Introduction to Runbooks

Riverbed IQ Ops provides a variety of automation capabilities in the form of runbooksClosed An automated workflow that executes a series of steps or tasks in response to a triggered event, such as the detection of anomalous behavior generating an incident, a lifecycle event, or a manually executed runbook.. A runbook is a workflow built using Riverbed’s low-code/no-code Runbook Editor, which provides a graphical drag-and-drop method for assembling the workflow. Riverbed IQ Ops supports these types of runbooks:

  • Incident automations: These are runbooks that execute automatically whenever a new incident is created.

  • Incident lifecycle automations: These are runbooks that execute automatically whenever a triggering lifecycle event occurs on an incident.

  • API-driven automations: These are runbooks that are triggered in response to a configured API call.

  • On-demand automations: These are runbooks that are triggered as required (either on-demand, or as scheduled).

  • Subflows: These are runbook "macros": Chunks of reusable automations that perform frequently-used functions (e.g., open a ticket in an external system), and can also be used to implement integrations with third party systems.

Each runbookClosed An automated workflow that executes a series of steps or tasks in response to a triggered event, such as the detection of anomalous behavior generating an incident, a lifecycle event, or a manually executed runbook. automationClosed Automated procedures that are executed as the result of a trigger. Automations consist of a single entry point and a sequence of connected nodes that define the processing logic. consists of a single entry point (a Triggering EntityClosed A runbook node category that starts the runbook with a single trigger, serving as the entry point for runbook execution.) and a sequence of connected nodesClosed Individual components that make up a runbook automation, each performing a specific function such as data queries, transformations, logic, integrations, or visualizations., each performing a specific function. The nodes make up one or more execution paths, with each path being a component of the larger processing logicClosed A runbook node category that adds conditions to branch the runbook, enabling conditional execution paths based on data and context. that is traversed according to the data/context available at execution time.

The set of runbook nodes available for an automation is displayed in the Runbook Editor in a palette at the left side, and depends on the type of automation; for example, incident automations will have a slightly different collection of nodes available than incident lifecycle automations will. Additionally, the collection of runbook nodes displayed in the Runbook Editor may vary depending on how Riverbed IQ Ops is configured, because certain nodes that require a specific data sourceClosed A product in your network that forwards data to the system. This data can be streaming data used to detect anomalies and generate incidents, or data that can be fetched on demand when runbooks are executed. type will not be available if that data source type is not configured.

Incident Automations

High-level Workflow

IncidentClosed A collection of one or more related triggers. Relationships that cause triggers to be combined into incidents include application, location, operating system, or a trigger by itself. automations are runbooks that execute automatically whenever a new incident is created.

New incidents are created whenever the Riverbed IQ Ops analytics pipeline detects anomalousClosed An unexpected event or measurement that does not match the expected model. behavior in the key measurementsClosed A measurement or data point that is monitored and analyzed to detect anomalies and generate incidents. streaming in from data sourcesClosed A product in your network that forwards data to the system. This data can be streaming data used to detect anomalies and generate incidents, or data that can be fetched on demand when runbooks are executed.. Key measurements can be associated with a variety of observed entitiesClosed Things deployed in the customer environment that are needed to run the business, such as applications, devices, interfaces, and locations.: applicationsClosed An entity type representing software applications deployed in the customer environment that are monitored for performance and anomalies., devicesClosed An entity type representing network devices or hardware components deployed in the customer environment that are monitored for performance and anomalies., interfacesClosed An entity type representing network interfaces on devices that are monitored for performance metrics and anomalies., and locationsClosed An entity type representing physical or logical locations in the customer environment where entities are deployed and monitored.. An anomalous event associated with any of these entity types will be surfaced as a new incident, which will triggerClosed A set of one or more indicators that have been correlated based on certain relationships, such as time, metric type, application affected, location, or network device. an associated runbook based on that source entity type.

The associated runbook automation is determined based on the Triggering Entity associated with the source entity type: Application, Device, Interface, or Location. The processing logic then executes to perform investigation and analysis based on the available data/context, and the resulting runbook analysis is attached to the incident.

Riverbed IQ Ops provides a number of built-in Incident automation runbooks that provide default templates you can customize, optimize, and tune for your specific requirements. These built-in incident automation runbooks are covered in detail in their own topics:

  • Device Down Issue

  • Interface Performance Issue

  • Multi-Device Down Issue

  • Application Location Performance Issue