The Threshold Editor enables you to create and edit thresholds.
To access the Threshold Editor from the navigation bar, click the Events menu, select Configuration, and then select Threshold Browser to display the Threshold Browser. On the Threshold Browser, click New Threshold at the top of the page or click a threshold name in the list.
The Threshold Editor enables you to define a threshold. When you finish the threshold definition, click one of the following buttons.
When you edit a threshold, click Save to save the threshold changes.
Click Save as New to save the threshold as a new threshold.
The General Settings tab enables you to define the basic threshold settings.
Select the Enable check box to make the threshold active. Disabled thresholds appear in light text on the Threshold Browser.
When you edit a threshold that was created from a policy, click the Created By link to display the Policy Editor where you can edit the policy.
Click the Technology Type drop-down.
Select Flow to create a threshold that triggers based on flow data.
Select Metric to create a threshold that triggers based on any data except flow data.
In the Name field, enter a unique name for the threshold.
Perform the following steps for a new threshold. You cannot edit these fields after you save the threshold.
For a Technology Type Flow threshold.
Click the Device drop-down and select the device that contains the interface to trigger the threshold.
Click the Interface drop-down and select the interface to trigger the threshold.
For a Technology Type Metric threshold.
Click the Device Group drop-down and select the device group/device type in which the device is a member.
Click the Device drop-down and select the device to trigger the threshold.
Click the Severity drop-down and select the severity to display on the Alerts page when the threshold triggers an alert.
If the threshold does not inherit a schedule from its parent policy, click the Schedule Edit link to display a pop-up that enables you to define the times and/or dates for the threshold to run. See the Schedule section below.
Click the Email Edit link to display a pop-up that enables you to define email options. You can email the alerts the threshold generates to any valid email address. See the Email section below.
Click the Trap Destinations Edit link to display a pop-up that enables you to select where to send traps from the threshold.
Select the System Default check box to send traps to the trap destinations you designate as system defaults on the Trap Destination Associations page.
Select the Device Default check box to send traps to the trap destinations you define for the device on the Edit Device page.
Select the Threshold Specific check box above the list of trap destinations and then select the check box for each specific destination to which the threshold is to send traps.
Select the Append Condition Message check box to append the custom messages you define for each condition to the trigger message you define on the Trigger Conditions tab or to the clear message you define on the Clear Conditions tab.
You define the Trigger Message for all trigger conditions on the Trigger Conditions tab. See the Trigger Condition section below.
You define the Clear Message for all clear conditions on the Clear Conditions tab. See the Clear Condition section below.
You define a Custom Message for each individual trigger condition and for each individual clear condition when you define each individual condition. See the Create and Edit Conditions section below.
In the Description field, enter the description of the threshold. This appears only when you define the threshold.
For Technology Type Flow thresholds, click the Aggregated View drop-down and select the FlowFalcon view to use in FlowFalcon reports in which to display the data that triggered the threshold.
For Technology Type Flow thresholds, click the Filter drop-down and select the filter to use in the FlowFalcon report associated with the threshold.
For Technology Type Flow thresholds, click the Direction drop-down and select the flow direction to trigger the threshold.
The alert engine runs every three minutes to retest all thresholds. The Schedule pop-up enables you to define specific time spans for when you want to enable or disable the alert engine to test the threshold. If you do not define a schedule, the alert engine tests the threshold every three minutes until you disable the threshold.
The Periodic tab enables you to define a regularly occurring time span to either enable or disable the threshold.
Select one of the following options.
Select Disable During This Time to disable the threshold for the days and/or times you define on the Periodic tab.
Select Enable During This Time to enable the threshold for the days and/or times you define on the Periodic tab.
Select the check box next to each day for the threshold to be enabled/disabled (dependent on the option you select in the previous step).
In the Start Time fields, enter the start time.
In the End Time fields, enter the end time.
Click the Time Zone drop-down and select a time zone.
Click Add to add the periodic schedule to the list.
Repeat the steps on the Periodic tab to add additional schedules. Schedules are checked in the sequence in which they appear in the list and the first applicable schedule is applied to the threshold. If no schedule is applicable, the threshold is enabled by default.
The Schedule tab enables you to schedule a specific time span to either enable or disable the threshold.
Select one of the following options.
Select Disable During This Time to disable the threshold for the time span you define on the Schedule tab.
Select Enable During This Time to enable the threshold for the time span you define on the Schedule tab.
Click in the Start Date field to display a calendar. Use the calendar to select the date to start the time span to enable/disable the threshold (dependent on the option you select in the previous step).
Enter the start time.
Click in the End Date field to display a calendar. Use the calendar to select the date to end the time span to enable/disable the threshold.
Enter the end time.
Click the Time Zone drop-down and select a time zone.
Click Add to add the schedule to the list.
Repeat the steps on the Schedule tab to add additional schedules. Schedules are checked in the sequence in which they appear in the list and the first applicable schedule is applied to the threshold. If no schedule is applicable, the threshold is enabled by default.
Click Close to save the schedule settings.
The Email pop-up enables you to define who should receive emails when the threshold triggers an alert. You can email threshold alerts to valid email addresses and to the users and user roles you define in SevOne NMS. There is no limit to the number of email recipients.
Perform the following steps in the Addresses section.
In the left Addresses field, enter the email address for a recipient.
Move the address to the right Addresses field.
Repeat the previous steps to add additional email addresses. Email addresses that appear in the right field receive an email when the threshold triggers an alert.
Perform the following steps in the Users section.
In the left Users field, select the user to receive alert emails (use the Ctrl or Shift keys to multi-select).
Move the users you select to the right Users field. Users that appear in the right Users field receive an email when the threshold triggers an alert.
Click the Roles drop-down and select the check box for each user role whose members are to receive an email when the threshold triggers an alert.
Select one of the following options.
Select Just Once to only send one email when the threshold triggers the first occurrence of an alert. All subsequent occurrences (until the alert is cleared) are not emailed. This prevents an email from being sent every three minutes when a device is down.
Select One Time Every, enter a number in the text field, then click the drop-down and select minutes, hours, or days to send multiple emails when the threshold triggers alerts.
Click Close to save the email settings.
The Trigger Conditions tab enables you to define the conditions for which to trigger the threshold and to define the trigger message. The information you enter on the General Settings tab displays in the upper section on the tab.
Should you choose to define a trigger condition, and then you choose to define a clear condition that is contradictory, the trigger condition takes precedence.
You define a trigger condition to trigger an alert when something is greater than 10.
You define a clear condition to clear the alert when the same thing is greater than 20.
If the thing is 25, the alert will trigger and the alert will not be cleared.
In the Trigger Message field, enter the message to display for the threshold on the Alerts page. On the Alerts page the trigger message appears as Threshold triggered - <trigger message you enter here>. The custom message for each trigger condition appends to this trigger message when you select the Append Condition Message check box on the General tab and you enter a custom message for each trigger condition. See the Create and Edit Conditions section below. Trigger messages support a variety of variables that allow you to customize your alerts to be as detailed as possible. The following variables are supported for Trigger Messages:
$deviceName displays the name of the device that triggered the condition.
$deviceAltName displays the alternate name of the triggered device.
$deviceIp displays the IP address of the triggered device.
$deviceId displays the triggered device's ID.
$thresholdId displays the ID of the threshold triggered.
$thresholdName displays the name of the threshold that was triggered.
$alertState displays the severity status of the policy occurring. For example, Emergency or Debug.
$alertType displays the technology type of the policy occurring.
Custom message variables are not available for Flow thresholds.
For Technology Type Flow thresholds, in the Duration field, enter the length of time for the condition to exist before the trigger condition triggers the threshold. The value you enter here is multiplied by the length of time you enter as the Write Interval on the Cluster Manager > Cluster Settings tab.
The Write Interval displays next to this field. The default write interval is 60 seconds. If you want the trigger condition to exist for five minutes before the threshold is triggered, enter 5 in the duration field. If the write interval has been changed, adjust the value accordingly: the value you enter multiplied by the write interval must equal the length of time you want.
Click in the Conditions section to manage the trigger conditions.
Select Create New to add a new condition to the threshold. See the Create and Edit Conditions section below.
Select the check box for each condition to delete, then select Delete Selected to delete the conditions you select.
Select the check box for each condition to add to a rule, then select Add to Rule <n> to add the conditions you select to a specific rule.
Click in the Edit column to display the Edit Conditions pop-up. See the Create and Edit Conditions section below.
Click in the Rules section to manage the trigger condition rules.
Select Create New to add a new rule to the condition. Rule numbers are sequential. Each condition for a rule is treated as an AND Boolean operator. Add a new rule to create an OR Boolean operator. See the Boolean Operators section below.
Select the check box for each rule to delete, then select Delete Selected to delete the rules you select.
Click in the Conditions column to remove a condition from a rule.
If you add a condition when no rule exists, the condition is assigned to Rule 1 using the AND Boolean operator.
Although Webhooks are visible, they are disabled and cannot be configured when adding a threshold. At present, Webhooks can only be configured on Policies.
The Clear Conditions tab enables you to define the conditions to clear the alert. If you do not define a clear condition, alerts triggered by the trigger condition continue to display on the Alerts page until you manually acknowledge the alert. The information you enter on the General Settings tab displays in the upper section on the tab.
In the Clear Message field, enter the message to display for the threshold on the Alert Archives. On the Alert Archives, the clear message appears as Threshold cleared - <clear message you enter here>. The custom message for each clear condition appends to this clear message when you select the Append Condition Message check box on the General tab and you enter a custom message for each clear condition. See the Create and Edit Conditions section below. This message supports the same set of variables that a Trigger Message would support. Custom message variables are not available for Flow thresholds.
For Technology Type Flow thresholds, in the Duration field, enter the length of time for the condition to not exist before the clear condition clears the threshold. The value you enter here is multiplied by the length of time you enter as the Write Interval on the Cluster Manager > Cluster Settings tab.
Click in the Conditions section to manage the clear conditions.
Select Create New to add a new condition to the threshold. See the Create and Edit Conditions section below.
Select the check box for each condition to delete, then select Delete Selected to delete the conditions you select.
Select the check box for each condition to add to a rule, then select Add to Rule <n> to add the conditions to a specific rule.
Click in the Edit column to display the Edit Conditions pop-up. See the Create and Edit Conditions section below.
Click in the Rules section to manage the clear condition rules.
Select Create New to add a new rule to the condition. See the Boolean Operators section below.
Select the check box for each rule to delete, then select Delete Selected to delete the rules you select.
Click in the Conditions column to remove a condition from a rule.
The Edit Condition pop-up enables you to define the condition to either trigger the threshold or to clear the threshold. Conditions determine when to trigger an alert and when to clear an alert.
A right Riemann sum of the Gauge form of the data is used when you select the Total option from the Aggregation drop-down.
For Technology Type Flow thresholds, perform the following steps to create a trigger condition or a clear condition.
Click the Fields drop-down and select a field.
Click the Aggregation drop-down and select a data aggregation option.
Click the Comparison drop-down and select a comparison operator.
In the Value field, enter the value to trigger/clear the condition. Click the corresponding drop-down and select the unit of measure.
In the Custom Message field, enter a custom message that is specific to the condition. The custom message appends to the trigger message or to the clear message when you select the Append Condition Message check box on the General tab. Custom message variables are not available for Flow thresholds.
Click Save to save the condition.
For Technology Type Metric thresholds, there are four types of conditions.
Static conditions compare the current value of an indicator with the value you define.
Baseline conditions compare the current value of an indicator with the indicator's baseline value. There are three types of baseline conditions.
Slope conditions perform a calculation on the most recent six data points (minimum of four valid points) and compare the result to the threshold you define for the condition. Slope conditions look for variation of a value from the values that came before to measure the relative consistency. This detects a significant change in behavior over a short time.
Time since newest data point conditions alert on the number of seconds since the most recent data point for a given object.
Static conditions compare the current value of an indicator with the value you define.
Examples:
Inbound traffic is greater than 50Mb/s
Idle CPU time is less than 10%
Perform the following steps to define a Static condition.
Click the Indicator drop-down and select the indicator on which to base the condition.
Click the Type drop-down and select Static to compare the actual current indicator value to the policy indicator value you define.
Click the Comparison drop-down and select a comparison operator. Most comparison operators are self-explanatory.
Select Bad Polls to trigger or clear an alert when a poll attempt either receives nothing or receives invalid data. This creates a time stamp entry and an entry in the data column that represents an unsuccessful poll. This drives the SNMP Availability metric of how many unsuccessful poll attempts were made in a given cycle versus how many poll attempts were successful.
In the Threshold field, enter the value at which to trigger/clear the condition then click the Threshold drop-down and select the value unit of measure.
The Duration field has two scenarios, a smoothing time duration or a detection time duration.
If you select Greater Than, Less Than, Equal To, Greater Than Equal To, Less Than Equal To, or Not Equal To in the Comparison field, enter the number of minutes for which the condition is to be met before the condition triggers/clears.
If you select Bad Polls, Changed, Changed From, or Changed To in the Comparison field, enter the number of minutes in which the condition must occur at least once before the condition triggers/clears. The Duration for these Comparisons must be equal to or greater than the poll frequency of the device or an alert does not trigger.
As of SevOne NMS 5.7.2.22, when creating a new condition, Duration greater than 120 minutes (2 hours) is no longer allowed. However, for existing Thresholds, if the Duration is set to greater than 120 minutes (2 hours), it will maintain the duration and not be changed.
Click the Aggregation drop-down and select a data aggregation method. When you choose the Count Over Threshold option, the Count field becomes available. Specify the count number in the Count field. When you choose the Time Over Threshold option, the Time field becomes available. Specify the time in minutes in the Time field.
The configured time in Time Over Threshold should not be longer than the value set in field Duration.
In the Custom Message field, enter a custom message that is specific to the condition. The custom message appends to the trigger message or to the clear message when you select the Append Condition Message check box on the General tab. You can enter variables to display such things as device name, IP address etc. See the Custom Message Variables list below.
Click Save to save the condition.
Note: If you define a static alert condition with the Indicator set to Operational and the Comparison set to Changed From or Changed To, and the interface is changed from Operationally Up to Operationally Down (or vice versa) no alert is triggered.
Baseline conditions compare the current value of an indicator with the indicator's baseline value. There are three types of baseline conditions.
Baseline Delta - Examples:
Inbound traffic is greater than 10Mb/s, relative to the baseline
Idle CPU time is less than 5% of the total, relative to the baseline
Baseline Percentage - Examples:
Inbound traffic is greater than 150% of the baseline
Idle CPU time is less than 60% of the baseline
Baseline Standard Deviation - Examples:
Inbound traffic is above/below three standard deviations of the baseline
Idle CPU time is below two standard deviations of the baseline
Details:
If the baseline value is 100 and the standard deviation is 50, this does not model the expected actual value, since this appears to shift above and below the baseline value by a significant amount.
If the baseline value is 100 and the standard deviation is 10, this is a better representation of the normal value.
Note: Baseline Delta that uses Percentage vs. Baseline Percentage:
Baseline Delta uses a percentage comparison unit to the baseline +/- a percentage of the maximum indicator value. Baseline Delta is most useful when the scale of the baseline and the scale of the indicator are very different. Example: A critical interface that has typically low utilization but has irregular spikes that are no more than 10% of the total link capacity. If you do not know the value of the baseline itself, it is difficult to use the Baseline Percentage condition type.
Baseline Percentages compare the value to a percentage of the baseline.
Perform the following steps to define a Baseline condition.
Click the Indicator drop-down and select the indicator on which to base the condition.
Click the Type drop-down.
Select Baseline Delta to compare the actual current indicator value to the indicator's baseline value.
In the Threshold field, enter the value at which to trigger/clear the condition then click the Threshold drop-down and select the value unit of measure. Percentage refers to a percentage of the maximum value of the indicator and is not to be interpreted as a percentage of the baseline value.
Click the Comparison drop-down and select a comparison operator.
Select Baseline Percentage to compare the ratio of the current indicator value to the indicator's baseline value.
Click the Comparison drop-down and select a comparison operator.
In the Threshold field, enter the percentage value at which to trigger/clear the condition.
Select Baseline Standard Deviation to compare the current indicator value to the indicator's expected regional value using standard deviations, a measure that approximates the uncertainty of the value. Most data can be expected to be within six standard deviations of the baseline. A typical condition will test whether the data is above and/or below two or three standard deviations from the baseline value.
Click the Standard Deviations drop-down and select the number of deviations. A smaller standard deviation means a tighter bracket on what is normal. The size of the standard deviation should represent the behavior of the data.
Click the Direction drop-down and select Above, Below, or Above or Below the baseline. The most common use case is for Above or Below to have the condition test for deviations in both directions.
The Duration field has two scenarios, a smoothing time duration or a detection time duration.
If you select Greater Than, Less Than, Equal To, Greater Than Equal To, Less Than Equal To, or Not Equal To in the Comparison field, enter the number of minutes for which the condition is to be met before the condition triggers/clears.
If you select Bad Polls, Changed, Changed From, or Changed To in the Comparison field, enter the number of minutes in which the condition must occur at least once before the condition triggers/clears. The Duration for these Comparisons must be equal to or greater than the poll frequency of the device or an alert does not trigger.
As of SevOne NMS 5.7.2.22, when creating a new condition, Duration greater than 120 minutes (2 hours) is no longer allowed. However, for existing Thresholds, if the Duration is set to greater than 120 minutes (2 hours), it will maintain the duration and not be changed.
Click the Aggregation drop-down and select a data aggregation method.
In the Custom Message field, enter a custom message that is specific to the condition. The custom message appends to the trigger message or to the clear message when you select the Append Condition Message check box on the General tab. You can enter variables to display such things as device name, IP address etc. See the Custom Message Variables list below.
Click Save to save the condition.
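The difference between the three baseline condition types is easiest to see side by side. The following is an added example, not SevOne code: the function names, the 1000 Mb/s link, and the baseline and sigma values are constructed, and every condition is assumed to use the Greater Than comparison (or a direction for standard deviations).

```python
def baseline_delta_limit(baseline, threshold, unit, indicator_max):
    """Limit for a Baseline Delta condition with Comparison = Greater Than.

    With unit == "percent" the threshold is a percentage of the indicator's
    maximum value, not of the baseline (as the page states).
    """
    if unit == "percent":
        delta = indicator_max * threshold / 100
    else:
        delta = threshold            # absolute delta in the indicator's units
    return baseline + delta


def baseline_percentage_limit(baseline, percent):
    """Limit for a Baseline Percentage condition: a percentage of the baseline."""
    return baseline * percent / 100


def sigma_hit(value, baseline, sigma, deviations, direction):
    """Baseline Standard Deviation test for the chosen Direction."""
    above = value > baseline + deviations * sigma
    below = value < baseline - deviations * sigma
    return {
        "Above": above,
        "Below": below,
        "Above or Below": above or below,
    }[direction]


def compare(values, baseline, sigma, indicator_max):
    """Show which condition type fires for each observed value."""
    rows = []
    for v in values:
        rows.append({
            "value": v,
            # 10% of the maximum indicator value above the baseline
            "delta_10pct_of_max": v > baseline_delta_limit(
                baseline, 10, "percent", indicator_max),
            # 10 Mb/s above the baseline
            "delta_10_mbps": v > baseline_delta_limit(
                baseline, 10, "absolute", indicator_max),
            # 150% of the baseline
            "pct_150_of_baseline": v > baseline_percentage_limit(baseline, 150),
            # three standard deviations in either direction
            "sigma_3_either": sigma_hit(v, baseline, sigma, 3, "Above or Below"),
        })
    return rows


# Constructed sample: a 1000 Mb/s interface that normally carries about 2 Mb/s.
LINK_MAX_MBPS = 1000
BASELINE_MBPS = 2
SIGMA_MBPS = 0.5
OBSERVED_MBPS = [2.5, 4, 90, 150]

if __name__ == "__main__":
    for row in compare(OBSERVED_MBPS, BASELINE_MBPS, SIGMA_MBPS, LINK_MAX_MBPS):
        print(row)
```

On a lightly used link, Baseline Percentage and Baseline Standard Deviation fire on a 4 Mb/s reading, while Baseline Delta as a percentage of the maximum stays quiet until traffic exceeds 102 Mb/s.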
Slope conditions use a data window of six data points (minimum of four valid points) to perform the deviation from average (DFA) calculation or the relative standard deviation (RSD) calculation. The result of the calculation is compared to the threshold you define in the condition to trigger or clear the policy. Slope conditions look for variation of a value from the values that came before to measure the relative consistency. This detects a significant change in behavior over a short time. A data window consists of at least four successful poll points and at most six successful poll points. As each new data point is received, the oldest data point is dropped and the new data point is validated. Whenever there are between four and six valid data points, the calculation is performed for the condition.
There are two types of slope conditions.
Slope Variance DFA - Algorithm = std::abs( (P-avg)/avg )
P = The value of the point.
avg = The average of the points within data window.
The return value is an absolute value that represents both increasing slope and decreasing slope at the same time.
Slope Variance RSD - Algorithm = (100*stdDev)/avg
stdDev = The standard deviation from data window.
avg = The average of the data window.
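The two slope formulas can be replayed over a series of polls to see when each would cross a threshold. This is an added example, not SevOne code. It assumes that P is the newest poll, that stdDev is the population standard deviation, and that a bad poll occupies a slot in the six-poll window; the sample series and threshold values are constructed.

```python
from collections import deque
from statistics import fmean, pstdev

WINDOW_MAX = 6   # page: at most six poll points in the data window
WINDOW_MIN = 4   # page: at least four valid points before calculating


def slope_variance(polls):
    """Return (dfa, rsd) for the newest poll, or None where not computable.

    polls: recent poll values, oldest first; None marks a bad poll.
    """
    window = list(polls)[-WINDOW_MAX:]
    valid = [v for v in window if v is not None]
    if len(valid) < WINDOW_MIN:
        return None, None
    avg = fmean(valid)
    if avg == 0:
        return None, None              # both formulas divide by avg
    # Slope Variance RSD = (100*stdDev)/avg (assumption: population std dev)
    rsd = 100 * pstdev(valid) / avg
    # Slope Variance DFA = abs((P-avg)/avg); assumption: P is the newest poll,
    # so a bad newest poll yields no DFA value.
    newest = window[-1]
    dfa = abs((newest - avg) / avg) if newest is not None else None
    return dfa, rsd


def replay(series, dfa_threshold, rsd_threshold):
    """Feed polls one at a time; report which exceed each threshold
    (Comparison = Greater Than)."""
    window = deque(maxlen=WINDOW_MAX)  # oldest point drops as new ones arrive
    rows = []
    for i, value in enumerate(series):
        window.append(value)
        dfa, rsd = slope_variance(window)
        rows.append({
            "poll": i,
            "dfa": dfa,
            "rsd": rsd,
            "dfa_trigger": dfa is not None and dfa > dfa_threshold,
            "rsd_trigger": rsd is not None and rsd > rsd_threshold,
        })
    return rows


# Constructed sample: steady inbound rate, one bad poll, then a sudden jump.
SAMPLE = [100, 102, 98, 101, None, 99, 250]

if __name__ == "__main__":
    for row in replay(SAMPLE, dfa_threshold=0.5, rsd_threshold=25):
        print(row)
```

Nothing is calculated for the first three polls, the steady readings stay near a DFA of 0.01 and an RSD of about 1.4, and the jump to 250 pushes DFA to about 0.92 and RSD to about 46.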
Perform the following steps to define a Slope condition.
Click the Indicator drop-down and select the indicator on which to base the condition.
Click the Type drop-down.
Select Slope Variance DFA to compare the current indicator value to the indicator’s deviation from average value you define. This function calculates the degree to which the current value is different from the expected value and so the default threshold values are provided. This technique is also most effective when combined with other conditions.
Select Slope Variance RSD to compare the current indicator value to the indicator’s relative standard deviation value you define.
Click the Comparison drop-down and select a comparison operator.
In the Threshold field, enter the numeric value at which to trigger/clear the condition.
Duration is irrelevant for the Slope Variance DFA condition type and for the Slope Variance RSD condition type.
In the Custom Message field, enter a custom message that is specific to the condition. The custom message appends to the trigger message or to the clear message when you select the Append Condition Message check box on the General tab. You can enter variables to display such things as device name, IP address etc. See the Custom Message Variables list below.
Click Save to save the condition.
The Time since newest data point condition allows the system to detect when the number of seconds since the newest data point exceeds the configured threshold. It also detects when data (from Universal Collector or any other source) is not being collected for the configured object or when a problem in the pipeline leaves the system unable to collect the data from it.
Perform the following steps to define the condition.
Click the Indicator drop-down and select the indicator on which to base the condition.
Click the Type drop-down and choose Time since newest data point.
In the Threshold field, enter the number of seconds since the most recent data point on a given object.
In the Custom Message field, enter a custom message that is specific to the condition. The custom message appends to the trigger message or to the clear message when you select the Append Condition Message check box on the General tab. You can enter variables to display such things as device name, IP address etc. See the Custom Message Variables list below.
Click Save to save the condition.
You can use the following variables when you enter a custom message for a trigger condition or a clear condition.
Custom message variables are not available for Flow thresholds.
$deviceIp displays the IP address of the device associated with this condition.
$deviceId displays the ID of the device associated with this condition.
$deviceName displays the name of the device associated with this condition.
$deviceAltName displays the alternate name of the triggered device.
$pluginName displays the short name for the plugin. For example, SNMP.
$pluginDescription displays the description of the plugin. For example, SNMP Poller.
$objectId displays the ID of the object associated with this condition.
$objectName displays the object name associated with this condition.
$objectAltName displays the alternate name of the triggered object.
$objectDescription displays the description of the object associated with this condition.
$indicatorName displays the indicator name associated with this condition.
$indicatorDescription displays the indicator description associated with this condition.
$comparisonOperation displays the comparison operation being performed in this condition.
$comparisonUnits displays the units of measurement being used in this condition.
$comparisonValue displays the value being used for comparison in this condition.
$dataValue displays the value observed or measured in this condition.
$dataUnits displays the unit of measurement that is recorded for the indicator in this condition.
$aggregationOperation displays the aggregation being used in this condition.
$aggregationDuration displays the duration of the aggregation being used in this condition.
$baselineValue displays the baseline value for this hour.
$sigmaValue displays the standard deviation value for this hour.
$sigmaDirection displays the standard deviation direction used in this condition.
$thresholdId displays the id of the threshold.
$thresholdName displays the name of the threshold.
$thresholdValue displays the reference value over which the condition triggers.
$alertState displays the severity of the policy. For example, Emergency or Debug.
$alertType displays the technology type of the policy.
Boolean AND Operator
The Action icons enable you to create new conditions, create new rules, and to manage the conditions to rules assignments.
To combine several conditions as a Boolean AND operator, add all of the applicable conditions to a single rule so that the Trigger/Clear Condition tab displays the conditions as Rule 1 | Conditions A AND B AND C etc.
Boolean OR Operator
To combine several conditions as a Boolean OR operator, create two or more rules and add applicable conditions to the applicable rules so that the Trigger/Clear Condition tab displays the conditions for the first rule OR the conditions for the second rule, OR conditions for the third rule, etc.
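The rule logic described here (AND within a rule, OR across rules) and the precedence described on the Trigger Conditions tab (a trigger condition wins over a contradictory clear condition) can be modelled in a few lines. This is an added example, not SevOne code: the function names, indicator names and sample values are constructed, and an empty rule is assumed never to match.

```python
import operator

OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
       "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def condition_met(cond, sample):
    """cond = (indicator, comparison, value); sample maps indicator -> value."""
    indicator, comparison, value = cond
    if indicator not in sample:
        return False                 # no data for this indicator: not met
    return OPS[comparison](sample[indicator], value)


def rules_match(rules, sample):
    """Conditions inside one rule are ANDed; separate rules are ORed.
    Assumption: a rule with no conditions never matches."""
    return any(
        bool(rule) and all(condition_met(c, sample) for c in rule)
        for rule in rules
    )


def next_state(active, sample, trigger_rules, clear_rules):
    """Return whether the alert is active after evaluating one sample."""
    if rules_match(trigger_rules, sample):
        return True                  # trigger takes precedence over clear
    if active and rules_match(clear_rules, sample):
        return False
    return active                    # neither matched: state is unchanged


def run(values, trigger_rules, clear_rules, indicator="thing"):
    """Replay a series of values and return the alert state after each one."""
    active, states = False, []
    for v in values:
        active = next_state(active, {indicator: v}, trigger_rules, clear_rules)
        states.append(active)
    return states


# The page's example: trigger when greater than 10, clear when greater than 20.
TRIGGER = [[("thing", ">", 10)]]
CONTRADICTORY_CLEAR = [[("thing", ">", 20)]]
CONSISTENT_CLEAR = [[("thing", "<=", 10)]]     # constructed for comparison

# Rule 1: idle CPU < 10 AND inbound > 50   OR   Rule 2: errors > 100
TWO_RULES = [
    [("idle_cpu_pct", "<", 10), ("inbound_mbps", ">", 50)],
    [("errors", ">", 100)],
]

if __name__ == "__main__":
    series = [5, 25, 15, 5]
    print(run(series, TRIGGER, CONTRADICTORY_CLEAR))
    print(run(series, TRIGGER, CONSISTENT_CLEAR))
```

In this model the contradictory clear condition can never take effect, because every value that satisfies it also satisfies the trigger, so the alert stays active once raised.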