General Alert Questions


#1

1.) If I assign an Alert to a Custom Group, does it look at each device in that group individually and alert on them, or does it look at the consolidated metrics and report on the group as a whole?

2.) Regarding the “Trend Settings” tab, when using Same Hour or Hour Rolling Average, when does the Alert fire, at the end of that hour? If so, I assume that would be a bad choice when you’re trying to catch an outage?

3.) Regarding the “Trend Settings” tab, does Minute Rolling fire based off the configuration under Alert Settings?

4.) Second to last question: is there a way to alert us when the metrics exceed the mean, but not let those random one-off spikes cause the mean to go up and potentially miss the next spike? For example, we have an issue with Rcv Wnd Throttles Out; over the last 2 weeks it is showing an average of 2,063 a day. The issue is we had 2 days with big spikes: 5,356 and 13,254. If you exclude those, the daily average is only 202 Rcv Wnd Throttles Out a day. Is there a way to exclude the extreme spikes but still report on them when they happen?

5.) When you configure the “Trend Settings” tab, what does that apply to on the “Alerts Settings” tab? Obviously it probably has something to do with “Percentage of trend”, but does it define the mean, median, or standard deviation on the 1st drop-down?


#2
  1. If you assign an Alert to a Device Group, it will assign an individual Device Alert to each Device in the group. If you want to aggregate all the metrics across all the members of the group, you can create an application or use a custom device to create a single object for your alert.

https://docs.extrahop.com/4.0/eh-trigger-api-quick-start-guide/eh-trigger-api-quick-start-guide.pdf

  2. This setting only sets how many events you want to use to create your trend. If you do Same Hour of the Day, the trend alert will compare 00:00-01:00 on Monday to 00:00-01:00 on Tuesday, to 00:00-01:00 on Wednesday, etc. However, this does not change the interval checked for the alert to fire, just the type of data to compare. This is a good setting to use to keep track of daily scheduled tasks like batch jobs. Same Day of the Week is good for traffic patterns that are expected on specific days (Saturday backups).

  Minute Rolling / Hour Rolling Averages only check the last Lookback events. So by default, a Minute Rolling Average with a lookback of 45 minutes is only going to keep a trend of 45 minutes for comparison, and the Hour Rolling Average will check 45 hours for the trend. This is better for detecting sudden spike events.

  3. The Alert Settings are used to define the actual event. It will take the trend data defined in the Trend Settings and check to see if the Alert When criteria are met.

  4. What you want to do is weight the most recent data. In the Trend Settings there is a Weighting Model section where you can change how much the most recent events count toward your overall average trend. It sounds like you want to weight the most recent events less than the older events. This should preserve your low mean for longer if spike events keep occurring.

  Below is a link to an additional post about Alerts that will help:

  https://www.extrahop.com/community/blog/2015/using-math-adds-up-to-better-alerts/

  5. The Trend Settings tab is used to define your set of data for the comparison in the Alert Settings. The Trend Settings define the ‘bucket’ and how much new events affect the ‘bucket’, while the Alert Settings define what conditions the current status of the bucket must reach to fire an Alert.
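To make the lookback / weighting discussion in answers 2, 4 and 5 concrete, here is an added example (not ExtraHop's code or its actual trend formula) that builds a lookback-bounded trend from a constructed daily series containing the two spike values from the question, and shows how a "percentage of trend" check behaves when recent samples are weighted less. The geometric weighting and the 200% threshold are assumptions chosen for illustration.

```python
# Added example, not ExtraHop code: lookback-bounded trend with a weighting
# model, showing how spike days move the mean an alert compares against.

# Constructed daily Rcv Wnd Throttles Out counts: a flat ~202/day baseline
# followed by the two spike days quoted in the question (5,356 and 13,254).
SAMPLE_DAYS = [202] * 12 + [5356, 13254]   # constructed, 14 "days"


def weighted_trend(values, lookback, recent_weight=1.0):
    """Weighted mean of the last `lookback` values.

    Assumed weighting model (not ExtraHop's): weight = recent_weight ** pos,
    pos 0 = oldest sample in the window. recent_weight < 1 makes newer
    samples count less, > 1 makes them count more, 1.0 is a plain mean.
    """
    window = values[-lookback:]
    weights = [recent_weight ** i for i in range(len(window))]
    return sum(v * w for v, w in zip(window, weights)) / sum(weights)


def percent_of_trend(current, trend):
    """Current sample expressed as a percentage of the trend value."""
    return 100.0 * current / trend if trend else float("inf")


def evaluate(values, lookback, threshold_pct, recent_weight=1.0):
    """Walk the series day by day, alerting when a new sample is at least
    threshold_pct of the trend built from the *earlier* samples only.

    Returns (alerts, final_trend); each alert is (index, value, trend, pct).
    """
    alerts = []
    for i in range(lookback, len(values)):
        trend = weighted_trend(values[:i], lookback, recent_weight)
        pct = percent_of_trend(values[i], trend)
        if pct >= threshold_pct:
            alerts.append((i, values[i], round(trend), round(pct)))
    return alerts, weighted_trend(values, lookback, recent_weight)


if __name__ == "__main__":
    # Plain 7-day rolling mean: both spikes alert, but the trend the next
    # alert would compare against is now inflated by the spike days.
    plain_alerts, plain_trend = evaluate(SAMPLE_DAYS, 7, 200)
    print("unweighted alerts:", plain_alerts, "trend now:", round(plain_trend))
    # Weighting recent samples less: both spikes still alert, and the trend
    # stays close to the 202/day baseline afterwards.
    w_alerts, w_trend = evaluate(SAMPLE_DAYS, 7, 200, recent_weight=0.5)
    print("weighted alerts:  ", w_alerts, "trend now:", round(w_trend))
```

The trade-off to check on real data is the reverse case: a weighting that damps recent samples also slows the trend's response to a genuine, sustained change in baseline.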
