Data-write
River Anomaly Detection
Most anomaly detectors make you choose between tuning them constantly or accepting that they’ll drift out of relevance. The River Anomaly Detector for InfluxDB 3 skips that tradeoff. It learns incrementally from every observation, adapts its strategy as your data’s character changes, and persists its models across restarts. Create a trigger, point it at a table, and anomalies start appearing in _anomalies.{your_table} - no configuration required.
Configuration
Arguments can be passed inline (space-separated lists) or via TOML config file (native TOML lists). Parameter names are the same in both modes.
| Argument | Required | Default | Description |
|---|---|---|---|
include_fields |
No | ”” | Fields to monitor (space-separated). If set, only these numeric fields are processed |
exclude_fields |
No | ”” | Fields to exclude from detection (space-separated) |
exclude_tables |
No | ”” | Tables to skip when using all_tables trigger (space-separated) |
string_fields |
No | ”” | String columns that are fields, not tags (space-separated). All other strings become tags |
rolling_std_threshold |
No | 5.0 | Standard deviations from the mean to flag as anomaly |
ew_fading_factor |
No | 0.3 | Fading factor for exponentially weighted stats (lower = longer memory) |
combination_mode |
No | any | How to combine detector votes: any (OR), majority, or all (AND) |
enable_seasonal |
No | ”” | Force seasonal detection: true/false to override, empty = auto from profiler |
enable_adwin |
No | ”” | Force ADWIN drift detection: true/false to override, empty = auto from profiler |
detector_mode |
No | ”” | Explicitly set detector mode components (space-separated or TOML list). Overrides profiler’s mode recommendation. |
adwin_delta |
No | 0.002 | ADWIN sensitivity parameter. Lower values = more sensitive to drift |
seasonal_fading_factor |
No | 0.1 | Fading factor for seasonal bucket stats (lower = longer memory) |
seasonal_period |
No | ”” | Seasonal bucket period: hourly (24 buckets, hour-of-day) or weekly (168 buckets, hour-of-week). Empty = auto from profiler, falls back to hourly |
seasonal_threshold |
No | 3.0 | Std devs from seasonal bucket mean to flag as anomaly |
min_seasonal_observations |
No | 5 | Min observations per bucket before contributing to anomaly detection |
min_rolling_observations |
No | 10 | Min total observations per series before the rolling Z-score starts scoring (cold-start guard) |
max_series |
No | 1000 | Max unique series to track (LRU eviction) |
auto_tune |
No | true | Read per-series parameters from _meta.series_profiles (requires auto-profiler plugin) |
tune_refresh_interval |
No | 100 | Observations per series between auto-tune refreshes from _meta.series_profiles |
log_anomalies |
No | true | Log detected anomalies to server log |
checkpoint_interval_seconds |
No | 1800 | Seconds between model checkpoints to the database |
max_checkpoint_age_hours |
No | 24 | Ignore checkpoints older than this when restoring |
min_checkpoint_observations |
No | 10 | Skip checkpointing models with fewer observations than this (avoids persisting cold-start state) |
config_file_path |
No | — | Path to TOML config file. Supports absolute paths or relative paths (resolved via PLUGIN_DIR) |
Ready to get started?
Download InfluxDB 3 and have running in minutes.
