Analytics & Threshold Configuration page

Click Administration > Analytics & Threshold Configuration in the Navigator pane to display the Analytics & Threshold Configuration page. This page enables you to view and configure the settings that control when and how Riverbed IQ recognizes network behavior that constitutes an indicator, the fundamental building block of an incident.

A policy controls how the Riverbed IQ data pipeline creates indicators, and, therefore, incidents. Upon installation, IQ has a number of built-in policies in place that are configured according to best practices for monitoring networks and which measurements merit being called to your attention in the form of an incident. What merits being called to your attention is a subjective, user/network-defined decision, so IQ provides the ability to override some policies with user-configurable settings. A single policy applies a rule to a measurement on a network entity.

The Analytics & Threshold Configuration page comprises three sections: Devices, Interfaces, and Applications. In each section, there is a set of relevant metrics that can be enabled/disabled, and, in the case of thresholds, configured:

Network Devices

  • Device Status [Status Change]

  • Device Uptime [Uptime Reset]

Network Interfaces

  • Interface Status [Status Change]

  • In Packet Drops Rate [Baselining]

  • In Packet Error Rate [Baselining]

  • In Utilization [Baselining]

  • In Utilization [Threshold]

  • Out Packet Drops Rate [Threshold]

  • Out Packet Error Rate [Threshold]

  • Out Utilization [Baselining]

  • Out Utilization [Threshold]

Application + Location (i.e., application “MS-Exchange” in location “Branch Office Denver”)

  • Activity Network Time [Dynamic Threshold]

  • % Failed Connections [Threshold]

  • MOS [Threshold]

  • Page Load Network Time [Dynamic Threshold]

  • % Total Retrans [Threshold]

  • Throughput (VoIP) [Baselining]

  • User Response Time [Baselining]

IQ has several types of rule for determining whether a measurement on a network entity is worthy of attention or not. Violations of these rules create indicators, which are then correlated into incidents. In addition to the configuration options listed for each type of rule, there are some options that can be configured on every rule.

 

Rule Type Description Configuration Options
Change

Detects a change in the measurement, for example the status of an interface going from “OK” to “Down”. This is used in interface and device status rules.

OK value — A change back to this value will not create an indicator. For example, an interface with status “admin down” that goes back to “OK” will not create an indicator or incident.
Always Increasing

Tracks a measurement and makes sure its value is always increasing. This is used to track Device Uptime measurements.

Not configurable.
Threshold

This looks for measurements above a certain value or below a certain value. For example, indicating on applications with a MOS score of < 3.5, or on interfaces with an inbound utilization of > 80%.

  • Upper Threshold — Create an indicator if the measured value is greater than the upper threshold.

  • Lower Threshold — Create an indicator if the measured value is lower than the lower threshold.
Baseline

This uses machine learning techniques to characterize the measurement being tracked over time. If the measurement deviates excessively from what is considered normal, an indicator is created.

  • Noise Floor — This value is given in the units of the measurement being tracked. The deviation of the measurement from normal must be at least this value in order to produce an indicator. For example, a noise floor value of 500ms of Response Time means there will never be an indicator produced where the absolute difference between the measurement and the expected value is less than 500ms .

  • Upper Percent Change — The multiplier on the expected value of the measurement that determines what the allowed upper value of the measurement is. For example, an upper % change value of 1.2 on an expected value of 10 means that measured values over 10 * 1.2 = 12 will create an indicator.

  • Lower Percent Change — The multiplier on the expected value of the measurement that determines what the allowed lower value of the measurement is. A value of 0.8 on an expected value of 10 would produce an Indicator on measurements below 10 * 0.8 = 8 .

The noise floor and the upper/lower % change can be applied together. The setting providing the maximum deviation from normal is used to determine whether the rule has been violated.
Dynamic Threshold

This uses machine learning and statistical techniques to characterize the measurement being tracked over time. If the measurement deviates excessively from what is considered normal, an indicator is created.

  • Noise Floor — This value is given in the units of the measurement being tracked. The deviation of the measurement from normal must be at least this value in order to produce an indicator. For example, a noise floor value of 500ms of Response Time means there will never be an indicator produced where the absolute difference between the measurement and the expected value is less than 500ms .

  • Percentile — Only create indicators for measurements that are this percentile (0-100) outside of normal. Higher percentiles mean fewer indicators.

The noise floor and the percentile can be applied together, like the baseline rule; also like the baseline rule, the maxiumum deviation from normal is used.

Editing a Static Threshold Value

To edit a static threshold value, click Edit to open the Edit Static Threshold dialog box.

Specify the value at which to generate an indicator from this threshold and the number of measurements to use. You can create an indicator based on a single measurement of the metric, for some number of consecutive measurements, or for N out of M measurements. For example, specifying “2 out of 3” means that the rule must violate for 2 of the last 3 measurements for an indicator to be created. N and M default to 1. M has a maximum value of 10. N must be <= M. If M > 1, N must be > 1 also.