cpu.idlemetric on a system and have the observations plotted below. In this case, the time series isn’t particularly interesting. The values vary a reasonable amount, but overall it’s fairly stable and most values hover around 130 or so. From a time series analysis perspective, this is considered to be fairly stationary. If you tried to predict the next value, your best guess would probably be around 130. It’s impossible to be exactly right with a prediction like this, but picking a value like 130 would appear to be the least incorrect.
SmoothingExponential smoothing refers to the use of an exponentially weighted moving average (EWMA) to “smooth” a time series. If you have some time series xt, you can define a new time series st that is a smoothed version of xt.
Stationarity, Trend, and SeasonalityThere are many ways to characterize a time series, but we’ll focus on three simple, closely related ones: stationarity, trend, and seasonality. Stationarity refers to how stable the values of a time series are. For simplicity, let’s just say we consider a time series to be stationary if it has a constant mean. A stationary time series won't have any kind of increasing or decreasing pattern, and its points will generally hover around the same value, the mean. Because of this characteristic, a simple EWMA, which estimates the mean, is so helpful for forecasts. Trend refers to a long-term movement of a time series in a particular direction. With linear trend, time series points will approximately follow a line. It’s also possible to have higher order trends, such as quadratic trend where points follow a parabola. Seasonality refers to a periodic pattern. A great example of a seasonal time series is the temperature in a particular location. A time series can have multiple seasons with different periods The Keeling Curve, which plots the measured concentration of CO2 in the atmosphere, has a positive trend and seasonality. You may notice something interesting going on with the smoothed series with the lower weight. It tends to lag behind our original data because more recent values have lower influence. This is especially noticeable with the seasonal time series. This is important! Because you’re using the smoothed values to forecast, any significant deviation in the smoothed values will throw off your prediction. If you notice your time series isn't stationary, you’ll have to find something other than a simple EWMA to do your forecasting.
Double and Triple Exponential SmoothingIn the late 1950s, Charles Holt recognized the issue with the simple EWMA model with time series with trend. He modified the simple exponential smoothing model to account for a linear trend. This is known as Holt’s exponential smoothing. This model is a little more complicated. It consists of two EWMAs: one for the smoothed values of xt, and another for its slope. The terms level and trend are also used.
SummaryReal-time anomaly detection is really a forecasting problem, since you can’t know what to expect in the present unless you use the past to forecast. Forecasting time series data can get really sophisticated and complicated, but a lot of simple and efficient techniques like an EWMA can give most of the benefit with a small fraction of the cost, effort, and complexity. More complex techniques can be good for very specific cases, but come at the cost of losing generality and requiring a lot more tweaking and parameter selection, which can be surprisingly delicate to do well.