Introduction to Runbooks

Riverbed IQ provides a variety of automation capabilities in the form of runbooks. A runbook is a workflow built using Riverbed’s low-code/no-code Runbook Editor, which provides a graphical drag-and-drop method for assembling the workflow. Riverbed IQ supports these types of runbooks:

  • Incident automations — These are runbooks that execute automatically whenever a new incident is created.

  • Incident lifecycle automations — These are runbooks that execute automatically whenever a triggering lifecycle event occurs on an incident.

  • API-driven automations — These are runbooks that are triggered in response to a configured API call.

  • On-demand automations — These are runbooks that are triggered as required (either on-demand, or as scheduled).

  • Subflows — These are runbook “macros”: chunks of reusable automations that perform frequently used functions (e.g., opening a ticket in an external system) and can also be used to implement integrations with third-party systems.

Each runbook automation consists of a single entry point (a Triggering Entity) and a sequence of connected nodes, each performing a specific function. The nodes make up one or more execution paths, with each path being a component of the larger processing logic that is traversed according to the data/context available at execution time.

The set of runbook nodes available for an automation is displayed in a palette on the left side of the Runbook Editor, and depends on the type of automation; for example, incident automations will have a slightly different collection of nodes available than incident lifecycle automations will. Additionally, the collection of runbook nodes displayed in the Runbook Editor may vary depending on how Riverbed IQ is configured, because nodes that require a specific data source type will not be available if that data source type is not configured.

Incident Automations

High-level Workflow

Incident automations are runbooks that execute automatically whenever a new incident is created.

New incidents are created whenever the Riverbed IQ analytics pipeline detects anomalous behavior in the key measurements streaming in from data sources. Key measurements can be associated with a variety of observed entities: applications, devices, interfaces, and locations. An anomalous event associated with any of these entity types will be surfaced as a new incident, which will trigger an associated runbook based on that source entity type.

The associated runbook automation is determined based on the Triggering Entity associated with the source entity type: Application, Device, Interface, or Location. The processing logic then executes to perform investigation and analysis based on the available data/context, and the resulting runbook analysis is attached to the incident.

Riverbed IQ provides a number of built-in incident automation runbooks that serve as default templates you can customize, optimize, and tune for your specific requirements. These built-in incident automation runbooks are covered in detail in their own topics:

  • Device Down Issue

  • Interface Performance Issue

  • Multi-Device Down Issue

  • Application Location Performance Issue