Incident Runbooks

Incident runbooks are runbooks that execute automatically whenever a new incident is created.

New incidents are created when the Riverbed IQ Ops analytics pipeline detects anomalous behavior in key metrics from data sources. Those metrics can be associated with entities such as applications (including application at a location and, separately, a named application activity at a location), devices, and interfaces. The platform correlates the resulting indicators into a detection and surfaces a new incident, which triggers an associated runbook based on that source entity type.

The runbook that runs is determined by the Triggering Entity for the source entity type, for example Application[s]/Location[s], Application/Activity/Location, Device, Interface, or Location. The runbook runs its processing logic using the available data and context, and the resulting runbook analysis is attached to the incident. For incidents raised on application activity at a location (including when Activity Response Time generates indicators in analytics), the entry trigger is Application/Activity/Location. You map and enable that automation on the Automation Management page like other incident triggers, and you can open the runbook in the Runbook Editor to customize it.

Riverbed IQ Ops provides built-in incident runbooks as default templates you can customize. For details, see the topics for the built-in incident runbooks (e.g. Device Down Issue, Interface Performance Issue, Multi-Device Down Issue, Application Location Performance Issue).