ES|QL

Robust anomaly threshold: median + 5×MAD

MEDIAN_ABSOLUTE_DEVIATION resists outliers, unlike standard deviation, so a median + 5×MAD threshold yields a reliable alert bound per service.

Prerequisites

Elasticsearch 8.12+, Kibana

FROM "metrics-app-*"
| WHERE @timestamp >= NOW() - 7 days
| STATS
    mesures = COUNT(*),
    mediane = ROUND(MEDIAN(response.time_ms), 1),
    mad = ROUND(MEDIAN_ABSOLUTE_DEVIATION(response.time_ms), 1)
  BY service.name
| EVAL seuil_anomalie = ROUND(mediane + 5 * mad, 1)
| WHERE mesures > 1000
| KEEP service.name, mediane, mad, seuil_anomalie
| SORT seuil_anomalie DESC

Result

service.name | mediane | mad  | seuil_anomalie
-------------+---------+------+---------------
checkout-api |   184.2 | 62.4 |          496.2
search-api   |    88.7 | 31.0 |          243.7
catalog-api  |    41.2 | 12.8 |          105.2
auth-svc     |    35.8 |  8.1 |           76.3
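To show how the median + 5×MAD bound from the query behaves when a few extreme values are present, here is an added Python example (not part of the original snippet) that recomputes the query's per-service columns on constructed response-time samples and contrasts the bound with mean + 5×stddev; the service name and sample values are constructed.

```python
from statistics import mean, median, pstdev

# Constructed sample (not real telemetry): 20 ordinary response times in ms
# for a hypothetical "checkout-api", plus three outliers from a slow-dependency
# incident that would drag a mean/stddev bound upwards.
SAMPLES_MS = {
    "checkout-api": [180, 175, 190, 185, 200, 170, 182, 188, 179, 191,
                     186, 183, 177, 195, 181, 189, 184, 176, 192, 187,
                     2400, 3100, 5200],
}

def mad(values):
    """Median absolute deviation: median of |x - median(x)|, the statistic
    ES|QL's MEDIAN_ABSOLUTE_DEVIATION returns."""
    m = median(values)
    return median(abs(v - m) for v in values)

def robust_threshold(values, k=5):
    """median + k*MAD, the bound the query's EVAL seuil_anomalie builds."""
    return round(median(values) + k * mad(values), 1)

def naive_threshold(values, k=5):
    """mean + k*stddev, for contrast: every outlier pulls both terms up."""
    return round(mean(values) + k * pstdev(values), 1)

def threshold_rows(samples, min_count=0):
    """Mirror the query's STATS ... BY service.name output: one row per
    service as (mesures, mediane, mad, seuil_anomalie), dropping services
    with min_count measurements or fewer (the query's WHERE mesures > 1000)."""
    rows = {}
    for service, values in samples.items():
        if len(values) <= min_count:
            continue
        rows[service] = (len(values), round(median(values), 1),
                         round(mad(values), 1), robust_threshold(values))
    return rows

def above_threshold(values, threshold):
    """Measurements that would fire an alert under the given bound."""
    return [v for v in values if v > threshold]

if __name__ == "__main__":
    for service, (n, med, dev, bound) in threshold_rows(SAMPLES_MS).items():
        vals = SAMPLES_MS[service]
        naive = naive_threshold(vals)
        print(f"{service}: n={n} mediane={med} mad={dev} seuil={bound} "
              f"flags={above_threshold(vals, bound)}")
        print(f"  mean+5*stddev={naive} flags={above_threshold(vals, naive)}")
```

With the three outliers included, the MAD bound stays at 216.0 ms and flags exactly those three measurements, while the mean + 5×stddev bound climbs above the largest outlier and flags nothing.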
Tags: MAD, Anomaly, Dynamic threshold, Alerting
