Built-In Runbooks Overview

Riverbed IQ Ops provides a variety of automation capabilities in the form of Runbooks An automated workflow that executes a series of steps or tasks in response to a triggered event, such as the detection of anomalous behavior generating an incident, a lifecycle event, or a manually executed runbook.. A Runbook is a workflow built using Riverbed’s low-code/no-code designer which uses graphical drag-and-drop to build the workflow. IQ Ops supports the following types of Runbooks:

• Incident A collection of one or more related triggers. Relationships that cause triggers to be combined into incidents include application, location, operating system, or a trigger by itself. Automations Automated procedures that are executed as the result of a trigger. Automations consist of a single entry point and a sequence of connected nodes that define the processing logic.

• Incident Lifecycle Automations

• API-driven Automations

• On-Demand Automations

• Subflows A reusable automation chunk that performs frequently used functions, such as opening a ticket in an external system, and can be used to implement integrations with third-party systems.

The following list describes these automations:

• Incident Automations are Runbooks that execute automatically whenever a new Incident is created.

• Incident Lifecycle Automations are Runbooks that execute automatically whenever a triggering Lifecycle event occurs on an incident.

• API-driven Automations are Runbooks that are triggered in response to a configured-API call.

• On-Demand Automations are Runbooks that are triggered as required (either on-demand, or as scheduled).

• Subflows are Runbook “macros”: chunks of reusable automations that perform frequently used functions (e.g. open a ticket in an external system), and can also be used to implement integrations with 3rd party systems.

Each Runbook automation consists of a single Entry-point (i.e. Triggering A set of one or more indicators that have been correlated based on certain relationships, such as time, metric type, application affected, location, or network device. Entity Things deployed in the customer environment that are needed to run the business, such as applications, devices, interfaces, and locations.), and a set of interconnected nodes Individual components that make up a runbook automation, each performing a specific function such as data queries, transformations, logic, integrations, or visualizations. (each performing a specific function) comprised of: one or more paths of execution (each path a smaller part of the broader Processing-logic), that is traversed according to the data/context available at execution time.

The collection of Runbook Nodes available for an automation are displayed in the IQ Ops UI Runbook Editor page and depend upon the type of automation (e.g. Incident Automations will have a slightly different collection of available Runbook Nodes than Incident Lifecycle Automations). Additionally, the collection of Runbook Nodes displayed in the IQ Ops UI Runbook Editor page may vary depending upon IQ Ops configuration (e.g. certain nodes that require a specific Data Source Type will not be rendered for systems that do not have that Data Source Type configured).

Incident Automations High-level Workflow

Incident Automations are Runbooks that execute automatically whenever a new Incident is created.

New Incidents are created whenever the IQ Ops Analytics Pipeline detects anomalous behavior in the Key Measurements A measurement or data point that is monitored and analyzed to detect anomalies and generate incidents. streaming-in from Data Sources A product in your network that forwards data to the system. This data can be streaming data used to detect anomalies and generate incidents, or data that can be fetched on demand when runbooks are executed.. Key Measurements can be associated with a variety of observed Entities: Interfaces An entity type representing network interfaces on devices that are monitored for performance metrics and anomalies., Devices An entity type representing network devices or hardware components deployed in the customer environment that are monitored for performance and anomalies., Applications An entity type representing software applications deployed in the customer environment that are monitored for performance and anomalies., and Locations An entity type representing physical or logical locations in the customer environment where entities are deployed and monitored.. An anomalous event associated with any of these Entity-types will be surfaced as a new Incident, which will trigger an associated Runbook (based on the source Entity-type).

The associated Runbook automation is selected based on the “Entry-point” associated with the source Entity-type (i.e. Triggering Entity: {Interface, Devices, Application, Location}), then the “Processing-logic” will execute to perform analysis/investigation based on available data/context, and the resulting Runbook Output/Analysis attached to the incident.

Riverbed IQ Ops provides a number of “out-of-the-box” Incident Automation Runbooks that provide a default template upon which Users can customize, optimize, and tune to meet their specific requirements. The following list of “out-of-the-box” Incident Automation Runbooks are explored in the following sections:

• Device Down Issue

• Multi-Device Down Issue