Some anomaly detection systems allow users to define custom rules for triggering notifications when computing events match the conditions of those rules. For example, a rule may be designed to notify a user when a threshold number of computing events match user-defined conditions within a predetermined time window. Some anomaly detection systems use aggregation techniques that cannot aggregate data based on user-defined subsets of the variable columns that exist within an aggregation table. For example, if an aggregation table includes ten (“10”) variable columns, some aggregation techniques cannot perform data aggregation against a user-defined subset of five (“5”) of these columns. These systems generate a separate aggregation table for each custom rule, which unfortunately increases the amount of computing resources consumed for table management. One reason for the increase in consumed computing resources is that the data size of an aggregation table for a particular rule depends on how many discrete computing events satisfy the conditions of that rule. As a result, some anomaly detection systems maintain aggregated data across a large number of relatively sparse aggregation tables—a computationally inefficient manner of storing and/or accessing the aggregated data in comparison to maintaining a single, relatively larger table.
Furthermore, some anomaly detection systems are limited to applying rules uniformly across a single predetermined time window that is hard-coded into the system. These systems cannot enable various users to customize some rules to be applied to a first custom time window and others to be applied to a second custom time window of a different length.
It is with respect to these and other considerations that the disclosure made herein is presented.