
MAD-Based Anomaly Detection

The MAD Check plugin delivers real-time anomaly detection at ingest, using Median Absolute Deviation to catch outliers as data lands in InfluxDB 3. It helps teams spot abnormal behavior early, cut alert noise, and respond faster, with configurable thresholds and built-in notifications for infrastructure, IoT, and other fast-moving telemetry.

Configuration

Plugin parameters may be specified as key-value pairs in the --trigger-arguments flag (CLI) or in the trigger_arguments field (API) when creating a trigger. Some plugins support TOML configuration files, which can be specified using the plugin’s config_file_path parameter.

If a plugin supports multiple trigger specifications, some parameters may depend on the trigger specification that you use.

Plugin metadata

This plugin includes a JSON metadata schema in its docstring that defines supported trigger types and configuration parameters. This metadata enables the InfluxDB 3 Explorer UI to display and configure the plugin.

Required parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| measurement | string | required | Source measurement to monitor for anomalies |
| mad_thresholds | string | required | MAD threshold conditions. Format: field:k:window_count:threshold |
| senders | string | required | Dot-separated list of notification channels (e.g., “slack.discord”) |

MAD threshold parameters

| Component | Description | Example |
|---|---|---|
| field_name | The numeric field to monitor | temp |
| k | MAD multiplier for anomaly threshold | 2.5 |
| window_count | Number of recent points for MAD computation | 20 |
| threshold | Count (integer) or duration (e.g., “2m”, “1h”) | 5 or 2m |

Multiple thresholds are separated by @: temp:2.5:20:5@load:3:10:2m

Optional parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| influxdb3_auth_token | string | env var | API token for InfluxDB 3 (or use INFLUXDB3_AUTH_TOKEN env var) |
| state_change_count | string | “0” | Maximum allowed value flips before suppressing notifications |
| notification_count_text | string | see Default notification templates | Template for count-based alerts with variables: $table, $field, $threshold_count, $tags |
| notification_time_text | string | see Default notification templates | Template for duration-based alerts with variables: $table, $field, $threshold_time, $tags |
| notification_path | string | “notify” | URL path for the notification sending plugin |
| port_override | string | “8181” | Port number where InfluxDB accepts requests |

Default notification templates

  • Count: “MAD count alert: Field $field in $table outlier for $threshold_count consecutive points. Tags: $tags”
  • Time: “MAD duration alert: Field $field in $table outlier for $threshold_time. Tags: $tags”

Notification channel parameters

Slack

| Parameter | Type | Required | Description |
|---|---|---|---|
| slack_webhook_url | string | Yes | Webhook URL from Slack |
| slack_headers | string | No | Base64-encoded HTTP headers |

Discord

| Parameter | Type | Required | Description |
|---|---|---|---|
| discord_webhook_url | string | Yes | Webhook URL from Discord |
| discord_headers | string | No | Base64-encoded HTTP headers |

HTTP

| Parameter | Type | Required | Description |
|---|---|---|---|
| http_webhook_url | string | Yes | Custom webhook URL for POST requests |
| http_headers | string | No | Base64-encoded HTTP headers |

SMS/WhatsApp (via Twilio)

| Parameter | Type | Required | Description |
|---|---|---|---|
| twilio_sid | string | Yes | Twilio Account SID (or use TWILIO_SID env var) |
| twilio_token | string | Yes | Twilio Auth Token (or use TWILIO_TOKEN env var) |
| twilio_from_number | string | Yes | Sender phone number |
| twilio_to_number | string | Yes | Recipient phone number |

TOML configuration

| Parameter | Type | Default | Description |
|---|---|---|---|
| config_file_path | string | none | TOML config file path relative to PLUGIN_DIR (required for TOML configuration) |

To use a TOML configuration file, set the PLUGIN_DIR environment variable and specify the config_file_path in the trigger arguments. This is in addition to the --plugin-dir flag when starting InfluxDB 3.

Example TOML configuration

https://github.com/influxdata/influxdb3_plugins/blob/main/influxdata/mad_check/mad_anomaly_config_data_writes.toml

For more information on using TOML configuration files, see the Using TOML Configuration Files section in the influxdb3_plugins/README.md.

Examples

Example 1: Basic count-based anomaly detection

Detect when temperature deviates by more than 2.5 MADs from the median for 5 consecutive points:

# Create trigger for count-based detection
# The webhook variable sits outside the single quotes so the shell expands it
influxdb3 create trigger \
  --database sensors \
  --path "gh:influxdata/mad_check/mad_check_plugin.py" \
  --trigger-spec "all_tables" \
  --trigger-arguments 'measurement=environment,mad_thresholds="temperature:2.5:20:5",senders=slack,slack_webhook_url="'"$SLACK_WEBHOOK_URL"'"' \
  temp_anomaly_detector

# Write test data with an anomaly
influxdb3 write \
  --database sensors \
  "environment,room=office temperature=22.1"
influxdb3 write \
  --database sensors \
  "environment,room=office temperature=22.3"
influxdb3 write \
  --database sensors \
  "environment,room=office temperature=45.8"  # Anomaly
# Continue writing anomalous values...

Set SLACK_WEBHOOK_URL to your Slack incoming webhook URL.

Expected output

  • Plugin maintains a 20-point window of recent temperature values
  • Computes median and MAD from this window
  • When temperature falls outside median ± 2.5*MAD for 5 consecutive points, sends Slack notification
  • Notification includes: “MAD count alert: Field temperature in environment outlier for 5 consecutive points. Tags: room=office”

Example 2: Duration-based anomaly detection with multiple fields

Monitor CPU load and memory usage with different thresholds:

# Create trigger with multiple thresholds
# The webhook variables sit outside the single quotes so the shell expands them
influxdb3 create trigger \
  --database monitoring \
  --path "gh:influxdata/mad_check/mad_check_plugin.py" \
  --trigger-spec "all_tables" \
  --trigger-arguments 'measurement=system_metrics,mad_thresholds="cpu_load:3:30:2m@memory_used:2.5:30:5m",senders=slack.discord,slack_webhook_url="'"$SLACK_WEBHOOK_URL"'",discord_webhook_url="'"$DISCORD_WEBHOOK_URL"'"' \
  system_anomaly_detector

Set SLACK_WEBHOOK_URL and DISCORD_WEBHOOK_URL to your webhook URLs.

Expected output

  • Monitors two fields independently:
    • cpu_load: Alerts when the value stays more than 3 MADs from the median for 2 minutes
    • memory_used: Alerts when the value stays more than 2.5 MADs from the median for 5 minutes
  • Sends notifications to both Slack and Discord

Example 3: Anomaly detection with flip suppression

Prevent alert fatigue from rapidly fluctuating values:

# Create trigger with flip suppression
# Only the webhook variable is shell-expanded; $table, $field and $tags stay
# inside single quotes so they reach the plugin as template variables
influxdb3 create trigger \
  --database iot \
  --path "gh:influxdata/mad_check/mad_check_plugin.py" \
  --trigger-spec "all_tables" \
  --trigger-arguments 'measurement=sensor_data,mad_thresholds="vibration:2:50:10",state_change_count=3,senders=http,http_webhook_url="'"$HTTP_WEBHOOK_URL"'",notification_count_text="Vibration anomaly detected on $table. Field: $field, Tags: $tags"' \
  vibration_monitor

Set HTTP_WEBHOOK_URL to your HTTP webhook endpoint.

Expected output

  • Detects vibration anomalies exceeding 2 MADs for 10 consecutive points
  • If values flip between normal/anomalous more than 3 times in the 50-point window, suppresses notifications
  • Sends custom formatted message to HTTP endpoint
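
The windowed MAD check from Example 1 and the flip suppression from Example 3, as an added Python sketch that is not the plugin's own code. It assumes the plugin scores a point only against a full window, lets outliers enter the baseline, and treats state_change_count=0 as "suppression off"; SHIFT is constructed data and the function names are hypothetical.

```python
from collections import deque
from statistics import median

def parse_mad_thresholds(spec):
    """Parse 'field:k:window_count:threshold' entries separated by '@'."""
    rules = []
    for entry in spec.split("@"):
        field, k, window, threshold = entry.split(":")
        rule = {"field": field, "k": float(k), "window": int(window)}
        # An all-digit threshold is a point count; anything else ("2m", "1h")
        # is a duration, kept as text here because this sketch has no timestamps.
        rule["count" if threshold.isdigit() else "duration"] = (
            int(threshold) if threshold.isdigit() else threshold)
        rules.append(rule)
    return rules

def is_outlier(window, value, k):
    """True when value lies outside median +/- k*MAD of the window."""
    med = median(window)
    mad = median(abs(x - med) for x in window)
    # A constant window gives MAD == 0, so any different value is flagged.
    return abs(value - med) > k * mad

def detect(values, rule, state_change_count=0):
    """Return the indexes at which a count-based alert would be sent."""
    window = deque(maxlen=rule["window"])
    flags = deque(maxlen=rule["window"])  # normal/outlier history for flip counting
    alerts, streak = [], 0
    for i, value in enumerate(values):
        # Assumption: score only against a full window that excludes the new point.
        outlier = len(window) == window.maxlen and is_outlier(window, value, rule["k"])
        flags.append(outlier)
        streak = streak + 1 if outlier else 0
        flips = sum(a != b for a, b in zip(flags, list(flags)[1:]))
        # Assumption: 0 (the documented default) disables suppression.
        suppressed = state_change_count > 0 and flips > state_change_count
        if streak == rule["count"] and not suppressed:
            alerts.append(i)
        window.append(value)  # outliers join the baseline too (assumption)
    return alerts

# Constructed sample: five normal readings, then a sustained jump.
SHIFT = [22.0, 22.1, 22.3, 22.2, 22.1, 45.8, 46.0, 45.9, 46.1]
if __name__ == "__main__":
    rule = parse_mad_thresholds("temperature:2.5:5:3@load:3:10:2m")[0]
    print(detect(SHIFT, rule))  # alert index for the sustained jump
```

Under these assumptions the sustained jump alerts once and then becomes the new median as soon as it fills more than half of the 5-point window, so a threshold count larger than half the window would never fire on a level shift.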
