anomaly detection

Monitoring: Why Smart Alerts Beat Smart Algorithms

Sébastien Puyet

Sébastien Puyet

4 min read
Monitoring: Why Smart Alerts Beat Smart Algorithms

Everyone's building AI-powered anomaly detection these days. Machine learning models trained on your metrics, neural networks that understand your seasonal patterns, algorithms that promise to catch the unknown unknowns. It's impressive tech, and the demos look fantastic.

But here's what the vendors won't tell you: 90% of server outages still come from the same five predictable patterns that have been killing systems for decades. You don't need a PhD in data science to catch them.

The AI Anomaly Detection Problem

I've watched teams deploy sophisticated anomaly detection systems only to turn them off six months later. The problem isn't the technology, it's the noise. Machine learning thrives on finding patterns, and server metrics are full of them. Your CPU spikes every time the backup runs. Memory usage jumps when users actually show up on Monday morning. Disk I/O goes crazy during log rotation.

All of these are anomalies in the statistical sense, which means your fancy algorithm dutifully alerts on every single one. What started as a solution to alert fatigue becomes the primary cause of it.

The math looks good on paper. In practice, you're getting paged at 3 AM because the machine learning model detected that your web server is handling more traffic than usual. Congratulations, your business is successful and your monitoring system thinks that's a problem.

The 90% Rule: Five Patterns That Actually Matter

After watching servers melt down for the better part of two decades, I can tell you that most outages follow depressingly predictable patterns. Here are the big five:

1. Disk Space Death Spiral

The classic. Your logs grow, your database expands, your temp files accumulate. At 85% full, performance starts degrading. At 95%, things get weird. At 100%, everything stops.

You don't need machine learning to catch this. You need a threshold alert at 80% and another at 90%. That's it.

2. Memory Leak Massacre

Something slowly consumes all available RAM over hours or days. Could be a buggy application, a runaway process, or just normal growth hitting a limit. The pattern is always the same: steady climb, sudden cliff.

A simple trend alert catches this better than any neural network. If memory usage increases by X% over Y hours, someone needs to look.

3. The Load Average Explosion

Your server gets hit with more work than it can handle. Maybe traffic spiked, maybe a batch job went rogue, maybe someone decided to run a backup during peak hours. Load average shoots up, response times crater.

Another threshold problem. You know your server's limits. Alert when you're approaching them.

4. The Network Partition

Connectivity issues between services cause cascading failures. Database can't reach the cache, API can't reach the database, users can't reach anything. The monitoring usually shows everything as "up" right until it isn't.

This one's trickier, but it's still about patterns. Response times increase before things fail completely. Connection errors spike. You can catch this with basic service checks and latency monitoring.

5. The Dependency Domino Effect

A shared service fails and takes everything else with it. The database locks up, the message queue fills up, the CDN goes down. Your application might be perfectly healthy, but it can't function without its dependencies.

Service dependency mapping helps here, but honestly, most of the time you can predict the critical paths. Monitor the things that everything else depends on more aggressively.

Smart Alerting Without the ML Complexity

Instead of throwing machine learning at the problem, build alerting rules that adapt to your actual environment. This isn't about being anti-AI, it's about being practical.

Context-Aware Thresholds

Your CPU usage at 2 AM should trigger different alerts than the same usage at 2 PM. Don't train a model on this, just set different thresholds for different time windows. Most monitoring systems can handle time-based rules without breaking a sweat.

Progressive Alert Escalation

Start with loose thresholds for early warnings, tighten them for immediate action. Disk space at 70%? Send an email. At 85%? Page someone. At 95%? Wake up the whole team. Simple, predictable, effective.

Composite Conditions

Alert when multiple related metrics move together. High CPU and high load average and increasing response times? That's a pattern worth investigating. High CPU alone? Maybe just a backup running.

Most monitoring platforms support compound conditions. Use them.

Silence the Expected

This is where a little intelligence goes a long way. If you know the backup runs at midnight and CPU always spikes, suppress those alerts during that window. If you know traffic drops on weekends, adjust your thresholds accordingly.

You're not building AI, you're encoding operational knowledge.

The Real Anomaly Detection

Here's the thing about real anomalies: they're usually obvious when they happen. The mysterious, subtle issues that require machine learning to detect are relatively rare. Most problems announce themselves loudly if you're listening for the right signals.

The disk fills up. Memory runs out. CPU gets pegged. Dependencies fail. These aren't subtle patterns that require algorithmic sophistication to detect. They're the digital equivalent of a house fire, and you don't need a neural network to smell smoke.

What you need is reliable alerting on the fundamentals, delivered at the right time to the right people with enough context to take action. That's harder than it sounds, but it doesn't require a data science team.

Getting Started

Pick your top five services. The ones that hurt when they're down. Figure out their failure modes. Disk space, memory, CPU, dependencies, whatever kills them most often. Set up simple, reliable alerts for those patterns.

Test them. Make sure they fire when they should and stay quiet when they shouldn't. Tune the thresholds based on real incidents, not theoretical models.

Once you've got solid coverage of the obvious stuff, then maybe consider more sophisticated approaches for the edge cases. But don't skip the fundamentals in pursuit of algorithmic elegance.

The goal isn't to build the smartest monitoring system. It's to build the most reliable one. Sometimes that means choosing simple rules over sophisticated algorithms, and that's perfectly fine.

After all, if basic server monitoring patterns are giving you trouble, tools like fivenines make it straightforward to set up those essential alerts without the machine learning overhead. Sometimes the best solution is the one that just works.

Read more