Monitor trigger performance

After you have built a trigger, check to ensure that it is running as expected, without errors or unnecessary consumption of resources. If your trigger script includes a debug statement, check the runtime log for debug output. You can also check the runtime log for errors and exceptions. You can view performance information for an individual trigger and you can view several system health charts that indicate the collective impact of all of your triggers on the system.

To learn about the steps you must complete to create a trigger, see Build a trigger.

Check trigger output in the runtime log

After you create or edit a trigger, you can view the Runtime Log tab to check that the trigger is running as expected, without issues. The runtime log displays debug output, errors, and exceptions. This tab only appears after the trigger is saved.

If a trigger includes a debug statement, the output from that statement is displayed in the trigger runtime log. Ensure that the logged output is expected. If you are not seeing results, check that debugging is enabled on the Configuration tab.

Note that debug output starts logging as soon as the trigger is assigned and saved; however, the log cannot display data that occurred prior to when the trigger was assigned and saved.

The following steps show you how to access the runtime log:

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon , and then click Triggers.
  3. Double-click the trigger you want to view.
  4. Click the Runtime Log tab.
In the following example, the trigger monitors HTTP connections on selected devices and returns URIs that contain “seattle”.
if (HTTP.uri.match("seattle")){
    Application("Seattle App").commit();
    debug(HTTP.uri);
}

When a match occurs, the URI that contains the match is written to the runtime log as shown in the following figure:

The runtime log also displays any runtime errors or exceptions that occur, whether or not debugging is enabled on the Configuration tab. You should fix exceptions when they occur to minimize the performance impact on your system.

View the performance of an individual trigger

After you create or edit a trigger, you can view the Performance tab to view a graphical representation of the performance impact the trigger has on your environment. This tab only appears after the trigger is saved.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon , and then click Triggers.
  3. Double-click the trigger you want to view.
  4. Click the Performance tab.

The tab displays a trigger performance graph that tracks the number of cycles the trigger has consumed within a given time interval. You can hover over a data point to display key performance metrics at a single point in time.

The hover tip includes the following information:

  • The most and least cycles the trigger consumed to process a single event.
  • The number of times the trigger ran and the percentage of times the trigger ran compared to all triggers that ran in the same time range.
  • The total number of cycles consumed by the trigger and the percentage of cycles consumed compared to all triggers that ran in the same time range.

Next steps

If the trigger impact is high, re-evaluate the purpose of the trigger and consider the following options:
  • Ensure the trigger performs only necessary tasks and runs only on required devices or networks.
  • Check for exceptions in the runtime log and visit the System Health page, which provides additional trigger performance metrics such as the number of running triggers, trigger load, and trigger exceptions.
  • Assess the efficiency of the trigger script and look for trigger optimization tips in the Triggers Best Practices Guide.

View the performance of all triggers on the system

After you have built a trigger, view several System Health charts that indicate the collective impact of all of your triggers on the system. You can monitor these charts for problems that affect system performance or result in incorrect data.

The System Health page contains several charts that provide an at-a-glance view of the triggers running on the ExtraHop system.

  1. Click the System Settings icon , and then click System Health.
  2. View the following charts:
    Option Description
    Trigger Executes by Trigger Displays all triggers running on the system. If the trigger you just created or modified is not listed, there might be an issue with the trigger script.
    Trigger Executes Displays bursts of trigger activity that might indicate inefficient behavior from one or more triggers. If any bursts of activity are displayed, view the Trigger Executes by Trigger chart to locate any trigger that is consuming higher resources than average, which can indicate that the trigger has a poorly-optimized script that is affecting performance.
    Trigger Exceptions by Trigger Displays any exceptions caused by triggers. Exceptions are a large contributor to system performance issues and should be corrected immediately.
    Trigger Drops Displays the number of triggers that have been dropped from the trigger queue. A common cause of dropped triggers is a long-running trigger that is dominating resource consumption. A healthy system should have 0 drops at all times.
    Trigger Load Tracks the usage of all available resources by triggers. A high load is approximately 50%. Look for spikes in consumption that can indicate that a new trigger has been introduced or that an existing trigger is having issues.

    You can monitor whether your datastore triggers, also referred to as bridge triggers, are running properly with the following charts:

    • Datastore trigger executes
    • Datastore trigger exceptions by trigger
    • Datastore trigger drops
Published 2017-10-17 22:07