Analytics Algorithms Overview
The Analytics service in IQ Ops runs a set of algorithms on incoming metric data. When the conditions defined by an algorithm are met, the service generates indicators. Those indicators are the building blocks of incidents. They also drive runbook execution, alerts, and reports. Configuring the algorithms controls when indicators are created and how sensitive detection is for your network.
Terms used on this page:
- Metric: A measurement or data point that is monitored and analyzed to detect anomalies and generate incidents.
- Indicator: An observed change in a specific metric stream that is recognized as being outside of an expected model. Indicators are correlated into triggers, and one or more triggers are grouped into incidents.
- Incident: A collection of one or more related triggers. Relationships that cause triggers to be combined into incidents include application, location, operating system, or a trigger by itself.
Algorithms in IQ Ops
Six algorithms are part of the Analytics service.
Two of them are not user-editable except for enabling or disabling each one.
The other four have user-configurable parameters that you can tune for your network.
Non-configurable algorithms
You can only enable or disable these algorithms. Their logic is fixed.
- Status Change: Operates on interface and device status values. An interface is an entity type representing network interfaces on devices that are monitored for performance metrics and anomalies.
- Up Time Reset: Operates on device uptime measurements.
Configurable algorithms
The following four algorithms have tunable parameters: Threshold, Baseline, Dynamic Threshold, and Bounded Dynamic Threshold.
What you can configure
Status Change and Up Time Reset: You can enable or disable each algorithm.
Threshold, Baseline, Dynamic Threshold, and Bounded Dynamic Threshold: You can enable or disable each algorithm and adjust parameters (e.g. threshold values, baseline deviation, percentile, or measurement counts).
See the linked algorithm topics and the Analytics & Threshold Configuration page for how to edit these settings.
Where algorithms apply
Policies are organized by entity type on the Analytics & Threshold Configuration page. Entities are things deployed in the customer environment that are needed to run the business, such as applications, devices, interfaces, and locations.
The page has four sections:
- Network devices
- Network interfaces
- Applications
- Application activities
Which algorithms appear in each section depends on the metrics available for that entity type. For the full list of metrics by section, see Analytics configuration sections.
How to work with analytics algorithms
To adjust when indicators are generated and how algorithms behave:
- Open the Analytics & Threshold Configuration page.
- Use the four sections (Devices, Interfaces, Applications, Application activities) to find the metric you want to change.
- For each metric, enable or disable the policy using the control in the Analytics column.
- For the four configurable algorithms (Threshold, Baseline, Dynamic Threshold, Bounded Dynamic Threshold), open the configuration dialog or link for that metric to tune parameters. All four are edited from the Analytics & Threshold Configuration page.
- For procedure and field details, see Edit a static threshold value, Configure baseline settings, Configure dynamic threshold settings, and Configure bounded dynamic threshold settings.