description: > Identify anomalous sessions using Agent Monitor data — cost outliers from the pricing engine, token anomalies (cache miss spikes, compaction baseline surges), unusual event type ratios (PreToolUse/PostToolUse gaps, APIError clusters), behavioral deviations from workflow intelligence (complexity score outliers, error propagation anomalies), and sessions with abnormal metadata (extreme turn_count, high thinking_blocks, zero turn_duration).

Anomaly Alert

Detect anomalous sessions in Claude Code Agent Monitor data.

Input

The user provides: $ARGUMENTS

This may be:

• "all" or empty (default: check all anomaly types)
• "cost" for cost anomalies only
• "duration" for duration anomalies only
• "errors" for error rate anomalies only
• A sensitivity level: "strict" (1σ), "normal" (2σ), "relaxed" (3σ)

Procedure

1. Fetch baseline data from http://localhost:4820:

   • GET /api/sessions?limit=500 — historical sessions for baseline
   • GET /api/analytics — aggregated metrics
   • GET /api/pricing/cost — cost data per session

2. Compute baselines for each metric:

   • Mean, median, standard deviation
   • P25, P75, P90, P95, P99 percentiles
   • Interquartile range (IQR) for robust outlier detection

3. Detect anomalies using statistical thresholds:

   Cost Anomalies

   • Sessions costing >2σ above mean
   • Single sessions exceeding daily average
   • Sudden cost spikes (session-over-session increase >200%)

   Duration Anomalies

   • Sessions lasting >2σ above mean duration
   • Extremely short sessions (<1 minute) that still incur cost
   • Sessions with unusual active-vs-idle ratios

   Error Rate Anomalies

   • Sessions with error rates >2σ above baseline
   • New error types not seen in previous sessions
   • Sessions with >3 consecutive tool failures

   Behavioral Anomalies

   • Unusual tool combinations not seen before
   • Sessions with abnormally high compaction counts
   • Model switches mid-session (if unexpected)
   • Sessions with no tool usage (pure conversation)

   Token Anomalies

   • Input/output token ratio far from historical norm
   • Cache miss rate significantly higher than average
   • Token usage growing faster than session count

4. Classify each anomaly:

   • 🔴 Critical: Likely indicates a real problem requiring attention
   • 🟡 Warning: Unusual but may be expected for certain tasks
   • 🔵 Info: Interesting deviation worth noting

Output Format

Present as an Anomaly Report:

═══════════════════════════════════════════════
  ANOMALY DETECTION REPORT
  Analyzed: N sessions | Baseline: last 30 days
  Anomalies found: N (🔴 N critical, 🟡 N warn, 🔵 N info)
═══════════════════════════════════════════════

For each anomaly:

• Session ID and timestamp
• Anomaly type and severity
• Observed value vs expected range
• Possible explanation
• Recommended action (if any)