You can configure threshold alert settings that monitor when a specific metric crosses a defined boundary. When the conditions configured in the alert settings are met, the ExtraHop system generates a threshold alert, which you can view in the Alert History.
Threshold alerts are useful for monitoring occurrences such as SLA-violations or error rates that surpass a comfortable percentage. For example, you can configure threshold alert settings that generate alerts when an HTTP 500 status code is observed more than 100 times during a ten minute period.
Before configuring alert settings, determine which metric you want to monitor and the conditions the metric must meet for the ExtraHop system to generate a threshold alert.
- Log into the Web UI on the ExtraHop Discover or Command appliance.
- Click the System Settings icon and then click Alerts.
- Click New to open the Alert Configuration window.
- Enter a unique name for the alert configuration in the Name field.
- Click Threshold.
From the Detail section, specify the type of metric you
want to monitor.
- Specifies the top-level metric, such as an HTTP response or DNS request.
- Specifies the detail metric, such as the URI of an HTTP response.
Select the metric you want to monitor.
- Click the Select metric icon .
- Click the source of the metric, such as an application.
Click the protocol of the metric, such as HTTP, NetFlow, or
Depending on the source and metric type, some protocols contain secondary groups for client and server metrics.
Locate and click the metric you want to monitor.
Additional fields appear depending on the metric you select:
- The Key pattern field enables you to further refine the metric, such as to specify the definition of a custom metric. The key pattern is interpreted as a regular expression and must adhere to Perl-Compatible Regular Expression (PCRE) syntax.
- The Data point field displayed for top-level metrics enables you to specify a percentile value for the metric.
- The Data point field displayed for detail metrics enables you to specify a mean value plus a standard number of deviations for a metric.
To monitor the value of the selected metric divided by a secondary metric,
click the Ratio checkbox and select a secondary metric
from the field provided.
For example, divide the number of DNS response errors by the total number of DNS responses to monitor the percentage of errors that exceed a specified threshold.
Select one of the following firing modes:
- An edge-triggered alert is generated only once when the alert conditions are true. The alert is generated again only if conditions are true after the metric value has returned to normal conditions twice.
- A level-triggered alert is generated continuously while the alert conditions are true for the specified time period.
In the Alert When section, specify the following options
that define the alert expression:
- Specifies the length of the time interval.
- Specifies how to compare the interval to the value.
Note: The ExtraHop system does not record values of zero for metrics. Instead, the ExtraHop system observes a lack of values. If you specify a value of zero in your alert configuration, the alert never generates. To create an alert configuration with a zero value, select the < (less than) operator and type a value of 1.
- Specifies the number of metric occurrences to watch for.
- Specifies the rate in which metric occurrences happen.
For example, to issue an alert when the value of the observed metric crosses the threshold more than 10 times per minute in a 30 minute interval, set the following values in the Alert When options:
Time interval: 30 minutes
The Alert When options work with the Firing Mode options to determine how many times an alert should be generated.
- Click OK.