  • Release version: Zurich
  • Updated July 31, 2025

    Anomalous behavior in a CI or a service can indicate an important issue. For example, a spike in the frequency or number of messages of a particular type can indicate a problem.

    Understanding anomalies

    To build models of expected behavior, Health Log Analytics monitors the log stream to learn baselines for patterns, metrics, and gauges over various time periods. Time periods can be hourly, daily, weekly, or unlimited. Behavior that departs from the learned models is considered anomalous behavior.

    Types of log property

    Pattern
    A pattern is a value or rate that repeats, whether in text, time, or relationships.
    Meter
    A meter property is a numeric or text value, for example a status code, a response code, an action, or a pattern.
    Gauge
    A gauge property has a numerical value that is reported continuously. Gauge properties represent operations that consume resources, for example CPU usage, memory usage, or response time.

    How anomalies appear in Health Log Analytics

    The Anomaly card illustrates the anomalous activity that led to the alert.
    • The blue line shows the recent anomalous activity.
    • On some charts, the lightly shaded area indicates the expected (learned baseline) behavior.

      A peach-shaded area represents the baseline values for the same hour one day earlier. A pink-shaded area shows the values for the same period in the previous week.

    • Click the information icon to see how the anomaly was identified.
    In this example, the peach-shaded area shows the same data for the same hour one day earlier. The spike in the metric value (events per minute) is clearly visible.
    Figure 1. Anomaly card
    Anomaly card identifies and illustrates anomalous behavior.

    Kinds of anomalies

    Table 1. Some of the kinds of anomalies
    | Behavior | Description |
    | --- | --- |
    | New behavior | A pattern that has never been seen. The New Behavior alert type does not display a chart. |
    | Signal dead/Stopped appearing | All pattern or log data from a source has stopped. There has been no signal for at least five minutes. |
    | Signal alive/Appearing again | A pattern or log data from a "dead" source is appearing again. For a baseline of one hour, a pattern is "dead" if it appears less than once per minute. |
    | Anomaly above average or below average | Activity that deviates from expected baseline behavior for pattern, meter, or gauge metrics, such as keyword metrics or severity metrics. |
    | Baseline reference increase or decrease | An increase or decrease in the value or volume of a log property as compared to the one-hour or one-week baseline. |
    | Correlation of severity and keyword alerts | An increase in the volume of a severity level or keyword. |
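
The first four anomaly kinds in Table 1, sketched as detection logic over per-minute event counts for a single pattern. This is an added illustration, not ServiceNow code or the product's algorithm: the function name `classify`, the three-sigma threshold, and the sample counts are assumptions, and only the five-minute silence rule comes from the table.

```python
from statistics import mean, pstdev

DEAD_AFTER_MIN = 5  # from the table: no signal for at least five minutes
SIGMA = 3.0         # assumption: the page does not state a deviation threshold


def classify(counts, baseline):
    """Label anomalous minutes in `counts` (events per minute, one pattern).

    `baseline` is the learned history of per-minute counts; an empty list
    means the pattern has never been seen before.
    Returns a list of (minute_index, anomaly_kind) tuples.
    """
    mu = mean(baseline) if baseline else 0.0
    sd = pstdev(baseline) if baseline else 0.0
    seen, dead, silent, events = bool(baseline), False, 0, []
    for minute, n in enumerate(counts):
        if n == 0:
            silent += 1
            # Raise "signal dead" once, when the silence reaches the limit.
            if silent == DEAD_AFTER_MIN and seen and not dead:
                dead = True
                events.append((minute, "signal dead"))
            continue
        silent = 0
        if not seen:
            seen = True
            events.append((minute, "new behavior"))
        elif dead:
            dead = False
            events.append((minute, "signal alive"))
        elif sd and n > mu + SIGMA * sd:
            events.append((minute, "anomaly above average"))
        elif sd and n < mu - SIGMA * sd:
            events.append((minute, "anomaly below average"))
    return events


# Constructed sample data, not taken from a real log stream.
BASELINE = [10, 12, 11, 9, 10, 11, 12, 10]
OBSERVED = [11, 10, 40, 11, 0, 0, 0, 0, 0, 0, 9, 3]

if __name__ == "__main__":
    for minute, kind in classify(OBSERVED, BASELINE):
        print(f"minute {minute:2d}: {kind}")
```

A pattern that resumes after a "signal dead" alert is reported as "signal alive" rather than as a below-average value, so one outage produces a paired stop/resume rather than a run of deviation alerts.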