Unomaly core concepts

Unomaly is a software product that automatically analyzes log data from software systems and detects anomalies in their data. This topic introduces core concepts for using Unomaly.

High level diagram


Systems are the originating sources of the log events that Unomaly analyzes. The sources may be a server, container, or application. You can configure systems to send their data to Unomaly using log shippers, standard data protocols such as syslog, or one of our pre-built integrations to collect data from other technologies. Read more about "How to send data to Unomaly".

Systems can be organized into Groups to give you an overview of your data for related systems. Groups lets you monitor and investigate across multiple related systems. Read more about how to "Manage systems and groups".


Unomaly learns the structure of all incoming events and builds a library of profiles for each event. Event profiles are created during training for the system and continuously updated as the system receives more data. New incoming events are matched against the learned profiles to determine whether they have been seen before or are new anomalies. Read more about "How Unomaly detects anomalies".


Anomalies are the changes in your log data that falls outside of the normal patterns identified by Unomaly. Unomaly detects anomalies based on the log event structure that it parses and based on the frequency changes or the stops of periodic log events. Read more about "How Unomaly detects anomalies" and how to "Investigate Anomalies".


If Unomaly repeatedly sees a log event, the log event becomes part of the learned events for a system and will no longer be highlighted by Unomaly. In some cases where the log event is important enough to track and keep highlighting, you can create a known for the log event. Creating a known means that you add contextual information, such as descriptions and tags to explain what the event means and how to resolve it. You can:

  • Specify how you want Unomaly to treat the event, such as whether or not to add it to a situation and assign it a score.
  • Filter on knowns and define actions to notify you when Unomaly detects the event.

Read more about how to "Define knowns to highlight log events".


Unomaly clusters anomalies that occurred within a rolling 60 second time period on a single system into a situation. Each situation has a score to indicate the type of anomaly that is most significant in the situation and the amount of anomalies. Read more about how to "Investigate Situations".


Actions let you define how Unomaly responds to triggers and conditions in systems and situations. When one of your systems goes offline or when the. production environment produces significant anomalies, you want Unomaly to take action. This action can be to send an email to a specific user, to post to a team chat room, or to flag the event for you to review later. Read more about how to "Configure actions and notifications".

You can add a custom action to post to external solutions, such as a team chat room. Unomaly provides integrations and plugins to common solutions, such as Slack, PagerDuty and Microsoft Teams, which you can install and configure to use with actions. See Unomaly Integrations and Plugins.