How PostHog Usage Anomaly Detector Automates Product Analytics
The Problem
Daily usage anomaly detection from PostHog — statistical baseline comparison with probable cause analysis. Silent when normal, alerts only on true anomalies. That single sentence captures a workflow gap that costs product and engineering teams hours every week. The manual process behind what PostHog Usage Anomaly Detector automates is familiar to anyone who has worked in a revenue organization: someone pulls data from PostHog and Slack, copies it into a spreadsheet or CRM, applies a mental checklist, writes a summary, and routes it to the next person in the chain. Repeat for every record. Every day.
Three problems make this unsustainable at scale. First, the process does not scale. As volume grows, the human bottleneck becomes the constraint. Whether it is inbound leads, deal updates, or meeting prep, a person can only process a finite number of records before quality degrades. Second, the process is inconsistent. Different team members apply different criteria, use different formats, and make different judgment calls. There is no single standard of quality, and the output varies from person to person and day to day. Third, the process is slow. By the time a manual review is complete, the window for action may have already closed. Deals move, contacts change roles, and buying signals decay.
These are not theoretical concerns. They are the operational reality for product and engineering teams handling product analytics and monitoring workflows. Every hour spent on manual data processing is an hour not spent on the work that actually moves the needle: building relationships, closing deals, and driving strategy.
This is the gap PostHog Usage Anomaly Detector fills.
Teams typically spend 30-60 minutes per cycle on the manual version of this workflow. PostHog Usage Anomaly Detector reduces that to seconds per execution, with consistent output quality every time.
What This Blueprint Does
Four Agents. Daily Anomaly Detection. Silent When Normal.
PostHog Usage Anomaly Detector is a multiple-node n8n workflow with 4 specialized agents. Each agent handles a distinct phase of the pipeline, and the handoff between agents is deterministic — no ambiguous routing, no dropped records. The blueprint is designed so that each agent does one thing well, and the overall pipeline produces a consistent, auditable output on every run.
Here is what each agent does:
- The Fetcher (Code-only): Queries PostHog API for daily usage metrics — event counts, unique users, session durations, and feature usage across the baseline window.
- The Assembler (Code-only): Computes statistical baselines using rolling averages and standard deviation for each tracked metric.
- The Analyst (Tier 2 Classification): Performs probable cause analysis for each detected anomaly: correlates with deployment timestamps, feature flag changes, marketing campaigns, and day-of-week patterns.
- The Formatter (Tier 3 Creative): SILENT when no anomalies detected — no Slack noise on normal days.
When the pipeline completes, you get structured output that is ready to act on. The blueprint bundle includes everything needed to deploy, configure, and customize the workflow. Specifically, you receive:
- 29-node main workflow + 3-node scheduler
- Daily usage anomaly detection from PostHog event data
- Statistical baseline comparison with rolling average and standard deviation
- Configurable anomaly threshold (default 2 standard deviations)
- Probable cause analysis correlating anomalies with deployments, flag changes, and campaigns
- Anomaly severity classification: INFO, WARNING, CRITICAL
- Anomaly type classification: organic, deployment-related, external, seasonal
- SILENT mode — zero Slack noise on normal days with no anomalies
- Alert-only notifications when true anomalies are detected
- Notion anomaly log for historical tracking (optional)
- Slack alert with anomaly details, probable causes, and investigation steps
- Configurable: tracked metrics, baseline window, deviation threshold
- Full technical documentation + system prompts
Every component is designed to be modified. The agent prompts are plain text files you can edit. The workflow nodes can be rearranged or extended. The scoring criteria, output formats, and routing logic are all exposed as configurable parameters — not buried in application code. This means PostHog Usage Anomaly Detector adapts to your specific process, terminology, and integration requirements without forking the entire workflow.
Every agent prompt in the bundle is a standalone text file. You can customize scoring criteria, output formats, and routing logic without modifying the workflow JSON itself.
How the Pipeline Works
Understanding how the pipeline works helps you customize it for your environment and troubleshoot issues when they arise. Here is a step-by-step walkthrough of the PostHog Usage Anomaly Detector execution flow.
Step 1: The Fetcher
Tier: Code-only
Queries PostHog API for daily usage metrics — event counts, unique users, session durations, and feature usage across the baseline window. Pulls both current day and historical baseline data for statistical comparison.
This stage is critical because it ensures that downstream agents receive structured, validated input. Each agent in the pipeline trusts the output contract of the previous agent. If The Fetcher identifies an issue — a missing field, a low-confidence score, or an unexpected input format — the pipeline handles it explicitly rather than passing garbage downstream. This is the difference between a prototype and a production-grade workflow: every handoff is defined, every edge case is documented.
Step 2: The Assembler
Tier: Code-only
Computes statistical baselines using rolling averages and standard deviation for each tracked metric. Identifies anomalies where current values deviate beyond the configurable threshold (default 2 standard deviations). Calculates anomaly magnitude and direction (spike or drop).
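The baseline check this step describes, as an added example (not code from the bundle): a rolling mean and standard deviation per metric, with today's value flagged when it sits at or beyond the threshold. Function names, metric names and sample data are constructed for illustration; the sample standard deviation (n - 1) and the `skipped` list are assumptions, the latter so that a run with missing data is not mistaken for a normal day.

```javascript
// Added example (not from the bundle). Metric names and data are constructed.
const BASELINE_DAYS = 28;        // default stated on the page
const DEVIATION_THRESHOLD = 2.0; // default stated on the page (standard deviations)

// Rolling baseline over the last `days` values (oldest -> newest, today excluded).
// Assumption: sample standard deviation (n - 1); the page does not say which form is used.
function baseline(history, days = BASELINE_DAYS) {
  const win = history.slice(-days).filter((v) => Number.isFinite(v));
  if (win.length < 2) return null; // too little data for a deviation
  const mean = win.reduce((a, b) => a + b, 0) / win.length;
  const variance = win.reduce((a, v) => a + (v - mean) ** 2, 0) / (win.length - 1);
  return { mean, std: Math.sqrt(variance), n: win.length };
}

// Returns anomalies plus the metrics that could not be evaluated, so that
// "nothing to report" and "nothing could be checked" stay distinguishable.
function detectAnomalies(series, today, threshold = DEVIATION_THRESHOLD) {
  const anomalies = [];
  const skipped = [];
  for (const [metric, history] of Object.entries(series)) {
    const base = baseline(history);
    const current = today[metric];
    if (base === null || !Number.isFinite(current)) {
      skipped.push(metric);
      continue;
    }
    const delta = current - base.mean;
    if (delta === 0) continue;
    const flat = base.std === 0; // constant baseline: z-score is undefined
    const zScore = flat ? null : delta / base.std;
    if (!flat && Math.abs(zScore) < threshold) continue;
    anomalies.push({
      metric, current, mean: base.mean, std: base.std, zScore,
      flatBaseline: flat, direction: delta > 0 ? "spike" : "drop",
    });
  }
  return { anomalies, skipped };
}

// Constructed 28-day histories.
const alternating = (a, b) => Array.from({ length: 28 }, (_, i) => (i % 2 ? b : a));
const SAMPLE_SERIES = {
  pageview: alternating(100, 110), // mean 105
  signup: alternating(20, 22),     // mean 21
  api_call: Array(28).fill(50),    // flat baseline
  export_used: [3],                // too short to evaluate
};

const result = detectAnomalies(SAMPLE_SERIES, { pageview: 140, signup: 22, api_call: 50, export_used: 4 });
console.log(JSON.stringify(result, null, 2));
```

An empty `anomalies` array is the silent case; a non-empty `skipped` list is worth surfacing separately, since a failed fetch would otherwise look identical to a quiet day.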
Step 3: The Analyst
Tier: Tier 2 Classification
Performs probable cause analysis for each detected anomaly: correlates with deployment timestamps, feature flag changes, marketing campaigns, and day-of-week patterns. Classifies anomaly severity (INFO, WARNING, CRITICAL) and type (organic, deployment-related, external, seasonal).
Step 4: The Formatter
Tier: Tier 3 Creative
SILENT when no anomalies detected — no Slack noise on normal days. When anomalies are found: Slack alert with anomaly details, probable causes, and recommended investigation steps. Optional Notion log for anomaly history tracking.
The entire pipeline executes without manual intervention. From trigger to output, every decision point is deterministic: if a condition is met, the next agent fires; if not, the record is handled according to a documented fallback path. There are no silent failures. Every execution produces a traceable audit trail that you can review, export, or feed into your own reporting tools.
This architecture follows the ForgeWorkflows principle of tested, measured, documented automation. Every node in the pipeline has been validated during ITP (Inspection and Test Plan) testing, and the error handling matrix in the bundle documents the recovery path for each failure mode.
Tier references indicate the reasoning complexity assigned to each agent. Higher tiers use more capable models for tasks that require nuanced judgment, while lower tiers use efficient models for classification and routing tasks. This tiered approach optimizes both quality and cost.
Cost Breakdown
Daily statistical anomaly detection with probable cause analysis. Silent when metrics are normal — alerts only on true anomalies with severity classification and investigation recommendations.
The primary operating cost for PostHog Usage Anomaly Detector is the per-execution LLM inference cost. Based on ITP testing, the measured cost per run is $0.03–$0.10 (LLM cost $0 on normal days). This figure includes all API calls across all agents in the pipeline — not just the primary reasoning step, but every classification, scoring, and output generation call.
To put this in context, consider the manual alternative. A skilled team member performing the same work manually costs $50–75/hour at a fully loaded rate (salary, benefits, tools, overhead). If the manual version of this workflow takes 20–40 minutes per cycle, that is $17–50 per execution in human labor. The blueprint executes the same pipeline for a fraction of that cost, with consistent quality and zero fatigue degradation.
Infrastructure costs are separate from per-execution LLM costs. You will need an n8n instance (self-hosted or cloud) and active accounts for the integrated services. The estimated monthly infrastructure cost is ~$0.03-0.10 per daily run plus your PostHog subscription, depending on your usage volume and plan tiers.
Quality assurance: BQS audit result is 12/12 PASS. ITP result is 8/8 records, 14/14 milestones. These are not marketing claims — they are test results from structured inspection protocols that you can review in the product documentation.
Monthly projection: if you run this blueprint 100 times per month, multiply the per-execution cost by 100 and add your infrastructure costs. Most teams find the total is less than one hour of manual labor per month.
What's in the Bundle
6 files.
When you purchase PostHog Usage Anomaly Detector, you receive a complete deployment bundle. This is not a SaaS subscription or a hosted service — it is a set of files that you own and run on your own infrastructure. Here is what is included:
- posthog_usage_anomaly_detector_v1_0_0.json — Main workflow (29 nodes)
- posthog_usage_anomaly_detector_scheduler_v1_0_0.json — Scheduler workflow (3 nodes)
- README.md — 10-minute setup guide
- docs/TDD.md — Technical Design Document
- system_prompts/analyst_system_prompt.md — Analyst prompt reference
- system_prompts/formatter_system_prompt.md — Formatter prompt reference
Start with the README.md. It walks through the deployment process step by step, from importing the workflow JSON into n8n to configuring credentials and running your first test execution. The dependency matrix lists every required service, API key, and estimated cost so you know exactly what you need before you start.
Every file in the bundle is designed to be read, understood, and modified. There is no obfuscated code, no compiled binaries, and no phone-home telemetry. You get the source, you own the source, and you control the execution environment.
Who This Is For
PostHog Usage Anomaly Detector is built for product and engineering teams that need to automate a specific workflow without building from scratch. If your team matches the following profile, this blueprint is designed for you:
- You operate in a product or engineering function and handle the workflow this blueprint automates on a recurring basis
- You have (or are willing to set up) an n8n instance — self-hosted or cloud
- You have active accounts for the required integrations: PostHog account with event data, Anthropic API key, Slack workspace (Bot Token with chat:write)
- You have API credentials available: Anthropic API, PostHog API Key, Slack (Bot Token, httpHeaderAuth Bearer)
- You are comfortable importing a workflow JSON and configuring API keys (the README guides you, but basic technical comfort is expected)
This is NOT for you if you need something outside its scope. The blueprint:
- Does not fix anomalies automatically — it detects and diagnoses, humans investigate and resolve
- Does not replace application performance monitoring (APM) — it analyzes product usage patterns, not infrastructure metrics
- Does not work with non-PostHog analytics tools — this is PostHog-specific
- Does not guarantee zero false positives — statistical thresholds are configurable to tune sensitivity
- Does not store historical baselines externally — baselines are computed from PostHog data on each run
Review the dependency matrix and prerequisites before purchasing. If you are unsure whether your environment meets the requirements, contact support@forgeworkflows.com before buying.
All sales are final after download. Review the full dependency matrix, prerequisites, and integration requirements on the product page before purchasing. Questions? Contact support@forgeworkflows.com.
Getting Started
Deployment follows a structured sequence. The PostHog Usage Anomaly Detector bundle is designed for the following tools: n8n, Anthropic API, PostHog, Slack. Here is the recommended deployment path:
- Step 1: Import workflows and configure credentials. Import both workflow JSON files into n8n (main + scheduler). Configure PostHog API key (httpHeaderAuth), Slack Bot Token (httpHeaderAuth with Bearer prefix, chat:write scope), and Anthropic API key following the README. Optionally configure Notion for anomaly history logging.
- Step 2: Configure anomaly detection parameters. Set POSTHOG_PROJECT_ID, TRACKED_METRICS (array of event names to monitor), BASELINE_DAYS (default 28), DEVIATION_THRESHOLD (default 2.0 standard deviations), and SLACK_CHANNEL in the scheduler Payload Builder node.
- Step 3: Activate scheduler and verify. Update the webhook URL in the scheduler to match your main workflow webhook path. Activate both workflows. Send a test POST with _is_itp: true and sample metrics including an artificial anomaly. Verify the alert appears in Slack. On a normal test, verify no message is sent.
Before running the pipeline on live data, execute a manual test run with sample input. This validates that all credentials are configured correctly, all API endpoints are reachable, and the output format matches your expectations. The README includes test data examples for this purpose.
Once the test run passes, you can configure the trigger for production use (scheduled, webhook, or event-driven — depending on the blueprint design). Monitor the first few production runs to confirm the pipeline handles real-world data as expected, then let it run.
For technical background on how ForgeWorkflows blueprints are built and tested, see the Blueprint Quality Standard (BQS) methodology and the Inspection and Test Plan (ITP) framework. These documents describe the quality gates every blueprint passes before listing.
Ready to deploy? View the PostHog Usage Anomaly Detector product page for full specifications, pricing, and purchase.
Run a manual test with sample data before switching to production triggers. This catches credential misconfigurations and API endpoint issues before they affect real workflows.
Frequently Asked Questions
What does "silent when normal" mean?
The workflow runs daily and checks for anomalies. If all metrics fall within the expected range (within the configured standard deviation threshold), no Slack message is sent. Your team only gets notified when something genuinely unusual happens. This prevents alert fatigue.
How does probable cause analysis work?
The Analyst correlates detected anomalies with known context: recent deployments (if deployment timestamps are available), feature flag changes in PostHog, day-of-week patterns (weekend dips), and magnitude direction (spikes vs drops suggest different causes). This is probabilistic analysis, not definitive root cause identification.
What metrics can it track?
Any PostHog event count or aggregation: total events, unique users, session count, average session duration, specific feature usage events, page views, API calls, etc. Configure the TRACKED_METRICS array in the scheduler with your PostHog event names.
Is there a refund policy?
All sales are final after download. Review the Blueprint Dependency Matrix and prerequisites before purchase. Questions? Contact support@forgeworkflows.com before buying. Full terms at forgeworkflows.com/legal.