Dynamic baselines help distinguish between normal and abnormal activity in your chart data. Baselines are only supported in the area, candlestick, column, line, and line & column charts.
Discover appliances calculate dynamic baselines based on historical data. To generate a new data point on a dynamic baseline, an appliance calculates the median value for a specified period of time.
|Warning:||Deleting or modifying a dynamic baseline can delete baseline data from the system. If a dynamic baseline is not referenced by any dashboards, the data will be deleted from the system to free unused system resources. You cannot recover a dynamic baseline after it is deleted.|
Select a baseline type that best fits your environment. For example, if you regularly see dramatic changes from one day to another, select an hour-of-week baseline that compares activity seen on specific days of the week. If HTTP activity spikes on Saturdays, the hour-of-week baseline can help you compare the current spike in HTTP activity with the level seen on other Saturdays at the same hour. The following table describes how each type of baseline is calculated:
|Baseline type||Historical data||What the baseline compares||New baseline data points added|
|Hour of day||10 days||Metric values from a given hour of a day. For example, every day at 2:00 PM.||Every hour|
|Hour of week||5 weeks||Metric values for a given hour on a specific day of the week. For example, every Wednesday at 2:00 PM.||Every hour|
|Short-term trend||1 hour||Metric values from each minute in one hour.||Every 30 seconds|
The following figure shows how a dynamic baseline is calculated and displayed in a line chart.
- Dynamic baselines require a Discover appliance to calculate and store baseline data. Therefore, creating a baseline consumes system resources, and configuring too many baselines might degrade system performance.
- Deleting or modifying a dynamic baseline can delete dynamic baseline data from the Discover appliance.
- The Discover appliance can begin building a dynamic baseline only if the necessary amount of historical data is available. For example, an Hour of day baseline requires 10 days of historical data. If the Discover appliance has only been collecting data for six days, the appliance will not begin plotting the baseline until it has four more days worth of data.
- The Discover appliance does not retroactively plot a dynamic baseline for historical data. The Discover appliance only plots a dynamic baseline for new data.
- If two identical dynamic baselines exist in separate dashboards, the dashboards reuse the baseline data; however, the baselines must be identical. If you select a new baseline type, the new dynamic baseline will not share data with the previous dynamic baseline.
The following steps show you how to add a dynamic baseline to an existing dashboard chart:
- Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
Launch the Metric Explorer to edit the chart by
completing the following steps:
- Select a dashboard containing the chart that you want to edit.
- Click the chart title and then select Edit.
- Click the Analysis tab.
Baselines section, select one of the following dynamic
baseline type options:
Option Description Hour of day Displays the median value for a given hour of the day. This option is most useful if activity in your environment usually follows a consistent daily pattern. If you regularly see dramatically different levels of activity on different days of the week, this option is less useful because the baseline usually does not match the current values. Hour of week Displays the median value for a given hour on a specific day of the week. This option is most useful if you regularly see significantly different levels of traffic during each day of the week. Short-term trend Displays the median value for the last hour. This option is useful for smoothing chart data to reveal short-term trends.
Click Save to close the Metric Explorer and return to
The ExtraHop system will begin calculating the dynamic baseline. New baseline data points are added every hour or 30 seconds.