AI Agent Memory: How Streaming Databases Power Agent State
Real-time anomaly detection identifies unusual patterns in streaming data — traffic spikes, sensor failures, fraud attempts, system errors — as they happen, not hours later in a batch report. SQL materialized views in a streaming database can implement statistical anomaly detection without ML infrastructure.
SQL-Based Anomaly Detection
-- Calculate rolling statistics
CREATE MATERIALIZED VIEW metric_stats AS
SELECT metric_name,
AVG(value) as mean_1h,
STDDEV(value) as stddev_1h,
COUNT(*) as samples_1h
FROM metrics WHERE ts > NOW() - INTERVAL '1 hour'
GROUP BY metric_name;
-- Detect anomalies (>3 standard deviations)
CREATE MATERIALIZED VIEW anomalies AS
SELECT m.metric_name, m.value, m.ts, s.mean_1h, s.stddev_1h,
(m.value - s.mean_1h) / NULLIF(s.stddev_1h, 0) as z_score
FROM metrics m JOIN metric_stats s ON m.metric_name = s.metric_name
WHERE ABS((m.value - s.mean_1h) / NULLIF(s.stddev_1h, 0)) > 3;
Anomaly Detection Patterns
| Pattern | SQL Logic | Detects |
| Z-score | (value - mean) / stddev > 3 | Statistical outliers |
| Rate change | current / previous > threshold | Sudden spikes/drops |
| Missing data | NOW() - MAX(ts) > threshold | Dead sensors, broken pipelines |
| Cardinality | COUNT(DISTINCT) spike | New error types, scan attacks |
Frequently Asked Questions
Can SQL replace ML for anomaly detection?
For statistical anomalies (z-score, rate changes, missing data), SQL is sufficient and simpler. For complex, learned patterns (behavioral anomalies, sophisticated fraud), combine SQL features with ML models via UDFs.
