dt-obs-predictive-analytics

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Predictive Analytics Skill

预测分析技能

Forecast resource saturation, detect trends, analyze anomalies, and characterize signal behavior using DQL and Dynatrace analyzer tools.

借助DQL和Dynatrace分析工具，预测资源饱和度、检测趋势、分析异常并表征信号行为。

Analysis Disciplines

分析领域

#	Discipline	Use when …
1	Forecast and Prediction	Predicting future metric values for capacity planning, cost estimation, or proactive alerting
2	Detecting Changes	A metric shifted — find when the character of the signal changed, regardless of whether it crossed a limit
3	Detecting Violations	A metric is currently out of bounds — find entities that exceed or fall below an acceptable range
4	Timeseries Characteristics	Characterizing a signal's seasonality, noise level, and trend before further analysis

#	领域	适用场景……
1	预测与预报	为容量规划、成本估算或主动告警预测未来指标值
2	变化检测	指标发生“偏移”——找出信号特征发生变化的时间点，无论是否超出阈值
3	违规检测	指标当前“超出范围”——找出超出或低于可接受范围的实体
4	时间序列特征	在进一步分析前，表征信号的季节性、噪声水平和趋势

Choosing the Right Detection Tool

选择合适的检测工具

The single most important decision: are you asking "did this metric change?" or "is this metric currently wrong?"

Question	Tool	Why
"Did this metric change in the last N hours?"	`timeseries-novelty-detection`	Detects when the signal's character changed (spike, step, trend onset, variability shift) without requiring a known acceptable limit
"Which services spiked or dropped recently?"	`timeseries-novelty-detection` with `SPIKE` / `CHANGE_IN_VALUES`	Finds the specific entities and timestamps where change occurred; returns empty for stable signals
"When did CPU start trending up?"	`timeseries-novelty-detection` with `TREND_IN_VALUES`	Pinpoints the onset of a directional shift
"Which hosts are currently above 90% CPU?"	`static-threshold-analyzer`	Known fixed limit — fire alerts when exceeded
"Which services are currently above their usual load?"	`adaptive-anomaly-detector`	Learns the normal distribution from the data and flags sustained threshold violations
"Which services are high right now vs. their weekly pattern?"	`seasonal-baseline-anomaly-detector`	Accounts for time-of-day/day-of-week patterns before deciding what is anomalous

最重要的决策：你要问的是“这个指标是否发生了变化？”还是“这个指标当前是否异常？”

问题	工具	原因
“过去N小时内该指标是否发生变化？”	`timeseries-novelty-detection`	无需已知可接受阈值，即可检测信号特征发生变化的时间点（峰值、阶跃、趋势起始、波动性变化）
“哪些服务近期出现峰值或骤降？”	带 `SPIKE` / `CHANGE_IN_VALUES` 参数的 `timeseries-novelty-detection`	找出发生变化的具体实体和时间戳；信号稳定时返回空结果
“CPU何时开始呈上升趋势？”	带 `TREND_IN_VALUES` 参数的 `timeseries-novelty-detection`	精确定位方向性变化的起始点
“哪些主机当前CPU使用率超过90%？”	`static-threshold-analyzer`	已知固定阈值——超出时触发告警
“哪些服务当前负载高于常规水平？”	`adaptive-anomaly-detector`	从数据中学习正常分布，标记持续的阈值违规
“哪些服务当前流量与每周模式相比异常偏高？”	`seasonal-baseline-anomaly-detector`	在判断异常前，会考虑时段/星期几的模式

Decision rule in plain language

通俗决策规则

Use
timeseries-novelty-detection
when the question contains "changed", "shifted", "spiked", "dropped", "started", "when did", or "did anything unusual happen". The tool answers whether a change occurred and when. It requires no predefined threshold.
Use an anomaly detector (
```
adaptive
```
,
```
seasonal
```
, or
```
static
```
) when the question is about ongoing or current state relative to an expected range: "which are highest", "who is violating", "what is above X". These tools count violation samples inside a sliding window — they confirm how long something has been bad, not whether the signal changed.

Pitfall: Running
adaptive-anomaly-detector
on a broad fleet to answer "which service changed load?" typically flags every service that has any variation, producing low-signal results. Use
timeseries-novelty-detection
first to identify entities where the load character genuinely shifted, then use the anomaly detectors to measure the severity of those specific signals.

使用
timeseries-novelty-detection
：当问题包含“变化”“偏移”“峰值”“骤降”“开始”“何时”或“是否发生异常”时。该工具回答是否发生变化以及何时发生变化，无需预定义阈值。
使用异常检测器（
```
adaptive
```
、
```
seasonal
```
或
```
static
```
）：当问题涉及当前或持续状态与预期范围的对比时，例如“哪些指标最高”“哪些实体违规”“哪些指标超过X”。这些工具会统计滑动窗口内的违规样本——它们确认异常持续了多久，而非信号是否发生变化。

误区：在大规模集群上运行
adaptive-anomaly-detector
来回答“哪些服务负载发生变化？”通常会标记所有存在任何波动的服务，产生低价值结果。应先使用
timeseries-novelty-detection
识别负载特征真正发生变化的实体，再使用异常检测器衡量这些特定信号的严重程度。

When to Use This Skill

何时使用本技能

Capacity: "Which hosts will hit 90% CPU in the next 30 days?"
Forecast: "Forecast service request volume for the next 7 days"
Trend: "Is memory usage growing across our Kubernetes nodes?"
Anomaly: "Which services have unusual error rates right now?"
Baseline: "How does today's traffic compare to last week?"
Signal profile: "Is this metric seasonal or trending before I set up alerting?"

容量规划：“哪些主机将在未来30天内达到90% CPU使用率？”
预测：“预测未来7天的服务请求量”
趋势分析：“Kubernetes节点的内存使用率是否在增长？”
异常检测：“哪些服务当前错误率异常？”
基线对比：“今日流量与上周相比如何？”
信号特征分析：“在设置告警前，该指标是否具有季节性或趋势性？”

Important Constraints

重要约束

Dynatrace Forecast Analyzer supports univariate forecasting only — predicting one metric based on its own historical values. Multivariate forecasting (using multiple metrics as inputs) requires external tools (Python, R, Azure AutoML).

Tooling Rule: Run analyses using Dynatrace tools:

timeseries-forecast

adaptive-anomaly-detector

seasonal-baseline-anomaly-detector

static-threshold-analyzer

, and

timeseries-novelty-detection

. Use

execute-dql

for DQL queries.

Result Analysis Rule: Always analyse and summarise results directly from the raw tool output. Derive all numbers, trends, and conclusions inline.

Dynatrace预测分析器仅支持单变量预测——基于自身历史值预测单个指标。多变量预测（使用多个指标作为输入）需要外部工具（Python、R、Azure AutoML）。

工具规则：使用Dynatrace工具运行分析：

timeseries-forecast

、

adaptive-anomaly-detector

、

seasonal-baseline-anomaly-detector

、

static-threshold-analyzer

和

timeseries-novelty-detection

。使用

execute-dql

执行DQL查询。

结果分析规则：始终直接从工具原始输出中分析和总结结果。所有数值、趋势和结论都应直接推导得出。

Result Presentation Format

结果呈现格式

Always present forecast results as a structured table:

Column	Content
Rank	🥇 🥈 🥉 ordered by urgency or magnitude
Signal / Entity	Metric name and entity or dimension
Last Actual	Most recent non-null value from the historical series
Forecast	Point forecast at the end of the horizon
Range	Lower – Upper confidence band at the same horizon point
Trend	% change from Last Actual to Forecast: 🔴 >+20% / 🟠 +5–20% / 🟢 ±5% stable / 🔵 −5–20% declining / ⚫ <−20% sharp drop
Action	✅ No action / ⚠️ Monitor / 🔴 Act now

Always follow the table with a Key Findings section (3–5 bullet points, ranked by priority).

预测结果始终以结构化表格呈现：

列名	内容
优先级	🥇 🥈 🥉 按紧急程度或影响程度排序
信号/实体	指标名称及实体或维度
最新实际值	历史序列中最近的非空值
预测值	预测周期结束时的点预测值
置信区间	同一预测时间点的下限–上限置信区间
趋势	从最新实际值到预测值的变化百分比：🔴 >+20% / 🟠 +5–20% / 🟢 ±5% 稳定 / 🔵 −5–20% 下降 / ⚫ <−20% 骤降
行动建议	✅ 无需行动 / ⚠️ 监控 / 🔴 立即处理

表格后始终跟随关键发现部分（3–5个要点，按优先级排序）。

Core DQL Techniques

核心DQL技巧

DQL has no native

forecast

function. For forward-looking forecasts, use

timeseries-forecast

(see

references/forecasting-analyzer.md

DQL没有原生的

forecast

函数。如需前瞻性预测，请使用

timeseries-forecast

（参见

references/forecasting-analyzer.md

）。

Key DQL Rules

关键DQL规则

```
timeseries
```
returns arrays — one value per time slot per entity
```
arrayLast(arr)
```
= most recent value;
```
arrayFirst(arr)
```
= oldest

Growth =

(arrayLast - arrayFirst) / number_of_intervals

Always
```
filter isNotNull(field)
```
before sorting to avoid null ordering issues
Use
```
toLong()
```
when dividing
```
Long
```
fields to avoid type errors
Use
```
dt.smartscape.*
```
not deprecated
```
dt.entity.*
```
in DQL display fields; use
```
dt.smartscape.*
```
in
```
by:{}
```
grouping clauses for entity-level queries

```
timeseries
```
返回数组——每个实体每个时间槽对应一个值
```
arrayLast(arr)
```
= 最新值；
```
arrayFirst(arr)
```
= 最早值

增长率 =

(arrayLast - arrayFirst) / number_of_intervals

排序前始终使用
```
filter isNotNull(field)
```
以避免空值排序问题
分割
```
Long
```
类型字段时使用
```
toLong()
```
以避免类型错误
在DQL显示字段中使用
```
dt.smartscape.*
```
而非已弃用的
```
dt.entity.*
```
；在实体级查询的
```
by:{}
```
分组子句中使用
```
dt.smartscape.*
```

Standard Query Patterns

标准查询模式

Moving Average Trend

移动平均趋势

dql

timeseries cpu = avg(dt.host.cpu.usage), from: now()-24h, interval: 1h, by: {dt.smartscape.host}
| fieldsAdd moving_avg = arrayMovingAvg(cpu, 4)
| fieldsAdd current = arrayLast(cpu)
| fieldsAdd trend = arrayLast(cpu) - arrayFirst(cpu)
| filter isNotNull(current)
| sort trend desc
| limit 20
| fields dt.smartscape.host, current, trend, moving_avg

dql

timeseries cpu = avg(dt.host.cpu.usage), from: now()-24h, interval: 1h, by: {dt.smartscape.host}
| fieldsAdd moving_avg = arrayMovingAvg(cpu, 4)
| fieldsAdd current = arrayLast(cpu)
| fieldsAdd trend = arrayLast(cpu) - arrayFirst(cpu)
| filter isNotNull(current)
| sort trend desc
| limit 20
| fields dt.smartscape.host, current, trend, moving_avg

Saturation Risk Classification

饱和度风险分类

dql

timeseries cpu = avg(dt.host.cpu.usage), from: now()-7d, interval: 1h, by: {dt.smartscape.host}
| fieldsAdd p95 = arrayPercentile(cpu, 95)
| fieldsAdd saturation_risk = if(p95 > 85, "HIGH", else: if(p95 > 70, "MEDIUM", else: "LOW"))
| filter isNotNull(p95)
| sort p95 desc
| fields dt.smartscape.host, p95, saturation_risk

dql

timeseries cpu = avg(dt.host.cpu.usage), from: now()-7d, interval: 1h, by: {dt.smartscape.host}
| fieldsAdd p95 = arrayPercentile(cpu, 95)
| fieldsAdd saturation_risk = if(p95 > 85, "HIGH", else: if(p95 > 70, "MEDIUM", else: "LOW"))
| filter isNotNull(p95)
| sort p95 desc
| fields dt.smartscape.host, p95, saturation_risk

Days to Saturation Forecast

饱和剩余天数预测

dql

timeseries cpu = avg(dt.host.cpu.usage), from: now()-30d, interval: 1d, by: {dt.smartscape.host}
| fieldsAdd current = arrayLast(cpu)
| fieldsAdd daily_growth = (arrayLast(cpu) - arrayFirst(cpu)) / 30
| filter isNotNull(current)
| fieldsAdd days_to_saturation = if(daily_growth > 0, toLong((90 - current) / daily_growth), else: 9999)
| sort days_to_saturation asc
| limit 20
| fields dt.smartscape.host, current, daily_growth, days_to_saturation

dql

timeseries cpu = avg(dt.host.cpu.usage), from: now()-30d, interval: 1d, by: {dt.smartscape.host}
| fieldsAdd current = arrayLast(cpu)
| fieldsAdd daily_growth = (arrayLast(cpu) - arrayFirst(cpu)) / 30
| filter isNotNull(current)
| fieldsAdd days_to_saturation = if(daily_growth > 0, toLong((90 - current) / daily_growth), else: 9999)
| sort days_to_saturation asc
| limit 20
| fields dt.smartscape.host, current, daily_growth, days_to_saturation

Anomaly Scoring

异常评分

dql

timeseries cpu = avg(dt.host.cpu.usage), from: now()-24h, interval: 1h, by: {dt.smartscape.host}
| fieldsAdd baseline_avg = arrayAvg(cpu)
| fieldsAdd current = arrayLast(cpu)
| fieldsAdd anomaly_score = if(isNotNull(current) and isNotNull(baseline_avg), abs(current - baseline_avg), else: 0)
| sort anomaly_score desc
| limit 20
| fields dt.smartscape.host, current, baseline_avg, anomaly_score

dql

timeseries cpu = avg(dt.host.cpu.usage), from: now()-24h, interval: 1h, by: {dt.smartscape.host}
| fieldsAdd baseline_avg = arrayAvg(cpu)
| fieldsAdd current = arrayLast(cpu)
| fieldsAdd anomaly_score = if(isNotNull(current) and isNotNull(baseline_avg), abs(current - baseline_avg), else: 0)
| sort anomaly_score desc
| limit 20
| fields dt.smartscape.host, current, baseline_avg, anomaly_score

Metric Discovery

指标发现

Before forecasting, discover available metrics by keyword:

dql

metrics from: now() - 1h
| filter contains(metric.key, "cpu")
| summarize count(), by: {metric.key}
| sort `count()` desc

预测前，按关键词发现可用指标：

dql

metrics from: now() - 1h
| filter contains(metric.key, "cpu")
| summarize count(), by: {metric.key}
| sort `count()` desc

Reference Guides

参考指南

references/forecasting-analyzer.md
—
```
timeseries-forecast
```
tool: data requirements, parameter reference, interval selection, horizon limits, common pitfalls
references/capacity-forecasting.md
— CPU/memory/disk/K8s saturation forecasts; multi-resource risk scoring; days-to-saturation DQL patterns

references/anomaly-scoring.md
—

adaptive-anomaly-detector

seasonal-baseline-anomaly-detector

static-threshold-analyzer

; DQL deviation scoring

references/novelty-detection.md
—
```
timeseries-novelty-detection
```
tool: spike, drop, step change, trend onset, and variability change detection; all novelty types; parameter reference; worked examples
references/trend-detection.md
—
```
timeseries-novelty-detection
```
for trend onset and change points; week-over-week joins; growth rate and acceleration detection

references/forecasting-analyzer.md
—
```
timeseries-forecast
```
工具：数据要求、参数参考、时间间隔选择、预测范围限制、常见陷阱
references/capacity-forecasting.md
— CPU/内存/磁盘/K8s饱和度预测；多资源风险评分；饱和剩余天数DQL模式