
Alert for operation count lower than normal?

sxsaxena
Participant

Occasionally, we have some datacenter changes that cause DCRUM to lose visibility. Sometimes it is firewall changes, other times it is an updated security cert.


What would be the correct way to set up an operation count-based measure that can let me know when the count of operations I am currently getting is lower than some baseline count? I'd like this alert to be triggered based on software service. I think the relative baseline (as opposed to absolute) is the way to go here, but I'm confused as to how I can avoid false positives.

3 REPLIES

BabarQayyum
Leader

Hello Shrimant,

I guess you can try the following to avoid the false positive.

Auxiliary metric (e.g. Server TCP data packets) is less than 100, to make sure both conditions are going to be fulfilled before triggering the message.

Propagation settings should be more than 3 to not send the alert on the first drop.

When configuring an alert using a baseline condition, remember that baseline values used by this condition type may in some situations not be calculated, as is the case during the first 48 hours after you install DC RUM. To prevent an alert definition from being activated before the baselines are calculated, you need to enable Delayed processing.

Regards,

Babar

sxsaxena
Participant

Would a relative baseline be better than absolute in this case?

BabarQayyum
Leader

Hello Shrimant,

I guess first you can check the results with the 'Absolute' and then 'Relative' to finalize your 'Baseline' condition.

Below are the descriptions and formulas for 'Absolute' and 'Relative' for better understanding.

Absolute


  • If no baseline condition is specified, the increments in the measured metric are compared to the value specified in the value condition. That is, if the measured metric assumed the value of A in one monitoring interval and then value B in the next one, the value of B - A will be taken.
  • If a baseline condition is specified, the alert calculates a percentage increase in the actual absolute increment of the metric versus absolute baseline increment. This means that for two subsequent monitoring intervals, we measure the absolute increment in the value of the metric and subtract from it an increment calculated from comparing baseline value for the same monitoring intervals:

    (B - A) - (baseline_2 - baseline_1)

    We then take the resulting value relative to the differences in baselines, that is we divide it by the absolute (positive) value of (baseline_2 - baseline_1) and multiply it by 100%:

    (((B - A) - (baseline_2 - baseline_1)) / |baseline_2 - baseline_1|) * 100%

    Where the pipe symbol (“|”) denotes extraction of an absolute (that is always positive) value from a number.

    The result is compared with the value the user entered in the baseline threshold field.

Relative


  • If no baseline condition is specified, the relative increments in the measured metric are compared to the value specified in the threshold field. That is, if the measured metric assumed the value of A in one monitoring interval and then value B in the next one, the value that would be taken is:

    ((B - A)/A) * 100%

  • If a baseline condition is specified, the alert calculates a percentage increase in the actual relative increment of the metric versus relative baseline increment. The calculations are similar to those performed for the absolute mode, except that all differences in metric values or in baseline values are relative:

    (B - A)/A and (baseline_2 - baseline_1)/baseline_1

    This gives the following formula:

    (((B - A)/A - (baseline_2 - baseline_1)/baseline_1) / |baseline_2 - baseline_1|/baseline_1) * 100%

    The result is compared with the value the user entered in the baseline threshold field.

Regards,

Babar
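
The formulas quoted in the reply above, worked through on constructed operation counts so the two modes can be compared side by side. This is an added example, not DC RUM code or part of the original posts. Assumptions: the divisor of the relative formula is read as |baseline_2 - baseline_1| / baseline_1, a missing baseline stands for "no baseline condition", and `None` is returned where the formula would divide by zero.

```python
from typing import Optional

def absolute_dev(a, b, base1=None, base2=None) -> Optional[float]:
    """Absolute mode; base1/base2 = None means no baseline condition."""
    inc = b - a
    if base1 is None or base2 is None:
        return inc                      # plain increment B - A
    base_inc = base2 - base1
    if base_inc == 0:
        return None                     # flat baseline: percentage undefined
    return (inc - base_inc) / abs(base_inc) * 100.0

def relative_dev(a, b, base1=None, base2=None) -> Optional[float]:
    """Relative mode; divisor read as |baseline_2 - baseline_1| / baseline_1."""
    if a == 0:
        return None                     # no relative increment from zero
    rel = (b - a) / a
    if base1 is None or base2 is None:
        return rel * 100.0              # ((B - A)/A) * 100%
    if base1 == 0 or base2 == base1:
        return None                     # relative baseline increment undefined
    base_rel = (base2 - base1) / base1
    return (rel - base_rel) / (abs(base2 - base1) / base1) * 100.0

# Constructed operation counts: (label, A, B, baseline_1, baseline_2)
SAMPLES = [
    ("half volume, same shape as baseline", 500, 450, 1000, 900),
    ("small dip against a 2-op baseline step", 1000, 990, 1000, 1002),
    ("visibility lost, rising baseline", 1000, 50, 1000, 1100),
    ("visibility lost, flat baseline", 1000, 50, 1000, 1000),
]

def compare(samples=SAMPLES):
    """Return (label, absolute %, relative %) per sample, rounded to 0.1."""
    def r(v):
        return None if v is None else round(v, 1)
    return [(lbl, r(absolute_dev(a, b, b1, b2)), r(relative_dev(a, b, b1, b2)))
            for lbl, a, b, b1, b2 in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

With these formulas the two modes give the same percentage whenever A equals baseline_1 and diverge only when the measured volume sits at a different level than the baseline. A very small baseline step inflates the percentage, and a flat baseline leaves it undefined.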