We are trying to prevent additional support ticket volume after we've detected a major incident for a client, so we would like to know as early as possible if volume is unusual. If I set my buckets to 30m we would get an early alert, but due to multi-bucket anomalies this will alert every 30 minutes throughout several hours on some days. We are going to change to 60m in order to prevent alert fatigue, because if we over-alert they will just get ignored.
Do you happen to know the answer to my original question? Does a multi-bucket score get recalculated for a past bucket once new data is available or does the multi-bucket impact score get calculated once?
Sometimes I notice multi-bucket anomalies don't begin with a score of -5. They will have 0.2 or something. Is it because the model looked back up to 12 buckets (6 or 12 hours before) and saw something?
Also, why would I only choose where only the multi-bucket impact is -5? Why not 0 or -3 or even 3? I'm concerned some alerts won't go through because we completely ignored multi-bucket impacts. I'm not sure what the best selection is here.
Ever consider giving users the option to turn off multi-bucket anomaly detection?