In this article we will go through common concepts that we work with in the Timeseries Insights API and try to provide an intuitive explanation on what they represent.


An event is a data point and the raw input that the Timeseries Insights API works with. Conceptually it represents either an action being carried out by some agent (e.g. a transaction by a client or the publishing of a news article) or an observation (e.g. the readings of a temperature sensor, or CPU usage on a machine).

An event contains:

  • A set of values across different dimensions, representing properties which describe the event, such as labels or numerical measurements.
  • A timestamp representing the time when the event occurred. This timestamp will be used when placing events onto a time series.
  • A group id.


A dimension represents a property type for the events in a data set and the domain of values it can take. A dimension can be:

  • Categorical. An event property on this dimension can hold one of a limited/finite values, usually strings. Examples include: the country or publisher name in a data set with news articles, the machine name in a data set with production monitoring data.
  • Numerical. A measurement or a general numerical property for an event. Examples: number of page views for news articles, CPU usage or number of errors for production monitoring data.


A dataset is a collection of events.


Events can be grouped together by specifying the same group id (see Event.groupId).

The purpose of the group is to compute correlations between events from the same group, but the current version of the API does not expose this functionality. For example, if your dataset holds monitoring data (such as CPU%, RAM, etc), then a group could hold all the monitoring data from one process. That would eventually allow us to detect that an increase in CPU% is correlated with another event, such as a binary version update at a previous moment in time.

If unsure, or if not interested in computing these types of correlations, then each event should have a globally unique group id.


A slice is the subset of all events from a dataset that have the same values across some categorical dimensions.

For example, let's consider we have a data set with the sales from an international retailer and each event is a sale that has these categorical dimensions: the country where the sale occurred, the name of the product, the name of the company that made the product. Example of slices in this case are: all the sales for a given product, all the sales from a given country for all the products made by a given company.

Time series

The time series we work with are discrete, composed of points at fixed time intervals. The length of the time intervals between consecutive time series points is called the granularity of the time series.

A time series is computed by:

  • For a given slice, accumulate all events in the [detectionTime - TimeseriesParams.forecastHistory, detectionTime + granularity] time interval.
  • Group these events, based on their timestamp. An event E is assigned to a point that starts at time T if E.eventTime is in the [T, T + granularity] time interval.
  • Aggregate, for every point in the time series, the events based on the specified metric (TimeseriesParams.metric), which represents the value for those points.

Time series point

Each time series point has an associated time and value.

The value of the point is given by the metric (TimeseriesParams.metric), which denotes a numerical dimension in the accumulated events at that point that will be aggregated. If no metric is specified, the value for the point is the number of events accumulated at that point.


The process of predicting future values for a given time series.


The holdout is the last portion of the time series (exact length decided internally) that is used to evaluate how well our forecasting model performs. If we have higher forecast errors during the holdout period, we will reduce the confidence of our forecast by widening the forecast bounds.


We will forecast the values of a time series starting from the detection time up to the time horizon (given by the ForecastParams.horizon_time field).

Intuitively, this field tells us how much in the future we should forecast. While we are mostly interested in the value of the detection point when classifying a slice as an anomaly, we allow extra points to be forested as it may provide useful information for the user.

Detection time and detection point

The detection time (specified by QueryDataSetRequest.detectionTime) is the point in time that we are analyzing for any potential anomalies.

The detection point is the time series point at the detection time.


A slice is marked as an anomaly if, after forecasting, we have a predicted value at the detection point that is outside the expected range based on the specified sensitivity.

What's next