Log Anomaly Detection Reset
In LM Logs, resetting the log anomaly profile is recommended because it keeps the baseline relevant and anomaly detection accurate. Without a reset, an anomaly is flagged only once for that device, so new behaviors or significant log pattern changes can be missed. Regular resets improve troubleshooting and keep anomaly detection relevant. A structured reset approach ensures meaningful insights, reduced alert fatigue, and accurate anomaly detection in evolving IT environments.
The following list describes the key benefits of resetting a log anomaly profile:
- Detects new log behaviors and changes in both the sandbox and production environments.
- Validates pipeline alerts for anomalies or “Never-before-seen” conditions.
- Resets logs after a major outage to remove outdated anomalies.
- Transitions smoothly from trial to production with a clean slate.
- Maintains accuracy with user-initiated periodic resets (monthly, quarterly, or annually).
- Adapts to new applications, system changes, or infrastructure migrations.
- Ensures compliance during audits by refreshing anomaly baselines to detect new threats.
Understanding Where You Can Reset Anomaly Detection
You can reset anomaly detection at multiple levels within your Resource Tree. This flexibility enables you to apply the reset based on the scope of impact you need—whether it’s a single resource or your entire portal.
You can reset anomaly detection at the following levels:
- Resource level—Resets the anomaly detection model for an individual resource. Useful when a single resource’s behavior has changed significantly.
- Resource group level—Resets the models for all resources within the group. This is helpful when multiple related resources undergo a shared change, such as a deployment.
- Portal level—Resets the anomaly detection models for your entire LogicMonitor portal. Use with caution, as this action impacts all resources and may result in a temporary increase in alert noise as new models are retrained.
Each reset type may require some time to retrain anomaly models and stabilize alert behavior. Choose the appropriate level based on the scale of changes in your monitored environment.
Log Anomaly Detection Reset Limitations
You can reset the anomaly detection feature multiple times. The following limits apply within each 24-hour period:
- Resource or Resource Group Level—You can reset anomalies up to three times within a 24-hour period. The reset interval starts after the third reset.
- Portal Level—You can reset anomalies once every 24 hours. The reset interval starts immediately after the reset is performed.
If you try to reset anomalies during the reset interval, a message displays the time remaining until the next reset.
For example, if you perform a portal level reset at 1:00 PM, the feature is unavailable until 1:00 PM the next day. If you try again at 1:30 PM, the following message is displayed:
“Please try again after 23 hours and 30 minutes.”
Note: These reset limits apply at the portal level, not per user. If multiple users access the same portal, the limits remain shared across all users.
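The limits above can be mirrored in a small local ledger that a team checks before asking for a reset. This is an added example, not LogicMonitor code: `ResetLedger`, `format_wait` and the `scope` key are hypothetical names, and the rule that unused earlier resets stop counting after 24 hours is an assumption.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
# Resets allowed per 24-hour period, as stated in the limits above.
LIMITS = {"portal": 1, "resource": 3, "group": 3}


class ResetLedger:
    """One ledger per portal: the limits are shared by every user of it."""

    def __init__(self):
        self._resets = {}  # (level, scope) -> times of resets still counted

    def remaining_wait(self, level, scope, now):
        """Return how long a reset is still blocked (zero if allowed)."""
        key = (level, scope)
        times = self._resets.get(key, [])
        if len(times) >= LIMITS[level]:
            # The interval runs for 24 hours from the reset that used up
            # the allowance (the third one, or the single portal reset).
            unlock = times[-1] + WINDOW
            if now < unlock:
                return unlock - now
            times = []  # interval over: the allowance starts fresh
        else:
            # Assumption: unused earlier resets stop counting after 24 hours.
            times = [t for t in times if now - t < WINDOW]
        self._resets[key] = times
        return timedelta(0)

    def record_reset(self, level, scope, now):
        """Record a reset, or return the wait message if it is blocked."""
        wait = self.remaining_wait(level, scope, now)
        if wait:
            return format_wait(wait)
        self._resets[(level, scope)].append(now)
        return None


def format_wait(wait):
    """Render the remaining time in the form of the message quoted above."""
    minutes = -(-int(wait.total_seconds()) // 60)  # round up to a whole minute
    return f"Please try again after {minutes // 60} hours and {minutes % 60} minutes."
```

Because the limits are shared across users, the ledger is only useful if everyone who can reset anomalies records against the same instance.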
Recommendation: To maintain accurate anomaly detection, consider the following:
- Perform a portal-wide reset at least once per year to reflect current system behavior.
- Temporarily disable “Never-before-seen” alerts during resets to avoid unnecessary alert floods.
- Reset anomaly profiles at the resource or group level as needed for infrastructure changes, testing, or post-outage recovery.
Requirements for Resetting Log Anomaly Detection
To reset the log anomaly profile, you must have Manage Resource permissions on the folder or root directory. This requirement applies to portal, resource, and resource group resets.
Note: If you do not have the required permissions and try to reset log anomalies for a resource or resource group, the Reset Log Anomaly Detection option is displayed in the LogicMonitor user interface, but selecting it results in an error. For portal level resets, if you do not have permissions on the root directory, the Reset Log Anomaly Detection option will not be available.
Resetting Log Anomaly Detection at Resource Level
- In LogicMonitor, navigate to Resource Tree.
- Select the desired resource and select the Logs tab.
- Select the More menu, then select Reset anomaly detection. A message confirming your selection is displayed.
- Select Reset anomaly detection to confirm reset of the selected resource.
A success message displays confirming that log anomaly detection has been reset.
The system resets anomaly detection within a few seconds, but it may take up to a minute for anomalies to appear.
Resetting Log Anomaly Detection at Resource Group Level
- In LogicMonitor, navigate to Resource Tree and select the desired resource group.
- Select the Logs tab, select the More menu, and select Reset log anomaly detection.
- In the confirmation dialog box, select Reset anomaly detection.
A success message displays confirming that log anomaly detection has been reset.
The success message may take up to one minute to appear, and anomalies can take up to 15 minutes to trigger, depending on the number of resources in the group.
Resetting Log Anomaly Detection at Portal Level
- In LogicMonitor, navigate to Resource Tree, and select the root folder.
- Select the More menu, and select Reset log anomaly detection.
- In the confirmation dialog box, select Reset anomaly detection.
A success message displays confirming that log anomaly detection has been reset.
Portal-level anomaly detection resets can take longer. Reset time depends on the number of resources sending logs.