Real-Time Distribution Shape Monitoring With Timeplus

When your devops monitoring dashboards show "average response time: 200ms," you might think everything is fine. But what if 95% of requests complete in 50ms while 5% take 5 seconds? The average is misleading, and by the time you realize there's a problem, your application users have already suffered through poor experiences.

Traditional monitoring focuses on central tendency (mean, median) and spread (standard deviation), but these metrics often miss critical distribution anomalies. This is where skewness and kurtosis come in—two powerful statistical measures that reveal the true shape of your data distribution. And when monitored in real-time streams, they become early warning systems for detecting degradation, attacks, and failures before they escalate.

Understanding Distribution Shape: More Than Just Averages

Skewness: The Asymmetry Indicator

Skewness measures the asymmetry of your distribution around its mean. Think of it as answering: "Are my outliers pulling to the left or right?"

Skewness = 0  → Symmetric (like normal distribution)
Skewness > 0  → Right-skewed (long tail on right)
Skewness < 0  → Left-skewed (long tail on left)

For example: In a healthy web service, response times might show slight positive skew (most requests are fast, occasional slow ones). But if skewness suddenly increases dramatically, you're seeing more slow requests—a sign of degradation.

Kurtosis: The Outlier Detector

Kurtosis measures "tailedness"—how prone your distribution is to extreme values:

Kurtosis = 3  → Mesokurtic (normal distribution baseline)
Kurtosis > 3  → Leptokurtic (heavy tails, more outliers)
Kurtosis < 3  → Platykurtic (light tails, fewer outliers)

For example: A sudden spike in kurtosis for transaction amounts means you're seeing extreme values mixed with normal ones. That's a classic fraud pattern.

The Real-Time Advantage: Why Streaming Matters

Calculating these metrics on historical data is useful for analysis, but monitoring them in real-time streams is more important:

1. Early Warning System: Distribution shape changes often precede obvious metric violations

2. Context-Aware Alerting: A spike in response time means different things with different distribution shapes

3. Automated Response: Trigger autoscaling, circuit breakers, or failovers based on distribution shifts

4. Root Cause Analysis: Understand whether issues are widespread or caused by outliers

Traditional batch analytics forces you to wait minutes or hours to detect these patterns. With streaming analytics, you detect them within seconds.

Timeplus in Action: Computing Distribution Shape on Streams

Timeplus provides native SQL functions for computing skewness and kurtosis on streaming data. Users can continuously monitor tumble or hopping windows, and ask the question what is the latest data distributions for specific metrics in real-time.

Population vs Sample Variants

Use _pop when analyzing complete populations (all logs, all transactions).

Use _samp when working with samples and want unbiased estimates.

Real-World Use Cases

Here are some sample use cases for your reference:

1. Network Traffic Anomaly Detection

The below query detects:

• Sudden shift in skewness: From near-zero to highly positive indicates DDoS attacks or service degradation beginning

• High kurtosis spike: Extreme outliers appearing, potential security incidents or infrastructure failures

2. Financial Transaction Monitoring

Detection patterns:

• Normal merchants: Low skewness (±0.5), normal kurtosis (~3)

• Fraud pattern: Sudden increase in both skewness and kurtosis—large fraudulent transactions mixed with normal ones

• Compromised accounts: Kurtosis spike without skewness change—unusual amounts but no clear direction

3. IoT Sensor Health Monitoring

Predictive maintenance signals:

• Sensor drift: Gradually increasing skewness over time

• Imminent failure: Kurtosis spike often appears hours before complete sensor failure

• Environmental anomalies: Sudden distribution shape changes indicating external factors

4. User Behavior Analytics

Anomaly detection:

• Bot traffic: Extremely low skewness and kurtosis (too uniform to be human)

• Scraping activity: High kurtosis in page views (some sessions with abnormally high page counts)

Testing It Out: Generate Synthetic Distributions

Want to experiment? Here's how to create a test stream with different distribution shapes using Timeplus random stream, please try it out:

This query generates different distribution types and monitors their shapes in real-time, giving you a feel for what different skewness and kurtosis values mean.

Summary

Mean and median tell you where your data's center is. Standard deviation tells you how spread out it is. But skewness and kurtosis tell you the shape of your distribution—and in that shape lies critical information about system health, security threats, and impending failures.

With Timeplus's streaming analytics, you can monitor these distribution characteristics in real-time, turning them from normal statistics into practical operational tools. The next time someone asks "what's the average response time?", you may want to ask: "but what's the skewness and kurtosis?"

Because sometimes, the shape of your data is more important than the numbers themselves.

The sample query I provided today can be run in both open source Timeplus Proton or Timeplus Enterprise.

Try Proton here: https://github.com/timeplus-io/proton 

Try Timeplus Enterprise, free for 30 days: https://timeplus.com/download