Alert Debug
The Debug section of the alerting system is covered in the following topics:
About Alert Debug
The purpose of the Alert Debug page is to provide context that can be used to better understand why a threshold (see About Alert Thresholds) in a given alert policy triggered an alarm. The main feature of the page is a table (the Debug list) that presents information about a given policy from two main perspectives:
- Current: The table shows information related to the top-X keys (see About Keys) for the policy in current traffic, where:
  - Current traffic is the set of flow records (and associated traffic data) included in the most recently completed aggregate. The duration of each aggregate is determined by the policy’s Evaluation Frequency setting (see the Building Your Dataset pane of the Dataset tab of the Add Alert Policy or Edit Alert Policy dialog on the Policies page).
  - X is defined by the Maximum Number of Keys setting in the same pane (the actual number of keys may be less depending on the Minimum Traffic Threshold setting).
- Baseline: The table shows information related to the top-X keys in the baseline data of the same policy (see About Historical Baselines).
Alert Debug Page UI
The Alert Debug page is made up of the following UI elements:
- Select Policy: A drop-down menu used to choose the policy whose triggered keys will be displayed in the Debug List.
- View control: Choose which of the following is displayed in the Debug List (see About Alert Debug):
  - Current: Information about the top-X keys in the alert policy’s current traffic.
  - Baseline: Information about the top-X keys in the alert policy’s baseline traffic.
- Reload: A button at upper right that refreshes the data in the Debug list.
- Debug list: A table that displays information related to top-X keys (current and baseline) in the selected policy. See Debug List.
Debug List
The Debug list is a table that displays information related to top-X keys (current and baseline) in the selected policy. As described in the following topics, the columns of the table vary depending on the View control:
Debug Current Columns
The Current view of the Debug list includes the following columns for each row:
- Key: The policy’s key as defined in the policy’s Dimensions setting (Data Funneling pane of the Dataset tab of the Add Alert Policy or Edit Alert Policy dialog).
- Position: The ordinal position of the key in the top-X current keys for this policy.
- Value: The value of the policy’s Primary Metric as specified in the Data Funneling pane, which determines the position of the key in the top-X.
- Value_2nd: The value of the policy’s first Secondary Metric as specified in the Data Funneling pane.
- Value_3rd: The value of the policy’s second Secondary Metric as specified in the Data Funneling pane.
- Count: The total number of flows with this key in the current traffic data aggregate (see Current in About Alert Debug).
- First seen: The timestamp of the start time of the current traffic data aggregate.
  Note: The timestamp may be in UTC or local depending on Time Zone in User Default Settings.
- Debug Graph (graph icon): Opens the Debug Graph Dialog.
Debug Baseline Columns
The Baseline view of the Debug list includes the following columns for each row:
- Key: The policy’s key as defined in the policy’s Dimensions setting (Data Funneling pane of the Dataset tab of the Add Alert Policy or Edit Alert Policy dialog).
- Position: The ordinal position of the key in the top-X baseline keys for this policy.
- Value: A percentile value for the policy’s Primary Metric as specified in the Data Funneling pane, which determines the position of the key in the top-X. The percentile that is used (98th, 95th, 25th, etc.) is set in the Building Your Baseline pane of the Historical Baseline tab of the Add Alert Policy or Edit Alert Policy dialog.
- Value Min: The lowest one-hour rollup aggregation value occurring for the primary metric over the “baseline window” set in the Building Your Baseline pane.
- Value p50th: The 50th percentile value of the policy’s Primary Metric over the “baseline window.”
- Value Max: The highest one-hour rollup aggregation value occurring for the primary metric over the “baseline window.”
- Count: The total number of flows with this key in the baseline data.
- Debug Mode: Not currently used.
- Chosen Time: The timestamp of the first flow record in the baseline data that matches the key.
- Debug Graph (graph icon): Opens the Debug Graph Dialog.
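To make the relationship between the two views' columns and the underlying data concrete, the following Python sketch is an added example, not the product's implementation. It assumes bits as the Primary Metric and packets as the first Secondary Metric, a minimum threshold applied to the primary metric before ranking, 1-based positions, and a nearest-rank percentile; the function names and all sample data are constructed for illustration.

```python
from collections import defaultdict
import math

# Constructed sample flows for one aggregate: (key, bits, packets).
# The key stands in for the policy's Dimensions (here, a destination IP).
FLOWS = [
    ("192.0.2.10", 8_000_000, 900),
    ("192.0.2.10", 6_000_000, 700),
    ("192.0.2.20", 9_000_000, 400),
    ("192.0.2.30", 300_000, 50),
    ("192.0.2.40", 2_000_000, 300),
]
# Constructed one-hour rollup values of the primary metric for a single key.
HOURLY = [10, 12, 11, 40, 13, 12, 11, 10, 12, 14]

def current_view(flows, max_keys, min_traffic):
    """Rows of a Current-style view: keys ranked by the primary metric."""
    totals = defaultdict(lambda: [0, 0, 0])  # bits, packets, flow count
    for key, bits, packets in flows:
        t = totals[key]
        t[0] += bits
        t[1] += packets
        t[2] += 1
    # Assumption: keys under the minimum threshold are dropped before ranking,
    # which is why fewer than max_keys rows can come back.
    kept = [(k, v) for k, v in totals.items() if v[0] >= min_traffic]
    kept.sort(key=lambda kv: kv[1][0], reverse=True)
    # Assumption: Position is 1-based.
    return [
        {"Key": k, "Position": i, "Value": v[0], "Value_2nd": v[1], "Count": v[2]}
        for i, (k, v) in enumerate(kept[:max_keys], start=1)
    ]

def percentile(values, pct):
    """Nearest-rank percentile (assumed method; the page does not name one)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]

def baseline_row(key, hourly_values, pct):
    """Row of a Baseline-style view built from one-hour rollup values."""
    return {
        "Key": key,
        "Value": percentile(hourly_values, pct),
        "Value Min": min(hourly_values),
        "Value p50th": percentile(hourly_values, 50),
        "Value Max": max(hourly_values),
    }
```

With the sample data, a single spike hour sets both Value (at the 95th percentile) and Value Max to 40 while Value p50th stays at 12, which is the kind of gap the Baseline columns make visible.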
Debug Graph Dialog
The Debug Graph dialog includes a set of graphs that represent a given key. The graphs show current and baseline values for the metrics shown in the current and baseline views of the Debug list. Graphs showing both traffic volume and ordinal position in the policy’s top-X are provided for a variety of durations (14 hours, 56 hours, 15 days, 30 days).
Further information coming soon.