Analytics & Threshold Configuration

To open the configuration page, go to Administration > Analytics & Threshold Configuration in the Navigator pane.

This page lets you view and configure the settings that determine when and how Riverbed IQ recognizes network behavior as indicators. Indicators are the fundamental building blocks of incidents.

A policy controls how the Riverbed IQ data pipeline creates indicators, and, therefore, incidents. Upon installation, IQ has a number of built-in policies in place that are configured according to best practices for monitoring networks and which measurements merit being called to your attention in the form of an incident. What merits being called to your attention is a subjective, user/network-defined decision, so IQ provides the ability to override some policies with user-configurable settings. A single policy applies a rule to a measurement on a network entity.

The Analytics & Threshold Configuration page comprises three sections:

  1. Devices

  2. Interfaces

  3. Applications

Each section has a set of relevant metrics that you can enable/disable. In addition, you can configure thresholds.

Network Devices

  • Device Status [Status Change]

  • Device Uptime [Uptime Reset]

Network Interfaces

  • Interface Status [Status Change]

  • In Packet Drops Rate [Baselining]

  • In Packet Error Rate [Baselining]

  • In Utilization [Baselining]

  • In Utilization [Threshold]

  • Out Packet Drops Rate [Threshold]

  • Out Packet Error Rate [Threshold]

  • Out Utilization [Baselining]

  • Out Utilization [Threshold]

Application + Location (i.e., application “MS-Exchange” in location “Branch Office Denver”)

  • Activity Network Time [Dynamic Threshold]

  • % Failed Connections [Threshold]

  • MOS [Threshold]

  • Page Load Network Time [Dynamic Threshold]

  • % Total Retrans [Threshold]

  • Throughput (VoIP) [Baselining]

  • User Response Time [Baselining]

Aternity Analytics Thresholds (Application Metrics)

IQ can track Aternity health event counts and create incidents when those counts deviate from normal (above baseline).

There is a specialized Runbook path that allows users to perform root-cause-analysis for these incidents. Aternity tracks the counts of health events, by application, location and severity, once per hour. These metrics are streamed to IQ and track the critical and major health event counts, raising Incidents when either the critical or major counts for a particular application and location exceed the expected counts by a significant amount.

Custom Runbooks can be executed to generate insights as to the root cause of the increase.

The policies used to track the new metrics appear in the Analytics & Thresholds Configuration page, in the Applications section:

You can enable or disable these policies, but their baseline thresholds and logic cannot be modified.

Rule Types and Configuration Options

IQ has several types of rule for determining whether a measurement on a network entity is worthy of attention or not. Violations of these rules create indicators, which are then correlated into incidents. In addition to the configuration options listed for each type of rule, there are some options that can be configured on every rule.

Rule Type Description Configuration Options
Change

Detects a change in the measurement, for example the status of an interface going from OK to Down. This is used in interface and device status rules.

OK value — A change back to this value will not create an indicator. For example, an interface with status admin down that goes back to OK will not create an indicator or incident.
Always Increasing

Tracks a measurement and makes sure its value is always increasing. This is used to track Device Uptime measurements.

Not configurable.
Threshold

Looks for measurements above a certain value or below a certain value. For example, indicating on applications with a MOS score of < 3.5, or on interfaces with an inbound utilization of > 80%.

  • Upper Threshold — Create an indicator if the measured value is greater than the upper threshold.

  • Lower Threshold — Create an indicator if the measured value is lower than the lower threshold.
Baseline

Uses machine learning techniques to characterize the measurement being tracked over time. If the measurement deviates excessively from what is considered normal, an indicator is created.

  • Noise Floor — This value is given in the units of the measurement being tracked. The deviation of the measurement from normal must be at least this value in order to produce an indicator. For example, a noise floor value of 500ms of Response Time means there will never be an indicator produced where the absolute difference between the measurement and the expected value is less than 500ms .

  • Upper Percent Change — The multiplier on the expected value of the measurement that determines what the allowed upper value of the measurement is. For example, an upper % change value of 1.2 on an expected value of 10 means that measured values over 10 * 1.2 = 12 will create an indicator.

  • Lower Percent Change — The multiplier on the expected value of the measurement that determines what the allowed lower value of the measurement is. A value of 0.8 on an expected value of 10 would produce an Indicator on measurements below 10 * 0.8 = 8 .

The noise floor and the upper/lower percent change can be applied together. The setting providing the maximum deviation from normal is used to determine whether the rule has been violated.
Dynamic Threshold

Uses machine learning and statistical techniques to characterize the measurement being tracked over time. If the measurement deviates excessively from what is considered normal, an indicator is created.

  • Noise Floor — This value is given in the units of the measurement being tracked. The deviation of the measurement from normal must be at least this value in order to produce an indicator. For example, a noise floor value of 500ms of Response Time means there will never be an indicator produced where the absolute difference between the measurement and the expected value is less than 500ms .

  • Percentile — Only create indicators for measurements that are this percentile (0-100) outside of normal. Higher percentiles mean fewer indicators.

The noise floor and the percentile can be applied together, like the baseline rule; also like the baseline rule, the maximum deviation from normal is used.

Edit a Static Threshold Value

To edit a static threshold value, click Edit to open the Edit Static Threshold dialog box.

Specify the value at which to generate an indicator from this threshold and the number of measurements to use. You can create an indicator based on a single measurement of the metric, for some number of consecutive measurements, or for N out of M measurements. For example, specifying “2 out of 3” means that the rule must violate for 2 of the last 3 measurements for an indicator to be created. N and M default to 1. M has a maximum value of 10. N must be <= M. If M > 1, N must be > 1 also.