cancel
Showing results for
Show  only  | Search instead for
Did you mean:

## Incidents and alerting aggregation question

Organizer

Can someone clarify how the different aggregation settings affect the way an incident triggers?  I can't find definitions of each.  I think I understand avg, but need to clarify the others.  (ie:  How does min versus max affect the rolling alert window?)

Aggregate – The aggregate value that is used for the evaluation timeframe: avg (average), count, last, max (maximum), min (minimum), sum, or first. A measure can also occur multiple times per PurePath.

8 REPLIES 8
Dynatrace Guru

Check out one of my recent Perf Clinic Live Q& session recordings on youtube. At Minute 10 I explain the aggregations and the rolliing time frame: https://www.youtube.com/watch?v=Ysh_HL8HDoA&list=PLqt2rd0eew1bmDn54E2_M2uvbhm_WxY_6&index=11

That describes average, but do you have a definition of the other aggregation methods (count, last, max (maximum), min (minimum), sum, or first)?

If I have an incident that is monitoring used JVM memory with the timeframe of 10 minute and either a min or max aggregation.  Does the memory value have to be above the threshold for the whole 10 minutes or just for one poll cycle?

Dynatrace Guru

The incident will trigger if the "Minimum Value" in that interval is <= your threshold. The minimum is the minimum value of any measure point taken in that time period. So - to answer your question: A SINGLE low value will trigger it as the lowest value within 10 minutes represents the "Min"

Andi

So MIN, MAX, FIRST, and LAST will all trigger on a single occurrence in the above scenario.

How does COUNT and SUM work in that scenario?

John, if you think of it this way the SUM, COUNT, and AVG  functions aggregate; while the MIN, MAX, FIRST, LAST are single points.

This means if you had a 10 minute interval and there were 100 data points captured, your COUNT value will be 100.

If all 100 data points were 2, then your SUM would be 200.

James,  Thanks for the clarification.  That is what I was looking for.

Im a little confused I was under the impression that if you use min or max as values in a incident then in the instance of Min it would take whatever measures were captured in the timeframe and if all of the minimum values were above the threshold then alert is triggered. e.g. cpu utilization for 1 min so DT would gather 6 values and if all 6 were above the minimum value lets say 20% then if all of the values are above 20% then alert is triggered? is that right?

Organizer

If the aim was to alert only if all instances in a timeframe of HTTP Status is above 201 how would you go about doing that?