How can I create a CloudWatch alarm based on anomaly detection using the AWS CLI?

Short description

When you activate anomaly detection for a metric, CloudWatch applies machine-learning algorithms to the metric's historical data to create a model of the metric's expected values.

The model generates two metrics that represent:

• The upper band of normal metric behavior
• The lower band of normal metric behavior, with a default value of two standard deviations

To learn more, see How CloudWatch anomaly detection works.

Resolution

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

1.    Create a JSON file to set a CloudWatch alarm based on anomaly detection:

{
  "AlarmActions": [
    "arn:aws:sns:us-east-1:397466294846:test1"
  ],
  "AlarmName": "MyAlarmName",
  "AlarmDescription": "This alarm uses an anomaly detection model",
  "Metrics": [
    {
      "Id": "m1",
      "ReturnData": true,
      "MetricStat": {
        "Metric": {
          "MetricName": "NetworkIn",
          "Namespace": "AWS/EC2",
          "Dimensions": [
            {
              "Name": "InstanceId",
              "Value": "i-0e1830cdc0447f6b9"
            }
          ]
        },
        "Stat": "Average",
        "Period": 60
      }
    },
    {
      "Id": "t1",
      "Expression": "ANOMALY_DETECTION_BAND(m1, 3)"
    }
  ],
  "EvaluationPeriods": 2,
  "ThresholdMetricId": "t1",
  "ComparisonOperator": "LessThanLowerOrGreaterThanUpperThreshold"
}

In this file:

• The Id of m1 is assigned to the NetworkIn metric of an instance. t1 is the anomaly detection model function for the NetworkIn metric. The model uses three standard deviations to set the width of the band.
• ThresholdMetricId is set to t1, and ComparisonOperator is set to LessThanLowerOrGreaterThanUpperThreshold. These settings make sure that the alarm goes into alarm state when the metric value is outside the anomaly model band in either direction for two consecutive evaluation periods.

2.    Save the JSON file as anomaly-alarm.json. Then, run the following command to create an alarm with the anomaly detection band specified in the file:

$ aws cloudwatch put-metric-alarm --cli-input-json file://anomaly-alarm.json

The model is generated when you finish creating the alarm. The band that you see in the graph initially is an approximation of the anomaly detection band. It might take up to 15 minutes for the anomaly detection band generated by the model to appear in the graph.

Related information

Creating a CloudWatch alarm based on anomaly detection