Anomaly Detection
LogFlow automatically detects unusual patterns in your logs — no manual threshold configuration required.
How it works
Every 5 minutes, LogFlow compares your current log metrics against a 7-day historical baseline (same time-of-day window, excluding today). If the deviation is significant enough, an anomaly event is created and you're notified.
Anomaly types
Error rate spike
Triggered when the error rate in the last 5 minutes is 3× higher than the baseline, with at least 5 errors.
Volume spike
Triggered when log volume is 5× higher than baseline with at least 100 logs. Usually indicates a traffic burst or a logging loop.
Volume drop (silence)
Triggered when log volume drops to less than 20% of baseline. Indicates that a service may be down or may have stopped sending logs.
Two-strike rule
To avoid false positives from single-tick anomalies, LogFlow requires two consecutive anomalous checks (10 minutes) before firing. Once an anomaly is resolved, it also requires two consecutive normal checks before marking the anomaly as recovered.
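The three threshold checks and the two-strike rule above, written out as an added Python example that is not LogFlow's own code. The behaviour exactly at a threshold, the handling of an empty baseline, and all names (Window, classify, TwoStrike, run) are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

TYPES = ("error_rate_spike", "volume_spike", "volume_drop")
@dataclass
class Window:
    errors: int  # error-level logs in one 5-minute window
    total: int   # all logs in that window

def classify(cur, base):
    """Return the anomaly types whose thresholds the current window crosses."""
    if base.total == 0:  # assumption: no baseline data, so nothing to compare
        return set()
    hits = set()
    rate = cur.errors / cur.total if cur.total else 0.0
    if cur.errors >= 5 and rate >= 3 * base.errors / base.total:
        hits.add("error_rate_spike")   # 3x baseline rate, at least 5 errors
    if cur.total >= 100 and cur.total >= 5 * base.total:
        hits.add("volume_spike")       # 5x baseline volume, at least 100 logs
    if cur.total < 0.2 * base.total:
        hits.add("volume_drop")        # under 20% of baseline volume
    return hits

class TwoStrike:
    """Flip state only after two consecutive checks disagree with it."""
    active, streak = False, 0
    def update(self, hit):
        self.streak = self.streak + 1 if hit != self.active else 0
        if self.streak < 2:
            return None
        self.active, self.streak = hit, 0
        return "fired" if hit else "recovered"

def run(series):
    """Feed (current, baseline) pairs through the checks; return state changes."""
    trackers = {t: TwoStrike() for t in TYPES}
    events = []
    for tick, (cur, base) in enumerate(series):
        hits = classify(cur, base)
        for t in TYPES:
            event = trackers[t].update(t in hits)
            if event:
                events.append((tick, t, event))
    return events

BASE = Window(errors=2, total=1000)  # constructed baseline for the window
# Constructed sample: one (errors, total) pair per 5-minute check.
SAMPLE = [(Window(e, n), BASE) for e, n in [
    (2, 1000), (30, 1000), (2, 1000), (30, 1000), (40, 1000), (2, 1000),
    (30, 1000), (2, 1000), (2, 1000), (0, 150), (0, 100)]]
```

In the sample, the lone spike at check 1 never fires, and the single normal check at check 5 does not count as recovery because the next check is anomalous again.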
AI explanation
When an anomaly is detected, LogFlow uses Claude Haiku to generate a 2-3 sentence explanation of the likely cause, based on the anomaly type, current metrics, and sample error messages. The explanation is included in notifications and shown on the Anomalies page.
Notifications
Anomaly notifications are sent to all channels configured in your project's alerts. The notification includes:
- Anomaly type and severity (warning / critical)
- Current value vs baseline
- AI-generated explanation
- Link to view logs at the time of the anomaly
A recovery notification is sent when the anomaly resolves.