How the Platform Learns From Your Environment

Riverbed Console learns from your environment in three ways: through the metrics that stream in from connected data sources, through the analytics pipeline that models normal behavior and detects anomalies, and through runbooks that gather context and can be customized with your own processes. This topic summarizes each and explains how long baseline-based learning takes so you can set expectations for when incidents will start to be generated.

Key measurements (streamed metrics)

Key measurements are the subset of high-value metrics that stream from NPM (Network Performance Monitoring) data sources into Riverbed IQ Ops. They provide observability into the performance of entities in your environment (devices, interfaces, applications, and locations). In this way the platform learns which entities exist and what data is available for them. For the metrics streamed by each data source, see the Data Sources page.

Analytics pipeline (behavioral learning)

The analytics pipeline applies algorithms to model the behavior of key measurements and continuously learn what is normal for your environment. When behavior deviates enough from that model, the service generates indicators, and Riverbed IQ Ops can create incidents and run runbooks. For an overview of the algorithms, see Analytics algorithms overview.

Some metrics use a simple model (for example a static threshold) so anomalies can be detected immediately and processed through to incident generation and runbook execution. Others use a time-series baseline model that must build over time. For those baseline policies:

  • It takes two days to build an initial daily-seasonal time-series baseline model, and 14 days to build an initial weekly-seasonal time-series baseline model.

  • While the models are building, detection and incident generation for that metric will vary.

Alert: For the first two days after a new key measurement is observed, there are no associated indicators or incidents for that metric (while the daily-seasonal model is building). After two days, anomalies to the daily-seasonal model are detected and incidents are generated. Over the next 12 days the system builds the 14-day weekly-seasonal model. After 14 days, anomalies to the weekly-seasonal model are also detected and the system continuously learns and evolves the model as behavior changes.
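
The timeline above, turned into a coverage check (an added example, not Riverbed code): it classifies each key measurement by how long ago it was first observed, using the 2-day and 14-day periods stated on this page, and lists the ones that are not yet fully covered. The inventory, the measurement names and the `model` field are constructed for illustration and do not come from a product API.

```python
from datetime import datetime, timedelta, timezone

# Warm-up periods as stated on this page.
DAILY_WARMUP = timedelta(days=2)
WEEKLY_WARMUP = timedelta(days=14)


def detection_phase(first_seen, now, model="baseline"):
    """Return (phase, next_change) for one key measurement.

    phase: 'immediate' | 'no-detection' | 'daily-only' | 'daily+weekly'
    next_change: when the phase next advances, or None if it will not.
    """
    if first_seen.tzinfo is None or now.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    if first_seen > now:
        raise ValueError("first_seen is in the future; check clock or time zone")
    if model == "static":
        return "immediate", None  # simple models need no warm-up
    age = now - first_seen
    if age < DAILY_WARMUP:
        return "no-detection", first_seen + DAILY_WARMUP
    if age < WEEKLY_WARMUP:
        return "daily-only", first_seen + WEEKLY_WARMUP
    return "daily+weekly", None


def coverage_gaps(inventory, now):
    """List measurements not yet fully covered, soonest change first."""
    gaps = []
    for name, first_seen, model in inventory:
        phase, next_change = detection_phase(first_seen, now, model)
        if next_change is not None:
            gaps.append((name, phase, next_change))
    return sorted(gaps, key=lambda g: g[2])


# Constructed sample inventory: (measurement, first observed, model type).
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    ("branch-rtr-01:eth0 throughput", NOW - timedelta(hours=30), "baseline"),
    ("crm-app response time", NOW - timedelta(days=5), "baseline"),
    ("hq-fw-02 cpu utilization", NOW - timedelta(days=20), "baseline"),
    ("dc-sw-03:te1/1 status", NOW - timedelta(hours=1), "static"),
]

if __name__ == "__main__":
    for name, phase, when in coverage_gaps(INVENTORY, NOW):
        print(f"{name}: {phase} until {when.isoformat()}")
```

Measurements reported as `no-detection` produce no indicators or incidents yet, so a quiet dashboard for a newly onboarded entity is not evidence of normal behavior.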

For how to configure baseline parameters and disable or re-enable a baseline policy, see Configure baseline settings.

Runbook automations (context and customization)

Runbooks gather additional data during an automated investigation and build a view of the environment at the time of the event. The platform can reconstruct that context and apply logic to surface actionable insights. Runbooks can also be customized to incorporate your organizational knowledge and tune investigations to your environment. For runbook types and how to work with them, see Runbooks and Runbook Editor.

Related information

Analytics algorithms overview, Configure baseline settings, Data Sources page, Runbooks.