Tip of the Week: AI Triggers and the Application commit() method

In this week's installment of TotW, I want to talk about the commit() method for applications. I've seen some confusion over when it is the appropriate time to use the method, so below are some guidelines on how and when to use commit(). So let's get to it!

  • The commit() method explicitly adds the built-in metrics that ExtraHop generates for an AI Trigger event. If you are only adding custom metrics and don't care about the built-in metrics, you don't need commit(); your application will still show up on the Applications page.
  • The commit() method is only valid on specific events, as listed in the Application section of the Trigger API Documentation. The events are listed below. The reason: certain metrics, such as HTTP status codes and errors, are unavailable until specific events in a flow, so the ExtraHop system has to wait for those events. Note: TCP_OPEN and FLOW_CLASSIFY events are excluded from this list because they use the setApplication() method instead of commit(); we'll discuss this in a future post.

  | Application Component | Event |
  |---|---|
  | AAA | AAA_REQUEST and AAA_RESPONSE |
  | DB | DB_RESPONSE |
  | DNS | DNS_REQUEST and DNS_RESPONSE |
  | HTTP | HTTP_RESPONSE |
  | IBMMQ | IBMMQ_REQUEST and IBMMQ_RESPONSE |
  | ICA | ICA_TICK and ICA_CLOSE |
  | LDAP | LDAP_REQUEST and LDAP_RESPONSE |
  | Memcache | MEMCACHE_REQUEST and MEMCACHE_RESPONSE |
  | NAS | CIFS_RESPONSE or NFS_RESPONSE |
  | SSL | SSL_RECORD and SSL_CLOSE |
  | FIX | FIX_REQUEST and FIX_RESPONSE |
  | FTP | FTP_RESPONSE |
  | SMTP | SMTP_REQUEST and SMTP_RESPONSE |

  • Don’t use more than one commit() for the same event and application. Think of applications as a bucket of metrics. Each commit() call adds the automatically generated metrics to that application bucket. If you call commit() on the same event more than once, you’ll double count (or more) metrics.

To illustrate some of these points, I put together a small trigger. Feel free to try this out on your own systems.

    // Event: HTTP_RESPONSE

    // Commits built in metrics
    Application('test1').commit();

    // Commits built in metrics twice
    Application('test2').commit();
    Application('test2').commit();

    // Commits built in metrics three times
    Application('test3').commit();
    Application('test3').commit();
    Application('test3').commit();

    Application('test4_custom_metrics').metricAddCount('test_count_metric',1);

This trigger generates four applications: test1, test2, test3, and test4_custom_metrics.

You can see that the commit() method isn't necessary to create an application: the test4_custom_metrics application shows up on our list.

### test1 application

From what we discussed above, the test1 application has the same HTTP metrics you'll typically see on the built-in pages.

### test2 application

### test3 application

When we look at the test2 and test3 applications, we can see that the HTTP metrics are double and triple the metrics from the test1 application. This is because of our repeated commit() method calls against the same application.

### test4_custom_metrics application

Notice that the built-in “Web” page isn’t in the left navigation. We never used the commit() method on this application, so we haven’t captured any of the built-in HTTP metrics.

But if we use the Metric Explorer, we can see we have been committing the test metric which we can use to build custom pages or dashboards.

## Practical Usage
Creating applications for your workflows and application tiers doesn't require in-depth trigger work. Use the Simple Application Template Bundle as a template for new applications.

  1. Upload and Apply the bundle (Settings > Bundles > Upload > [Choose File] Upload > Apply)
  2. Go to the Simple Application Template trigger (Settings > Triggers)
  • On the Configuration tab, remove protocols that the ExtraHop system is not licensed for and rename the trigger to identify the application it will be creating.

  • On the Editor tab, enter the desired application name. Notice the FLOW_CLASSIFY logic, which will be addressed in a future post.

    // Set the name of the application
    var app_name = '';

    // The following logic block commits built-in metrics for every event type
    if (event === 'FLOW_CLASSIFY') {
        Flow.setApplication(app_name);
    }
    else {
        Application(app_name).commit();
    }

  3. Create a Device Group or select an existing Device Group (Groups > User Groups). The device group should represent a logical segment of your application, often a specific tier or workflow. Be as specific as possible in the definition of the device group and, where possible, use dynamic groups to avoid bit rot as the environment changes.
  4. Assign the trigger to the device group ([Device Group Name] > Triggers tab > green plus sign). Give the application 5 minutes to begin gathering metrics and it will show in the Applications list.

Understanding the power of Applications has helped tremendously as I learned the ins and outs of the ExtraHop platform, and I hope it helps you as well. As always, leave questions and comments below.

~Chris
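
A lint check for the two rules in this post (one commit() per application per event, and commit() only on the listed events), as an added example that is not part of the original post or ExtraHop's code. The `lintTrigger` helper, the wording of its findings and the sample text are assumptions; it runs under Node.js against trigger source text, not inside the ExtraHop trigger runtime.

```javascript
// Added example: heuristic lint for trigger source (not ExtraHop code).
// Event names are copied from the table in this post.
const COMMIT_EVENTS = new Set(('AAA_REQUEST AAA_RESPONSE DB_RESPONSE DNS_REQUEST ' +
  'DNS_RESPONSE HTTP_RESPONSE IBMMQ_REQUEST IBMMQ_RESPONSE ICA_TICK ICA_CLOSE ' +
  'LDAP_REQUEST LDAP_RESPONSE MEMCACHE_REQUEST MEMCACHE_RESPONSE CIFS_RESPONSE ' +
  'NFS_RESPONSE SSL_RECORD SSL_CLOSE FIX_REQUEST FIX_RESPONSE FTP_RESPONSE ' +
  'SMTP_REQUEST SMTP_RESPONSE').split(' '));
const SET_APPLICATION_EVENTS = new Set(['TCP_OPEN', 'FLOW_CLASSIFY']);

// source: trigger script text; assignedEvents: events the trigger is configured for.
function lintTrigger(source, assignedEvents) {
  const findings = [];
  // Strip comments so commented-out calls are not counted.
  const code = source.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/.*$/gm, '');

  // Count commit() calls per application expression (literal or variable).
  const counts = new Map();
  for (const m of code.matchAll(/Application\(\s*([^()]+?)\s*\)\s*\.commit\(\s*\)/g)) {
    counts.set(m[1], (counts.get(m[1]) || 0) + 1);
  }
  for (const [app, n] of counts) {
    if (n > 1) findings.push(`${app}: ${n} commit() calls, built-in metrics counted ${n}x`);
  }
  if (counts.size === 0) return findings; // custom metrics only, nothing to check

  for (const ev of assignedEvents) {
    if (SET_APPLICATION_EVENTS.has(ev)) {
      if (!code.includes('setApplication(')) {
        findings.push(`${ev}: needs a setApplication() branch, commit() is not valid here`);
      }
    } else if (!COMMIT_EVENTS.has(ev)) {
      findings.push(`${ev}: not in the commit() event table`);
    }
  }
  return findings;
}

// Constructed sample: the demo trigger from this post.
const DEMO_TRIGGER = `
Application('test1').commit();
Application('test2').commit();
Application('test2').commit();
Application('test3').commit();
Application('test3').commit();
Application('test3').commit();
Application('test4_custom_metrics').metricAddCount('test_count_metric',1);
`;
console.log(lintTrigger(DEMO_TRIGGER, ['HTTP_RESPONSE']));
```

The check is textual, so two commit() calls for the same application in mutually exclusive branches are also reported and need a manual look.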

