How PostHog Usage Anomaly Detector Automates Product Analytics
The Problem
Your team runs this workflow every week: pull records from PostHog and Slack, cross-reference them with a second source, apply judgment, format the output, and route it to 3 different stakeholders. Last Tuesday it took 30–60 minutes per cycle. This Tuesday the person who usually runs it is out sick, and nobody else knows the exact steps. The output varies by who runs it and when.
The core issue is data fragmentation. The information exists, but assembling it into actionable intelligence requires manual effort that does not scale with headcount. PostHog Usage Anomaly Detector closes that gap by automating the product analytics and monitoring workflow from data extraction through structured output delivery.
Teams typically spend 30–60 minutes per cycle on the manual version of this workflow. PostHog Usage Anomaly Detector reduces that to seconds per execution, with consistent quality every time.
What This Blueprint Does
Four Agents. Daily Anomaly Detection. Silent When Normal.
The PostHog Usage Anomaly Detector pipeline runs 4 agents in sequence. The Fetcher pulls data from PostHog and Slack, and The Formatter delivers the output. Here is what happens at each stage and why it matters.
- The Fetcher (Code-only): Queries PostHog API for daily usage metrics — event counts, unique users, session durations, and feature usage across the baseline window.
- The Assembler (Code-only): Computes statistical baselines using rolling averages and standard deviation for each tracked metric.
- The Analyst (Tier 2 Classification): Performs probable cause analysis for each detected anomaly: correlates with deployment timestamps, feature flag changes, marketing campaigns, and day-of-week patterns.
- The Formatter (Tier 3 Creative): SILENT when no anomalies detected — no Slack noise on normal days.
When the pipeline completes, you get structured output that is ready to act on. The blueprint bundle includes everything needed to deploy, configure, and customize the workflow:
- 29-node main workflow + 3-node scheduler
- Daily usage anomaly detection from PostHog event data
- Statistical baseline comparison with rolling average and standard deviation
- Configurable anomaly threshold (default 2 standard deviations)
- Probable cause analysis correlating anomalies with deployments, flag changes, and campaigns
- Anomaly severity classification: INFO, WARNING, CRITICAL
- Anomaly type classification: organic, deployment-related, external, seasonal
- SILENT mode — zero Slack noise on normal days with no anomalies
- Alert-only notifications when true anomalies are detected
- Notion anomaly log for historical tracking (optional)
- Slack alert with anomaly details, probable causes, and investigation steps
- Configurable: tracked metrics, baseline window, deviation threshold
- Full technical documentation + system prompts
All scoring criteria, output formats, and routing rules are configurable in the system prompts — no workflow JSON edits required. This means PostHog Usage Anomaly Detector adapts to your specific process, terminology, and integration requirements without forking the entire workflow.
Every component in this pipeline is designed for customization. Modify system prompts to change scoring logic, output format, or routing rules — no code changes required.
How the Pipeline Works
Understanding how the pipeline works helps you customize it for your environment and troubleshoot issues when they arise. Here is a step-by-step walkthrough of the PostHog Usage Anomaly Detector execution flow.
Step 1: The Fetcher
Tier: Code-only
The pipeline starts here. Queries PostHog API for daily usage metrics — event counts, unique users, session durations, and feature usage across the baseline window. Pulls both current day and historical baseline data for statistical comparison.
This stage ensures all downstream agents receive clean, validated input. If this step returns incomplete data, every downstream agent works with a degraded picture.
Step 2: The Assembler
Tier: Code-only
Computes statistical baselines using rolling averages and standard deviation for each tracked metric. Identifies anomalies where current values deviate beyond the configurable threshold (default 2 standard deviations). Calculates anomaly magnitude and direction (spike or drop).
Why this step matters: The result is a prioritized action queue, not just a data dump.
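The baseline check described in Step 2, as an added example in the JavaScript an n8n Code node would run; it is not the bundle's own code. BASELINE_DAYS and DEVIATION_THRESHOLD are the page's parameter names, while MIN_SAMPLES, the input shape, and the choice to report short or flat baselines separately are assumptions made here so that a data gap is never read as a quiet day.

```javascript
// Added example, not the bundle's code. BASELINE_DAYS and DEVIATION_THRESHOLD
// are the page's parameter names; MIN_SAMPLES and the data shapes are assumptions.
const BASELINE_DAYS = 28;
const DEVIATION_THRESHOLD = 2.0;
const MIN_SAMPLES = 7;

// history: daily values, oldest first, excluding today.
function detectAnomaly(metric, history, today, threshold = DEVIATION_THRESHOLD) {
  const window = history.slice(-BASELINE_DAYS).filter(Number.isFinite);
  // Too little history (new event, Fetcher gap): report it, never guess.
  if (window.length < MIN_SAMPLES || !Number.isFinite(today)) {
    return { metric, status: 'insufficient_data', samples: window.length };
  }
  const mean = window.reduce((a, b) => a + b, 0) / window.length;
  const variance =
    window.reduce((a, b) => a + (b - mean) ** 2, 0) / (window.length - 1);
  const std = Math.sqrt(variance);
  const direction = today > mean ? 'spike' : 'drop';
  // Flat baseline: sigma is 0 and a z-score is undefined, so any change counts.
  if (std === 0) {
    return today === mean
      ? { metric, status: 'normal' }
      : { metric, status: 'anomaly', direction, zScore: null, mean };
  }
  const z = (today - mean) / std;
  if (Math.abs(z) <= threshold) return { metric, status: 'normal' };
  return { metric, status: 'anomaly', direction, zScore: Number(z.toFixed(2)), mean };
}

// Splits results so a data gap is never mistaken for a quiet day.
function runAssembler(series, threshold) {
  const results = Object.entries(series).map(([metric, s]) =>
    detectAnomaly(metric, s.history, s.today, threshold));
  const anomalies = results.filter((r) => r.status === 'anomaly');
  const skipped = results.filter((r) => r.status === 'insufficient_data');
  return { anomalies, skipped, silent: anomalies.length === 0 && skipped.length === 0 };
}

// Constructed sample data: 28 days alternating 100 and 110.
const steady = Array.from({ length: 28 }, (_, i) => (i % 2 ? 110 : 100));
const sample = {
  pageview: { history: steady, today: 120 },            // about 2.95 sigma above mean
  signup: { history: steady, today: 112 },              // within threshold
  api_call: { history: steady.slice(0, 3), today: 500 }, // only 3 days of history
};
console.log(JSON.stringify(runAssembler(sample), null, 2));
```

With a silent-by-default pipeline, the `skipped` list is what separates "nothing unusual" from "nothing measured".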
Step 3: The Analyst
Tier: Tier 2 Classification
Performs probable cause analysis for each detected anomaly: correlates with deployment timestamps, feature flag changes, marketing campaigns, and day-of-week patterns. Classifies anomaly severity (INFO, WARNING, CRITICAL) and type (organic, deployment-related, external, seasonal).
Every field in the output is structured for the next agent to consume without parsing.
Step 4: The Formatter
Tier: Tier 3 Creative
This is the final deliverable — what lands in your inbox or dashboard. SILENT when no anomalies detected — no Slack noise on normal days. When anomalies are found: Slack alert with anomaly details, probable causes, and recommended investigation steps. Optional Notion log for anomaly history tracking.
The entire pipeline executes without manual intervention. From trigger to output, every decision point follows a documented path. Every execution produces a traceable audit trail.
All nodes have been validated during Independent Test Protocol (ITP) testing on n8n v2.7.5. The error handling matrix in the bundle documents the recovery path for each failure mode.
This blueprint executes in your own n8n environment using your own API credentials. Zero external data sharing.
Why we designed it this way
n8n's batch node only outputs the last batch. If you process 20 records in batches of 5, you get back 5 records — the last batch. Without static data accumulation, multi-record pipelines silently drop 75% of results. Every multi-record blueprint uses explicit accumulation to collect results across all batches.
— ForgeWorkflows Engineering
Cost Breakdown
Daily statistical anomaly detection with probable cause analysis. Silent when metrics are normal — alerts only on true anomalies with severity classification and investigation recommendations.
The primary operating cost for PostHog Usage Anomaly Detector is the per-execution LLM inference cost. Based on Independent Test Protocol (ITP) testing, the measured cost is: Cost per Run: $0.03–$0.10 per run (LLM cost $0 on normal days). This figure includes all API calls across all agents in the pipeline — not just the primary reasoning step, but every classification, scoring, and output generation call.
To put this in context, consider the manual alternative. A skilled team member performing the same work manually costs $50–75/hour for an operations analyst at a fully loaded rate (salary, benefits, tools, overhead). If the manual version of this workflow takes 30–60 minutes per cycle, the per-execution cost in human labor is significant. The blueprint executes the same pipeline for a fraction of that cost, with consistent quality and zero fatigue degradation.
Infrastructure costs are separate from per-execution LLM costs. You will need an n8n instance (self-hosted or cloud) and active accounts for the integrated services. The estimated monthly infrastructure cost is ~$0.03–0.10 per daily run plus a PostHog subscription, depending on your usage volume and plan tiers.
Quality assurance: Blueprint Quality Standard (BQS) audit result is 12/12 PASS. ITP result is 8/8 records, 14/14 milestones. These are not marketing claims — they are test results from structured inspection protocols that you can review in the product documentation.
All cost and performance figures are ITP-measured — tested against real data fixtures on n8n v2.7.5 in March 2026. See the product page for full test methodology.
Monthly projection: if you run this blueprint 100 times per month, multiply the per-execution cost by 100 and add your infrastructure costs. Most teams find the total is less than one hour of manual labor per month.
What's in the Bundle
6 files.
When you purchase PostHog Usage Anomaly Detector, you receive a complete deployment bundle. This is not a SaaS subscription or a hosted service — it is a set of files that you own and run on your own infrastructure. Here is what is included:
- README.md — Setup and configuration guide
- docs/TDD.md — Technical Design Document
- phud_scheduler_v1_0_0.json — Scheduler workflow
- posthog_usage_anomaly_detector_v1_0_0.json — n8n workflow (main pipeline)
- schemas/assembler_output.json — Assembler output schema
- schemas/fetcher_output.json — Fetcher output schema
- system_prompts/analyst_system_prompt.md — Analyst system prompt
- system_prompts/formatter_system_prompt.md — Formatter system prompt
Start with the README.md. It walks through the deployment process step by step, from importing the workflow JSON into n8n to configuring credentials and running your first test execution. The dependency matrix lists every required service, API key, and estimated cost so you know exactly what you need before you start.
Every file in the bundle is designed to be read, understood, and modified. There is no obfuscated code, no compiled binaries, and no phone-home telemetry. You get the source, you own the source, and you control the execution environment.
Who This Is For
PostHog Usage Anomaly Detector is built for Product and Engineering teams that need to automate a specific workflow without building from scratch. If your team matches the following profile, this blueprint is designed for you:
- You operate in a product or engineering function and handle the workflow this blueprint automates on a recurring basis
- You have (or are willing to set up) an n8n instance — self-hosted or cloud
- You have active accounts for the required integrations: PostHog account with event data, Anthropic API key, Slack workspace (Bot Token with chat:write)
- You have API credentials available: Anthropic API, PostHog API Key, Slack (Bot Token, httpHeaderAuth Bearer)
- You are comfortable importing a workflow JSON and configuring API keys (the README guides you, but basic technical comfort is expected)
This is NOT for you if any of the following limits is a blocker. The blueprint:
- Does not fix anomalies automatically — it detects and diagnoses, humans investigate and resolve
- Does not replace application performance monitoring (APM) — it analyzes product usage patterns, not infrastructure metrics
- Does not work with non-PostHog analytics tools — this is PostHog-specific
- Does not guarantee zero false positives — statistical thresholds are configurable to tune sensitivity
- Does not store historical baselines externally — baselines are computed from PostHog data on each run
Review the dependency matrix and prerequisites before purchasing. If you are unsure whether your environment meets the requirements, contact support@forgeworkflows.com before buying.
All sales are final after download. Review the full dependency matrix, prerequisites, and integration requirements on the product page before purchasing. Questions? Contact support@forgeworkflows.com.
Edge cases to know about
Every pipeline has boundaries. These are intentional design decisions, not oversights — understanding them helps you deploy with the right expectations and plan for edge cases in your environment.
Does not fix anomalies automatically — it detects and diagnoses, humans investigate and resolve
This is intentional. We default to human-in-the-loop for actions that carry reputational or financial risk. Once your team has validated output accuracy over 20+ cycles, you can adjust the pipeline to auto-execute — the workflow JSON supports it, but the default is conservative.
Does not replace application performance monitoring (APM) — it analyzes product usage patterns, not infrastructure metrics
We scoped this boundary after ITP testing revealed inconsistent results when the pipeline attempted this. The agents handle what they handle well — extending beyond this scope requires custom prompt engineering specific to your data shape.
Does not work with non-PostHog analytics tools — this is PostHog-specific
This keeps the pipeline focused on a single workflow. Adding this capability would introduce branching logic that varies by organization, and the tradeoff between complexity and reliability was not worth it for a reusable blueprint. Fork the workflow JSON if your use case demands it.
The dead letter queue captures any records that fail processing. Check it after your first production run to validate data coverage.
Getting Started
Deployment follows a structured sequence. The PostHog Usage Anomaly Detector bundle is designed for the following tools: n8n, Anthropic API, PostHog, Slack. Here is the recommended deployment path:
- Step 1: Import workflows and configure credentials. Import both workflow JSON files into n8n (main + scheduler). Configure PostHog API key (httpHeaderAuth), Slack Bot Token (httpHeaderAuth with Bearer prefix, chat:write scope), and Anthropic API key following the README. Optionally configure Notion for anomaly history logging.
- Step 2: Configure anomaly detection parameters. Set POSTHOG_PROJECT_ID, TRACKED_METRICS (array of event names to monitor), BASELINE_DAYS (default 28), DEVIATION_THRESHOLD (default 2.0 standard deviations), and SLACK_CHANNEL in the scheduler Payload Builder node.
- Step 3: Activate scheduler and verify. Update the webhook URL in the scheduler to match your main workflow webhook path. Activate both workflows. Send a test POST with _is_itp: true and sample metrics including an artificial anomaly. Verify the alert appears in Slack. On a normal test, verify no message is sent.
Before running the pipeline on live data, execute a manual test run with sample input. This validates that all credentials are configured correctly, all API endpoints are reachable, and the output format matches your expectations. The README includes test data examples for this purpose.
Once the test run passes, you can configure the trigger for production use (scheduled, webhook, or event-driven — depending on the blueprint design). Monitor the first few production runs to confirm the pipeline handles real-world data as expected, then let it run.
For technical background on how ForgeWorkflows blueprints are built and tested, see the Blueprint Quality Standard (BQS) methodology and the Inspection and Test Plan (ITP) framework. These documents describe the quality gates every blueprint passes before listing.
Ready to deploy? View the PostHog Usage Anomaly Detector product page for full specifications, pricing, and purchase.
Run a manual test with sample data before switching to production triggers. This catches credential misconfigurations and API endpoint issues before they affect real workflows.
Frequently Asked Questions
What does "silent when normal" mean?
The workflow runs daily and checks for anomalies. If all metrics fall within the expected range (within the configured standard deviation threshold), no Slack message is sent. Your team only gets notified when something genuinely unusual happens. This prevents alert fatigue.
How does probable cause analysis work?
The Analyst correlates detected anomalies with known context: recent deployments (if deployment timestamps are available), feature flag changes in PostHog, day-of-week patterns (weekend dips), and magnitude direction (spikes vs drops suggest different causes). This is probabilistic analysis, not definitive root cause identification. Check the dependency matrix in the bundle for exact version requirements and credential setup steps.
What metrics can it track?
Any PostHog event count or aggregation: total events, unique users, session count, average session duration, specific feature usage events, page views, API calls, etc. Configure the TRACKED_METRICS array in the scheduler with your PostHog event names. The README walks through configuration in under 10 minutes, including test data for validation.
Is there a refund policy?
All sales are final after download. Review the Blueprint Dependency Matrix and prerequisites before purchase. Questions? Contact support@forgeworkflows.com before buying. Full terms at forgeworkflows.com/legal.
What happens if PostHog event data is incomplete for a user?
The analysis agent handles missing events gracefully — users without activation events score lower on those dimensions but aren't excluded. The output includes a data_completeness flag per user so you can filter results by confidence level.