Overalerting—generating a high volume of false-positive or low-value alerts—is one of the most common problems when configuring anomaly detection. Receiving too many false alerts has a number of potential consequences and might lead to:
This page introduces best practices for configuring
Anomaly Detection that help you keep your alert volume down to meaningful alarms and your team responsive.
Identify false positive alerts
Create the initial configuration with relaxed thresholds
Choose the suitable detection model
Alert on aggregated data
Use the sliding window to prevent sequential alert spam
Use large aggregation windows for sparse log pattern signals
Use built-in event correlation to merge related alerts
Disable long-running violating alerts
Use Info and Warning events to observe your environment
Review and remove alerts that create noise
An alert exists to signal an abnormal state–a state that rarely occurs under healthy operating conditions, in no more than 0.1% of observed time. This threshold gives you a measurable criterion for deciding whether a new alert reflects a genuine problem or is creating noise.
For a single service monitored continuously:
A well-calibrated alert for a healthy service is typically created once or twice per month, with each alert firing representing a short-lived but valid anomaly. If a service alerts 100 times within 24 hours, the alert is created for a normal operating state of that service rather than an abnormal state.
When an alert consistently exceeds the 0.1% threshold, there are two possible explanations:
A chronic alert that nobody investigates contributes significantly to alert noise. It trains your team to ignore that alert source entirely, including the moment when the alert creates a genuine, urgent incident.
Use the 0.1% threshold rule as a diagnostic during alert reviews: look up the alerting history of each active detector in
Anomaly Detection and flag any detector where problem events account for more than 0.1% of the review period as a candidate for reconfiguration or service remediation.
To get a quick ranked view of which alert configurations are generating the most events–including a direct back-reference to the settings object so you can navigate straight to the detector–run the following query in
Notebooks or
Dashboards:
fetch dt.davis.events| filter not in(event.category, {"INFO", "WARNING"})| summarize alerts = count(), by:{event.name, dt.settings.object_id, dt.smartscape_source.id}| sort alerts desc
The query excludes informational and warning events to focus on events that have raised problems, groups them by detector name and source entity, and sorts by total alerting count. The dt.settings.object_id field contains the identifier of the anomaly detection configuration that produced each event, which you can use to navigate directly to the offending detector in
Anomaly Detection for reconfiguration or removal.
When you create a new anomaly detector, begin with a less sensitive threshold rather than a stricter one. You can increase sensitivity at any point once you understand how your data behaves, but recovering from alert fatigue requires additional time and effort.
Alert fatigue is harder to address than having too few alerts. Once your team starts dismissing alerts because a lot of them are false positives, rebuilding trust in the alert source takes time, even after the configuration has been corrected.
To ensure that you fully understand your data behavior before using stricter thresholds, we recommend that you take the following approach:
To learn more about adjusting the sensitivity of built-in anomaly detectors, see Adjust the sensitivity of anomaly detection.
Dynatrace offers different anomaly detection models. Choosing the right model for your data pattern reduces false positives before any threshold tuning takes place.
| Data pattern | Recommended model | Why |
|---|---|---|
Hard saturation limit: CPU, disk, fixed error rate ceiling. | The anomaly detector fires an alert only when a predefined boundary is crossed. The model doesn't need a prior learning period and there's no risk of the baseline drifting past the established limit. | |
Repeating daily or weekly patterns driven by human behavior: traffic, transactions, request rates. | The model learns the normal shape of your data across time-of-day and day-of-week cycles, so a midday traffic spike doesn't trigger an alert on a Sunday night or holiday baseline. | |
Gradual drift or entity-level variance: response times across many services. | The model adjusts the baseline per entity and continuously adapts as normal behavior shifts over time. |
If you're not sure which model to use, we encourage you to favor the seasonal baseline for user-facing metrics. Human behavior is, by nature, periodic, and a static threshold that seems right during peak hours will either generate false positives at night or miss real problems during peak hours if set too conservatively.
For an overview of all available models, see Anomaly Detection app.
Splitting an alert on high-cardinality dimensions, such as individual app versions, Kubernetes pods, or HTTP status codes, causes your alert count to scale with the number of dimension values. This leads to:
Assume that you have configured an anomaly detector for counting frontend error split by app version, which fires a separate alert for each version of the app:
timeseries avg(dt.frontend.error.count), by:{app.short_version}
This configuration fires alerts for any new and old versions, which creates noise by increasing the amount of false positive alerts. To fix the configuration, you should use a query that alerts you on the aggregated error count across all active versions:
timeseries avg(dt.frontend.error.count)
A spike in the aggregated error count is noticeable, and your team can promptly act upon it. The root cause analysis–which specific app version introduced the regression–can follow as a downstream step, such as an agentic investigation triggered by the problem event after the incident has been confirmed.
High-cardinality splits don't just generate more alerts–they generate more outdated, stale alerts. Old app versions with anomalous historical data can fire indefinitely for signals that are no longer monitored.
To learn more about scoping your queries effectively, see Anomaly Detection DQL writing guide and Use segments with custom alerts.
Without a controlled alert delay, a metric that fluctuates around a threshold can produce dozens of individual alerts within a single hour, each opening and closing every few minutes. This results in a cluttered problem feed and a notification stream that trains your team to ignore alerts.
To avoid cluttering, we recommend that you use the sliding window parameter, setting a condition that a threshold must be breached for a minimum number of consecutive evaluation samples before a problem opens. A reliable starting point is 3 violating samples out of any 5 minutes.
One sustained open alert is easier to manage than 30 short-lived alerts that open and close every 2 minutes. By keeping a problem open for longer, you:
Dynatrace keeps the problem event open until the dealerting criterion is met–by default, the criterion is 5 consecutive non-violating samples. This means threshold fluctuations add new violations to an existing problem instead of opening a new one, which further reduces overall alert volume.
If your alert keeps opening and closing repeatedly, we recommend that you increase the required violation count for the sliding window instead of raising the threshold.
To learn more about configuring the sliding window, see Anomaly detection configuration.
Security and fraud detectors often rely on logs rather than metrics. A typical detector looks for a recurring pattern in log lines–failed login attempts, requests from a known bad actor IP address, or repeated access to a sensitive endpoint–and alerts you when the occurrence count crosses an established threshold.
Suppose you want to alert on such patterns. They are, by default, sparse and erratic. A single failed login attempt is an expected background noise, while thousands of failed attempts within an hour might indicate a credential stuffing attack. The problem is that the raw event stream fluctuates heavily from minute to minute, which makes minute-by-minute evaluation unreliable. In such a scenario, you get false positives when a short burst of legitimate retries briefly exceeds a low threshold, but also get missed detections when the attack spreads across a longer time window.
To avoid redundant noise and increased number of false positives caused by raw event stream fluctuations, we recommend using a records-based custom alert that aggregates the occurrence count over a 60-minute window with a matching 60-minute query execution delay. This means that, once every hour, a custom alert evaluates the total count of matching log events detected during that hour. This provides a more stable and accurate result than the per-minute sampling offered by the timeseries-based custom alert.
Below is the example of the DQL query for a failed login detector:
fetch logs, from: now() - 60m| filter matchesPhrase(content, "authentication failed") or matchesPhrase(content, "failed login")| summarize failed_login_count = count()| filter failed_login_count > 500
With Data type set to Records and Delay set to 60 Minutes, this query runs once every hour. If the total count of matching log lines in the past hour exceeds the threshold, a problem is raised. If the count stays below it, as it would during normal background noise, no problem is opened.
The same pattern of 60-minute delay and 60-minute query window can be applied to other sparse log signals:
A 60-minute aggregation window paired with a 60-minute execution delay reduces query execution cost: instead of the custom alert running 60 times per hour at the default 1-minute interval, it runs only once per hour. For log-heavy environments, this difference can be significant.
To learn more about the records data type and the Delay parameter, see Anomaly detection configuration. For more examples using records-based custom alert, see Monitor daily LLM cost burn rate using records-based custom alerts.
Before you adjust any configuration, we encourage you to learn what Dynatrace does automatically by default. Dynatrace Intelligence offers a set of built-in event correlation rules that combine individual alerts into a single problem based on shared topology fields. These rules are applied to every incoming event without any prior setup required.
The same Smartscape entity rule groups all events that share the same dt.smartscape_source.id field value. Since this rule has a matching condition set to true by default, it applies to every event regardless of the entity type. Any two alerts that reference the same
Smartscape entity and arrive within the established timeframe are merged into a single problem.
When you configure the event template of a custom alert, make sure to set the dt.smartscape_source.id field to an existing Smartscape entity ID, like a host or service entity ID rather than an arbitrary string. Using an existing entity ID allows the correlation engine to:
Aside from the universal rule, Dynatrace provides topology-aware rules that merge events of different entity types that share the same source topology node. This mechanism prevents a cascading failure from creating a separate problem for each of the affected entities. Below are some examples of the grouping fields and potential entity types that can be merged, separated by the observability app.
| Grouping field | Entity types merged | Example |
|---|---|---|
|
| A disk-full alert and a process crash on the same host create one problem based on the source node (host). |
|
| A container CPU alert and a process alert within the same container are merged together. |
|
| A service error-rate alert and a process alert for the same process group are merged together. |
| Grouping field | Entity types merged |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Since a Kubernetes environment can have many short-lived pods and frequent rollouts, these rules reduce alert volume and noise: alerts from a pod, its containers, and the node it runs on are all candidates for merging into a single problem.
On top of the correlation rules, Dynatrace applies additional deduplication mechanisms that help further reduce the noise and the problem count:
When combined, correlation rules and deduplication layers help you reduce the number of problems a properly configured custom alert produces compared to the raw number of individual alerts raised without the rules and deduplication applied. To learn more about how event correlation and deduplication work, see Event analysis and correlation.
A problem that has been continuously violating the threshold and has remained open for weeks or months signals that the underlying custom alert is misconfigured or monitoring something that no longer exists. Unlike a genuine incident that your team works to resolve using time and effort, a long-running violating alert typically has two characteristics:
Suppose your synthetic monitor has been configured to test a web application that has been taken down at some point. In this scenario, the monitor will fail on every execution while continuously consuming monitoring capacity. At the same time, the resulting problem will stay open indefinitely as a constant false positive.
The optimal solution in this case is to disable or delete the custom alert, since it'll automatically:
Before you disable a custom alert, make sure that the source of detected anomalies is really gone and not just temporarily unavailable. A long outage and a decommissioned service can look identical from the alert perspective.
Long-running open problems are a useful indicator that can help with your regular alert reviews—you can sort open problems by age and treat any problem open for more than a few weeks without an active owner as a candidate for investigation and cleanup.
Some of the monitored conditions provide useful information but aren't impactful enough to raise a problem. An alert you're still calibrating, a metric you're observing to learn trends without committing to an SLO, or a condition that violates regularly but isn't yet actionable—all of these benefit from being captured and stored in Grail without creating a problem.
Dynatrace supports two non-problem-raising event types you can set in the event template of any custom alert:
CUSTOM_INFO: a purely informational event. It's stored in Grail, visible on entity pages, and can be queried with DQL or used in dashboards and workflow triggers. An info event never opens a problem on its own.WARNING: an event signaling a potential future problem. Warnings are highlighted in yellow in the UI and can appear as additional context inside an existing problem. Much like CUSTOM_INFO event type, they don't open a new problem. A warning event is a point-in-time signal, so it has no Active or Close duration.Both event types have the lowest severity level–SEV-5. For more information about severity levels and their meaning, see Standardized event severity. To learn more about the existing event types, see Event categories.
Setting the event.type value to CUSTOM_INFO or WARNING instead of CUSTOM_ALERT in the event template of a custom alert gives you full observability of the alerting condition. Every violation is recorded in the dt.davis.events field without cluttering your problem feed or creating noise.
While CUSTOM_INFO and WARNING events don't open problems, event correlation and deduplication rules apply to them the same way as the other event types. Multiple CUSTOM_INFO events from the same source that are active at the same time are merged into a single event rather than stored as duplicates.
Below are some of the practical uses of the non-problem-raising events:
CUSTOM_INFO for the first two to four weeks.dt.davis.events to see how often the custom alert creates an event and whether the configured threshold needs adjustment. To do so, use the following query:fetch dt.davis.events| filter in(event.category, {"INFO", "WARNING"})| filter event.name == "High failed login rate - observation"| summarize firing_count = count(), by: { bin(timestamp, 24h) }
event.type value to CUSTOM_ALERT once you're confident in the configuration.If an observed condition violates the threshold regularly because an underlying issue is known and tracked elsewhere (for example, in a backlog ticket), use WARNING to keep the signal visible in dashboards and prevent the related problem from being constantly reopened. This will reduce the noise and number of false positive alerts your team receives.
Workflows can be triggered by any Davis event type, including CUSTOM_INFO and WARNING. You can route a non-problem-raising event to a Slack channel or create a Jira ticket without the event appearing in the
Problems.
Alert configurations drift over time. Because of service changes, traffic pattern shifts, and team restructures, an alert that was well-tuned six months ago might be triggered constantly now, or not trigger at all. We recommend that you establish a regular review period (for example, once every quarter) to audit your active configurations in
Anomaly Detection. You should focus on the following alerts:
A smaller, well-maintained alert library with a high signal-to-noise ratio produces more accurate and effective results than a large alert library that contains noise-creating configurations and produces a significant number of false positives.
Anomaly Detection