You can configure threshold alert settings that monitor when a specific metric crosses a defined boundary. When the conditions configured in the alert settings are met, the ExtraHop system generates a threshold alert, which you can view in the alert history.
Threshold alerts are useful for monitoring occurrences such as SLA violations or error rates that surpass a comfortable percentage. For example, you can configure threshold alert settings that generate alerts when an HTTP 500 status code is observed more than 100 times during a ten-minute period.
Before configuring alert settings, determine which metric you want to monitor and the conditions the metric must meet for the ExtraHop system to generate a threshold alert.
- Log in to the Web UI on the ExtraHop Discover or Command appliance.
- Click the System Settings icon and then click Alerts.
- Click New, and then click the Configuration tab.
- Enter a unique name for the alert configuration in the Name field.
- Click Threshold.
From the Detail section, specify the type of metric the alert configuration will monitor.
- Specifies the top-level metric, such as an HTTP response or DNS request, that the alert will monitor.
- Specifies the detail metric, such as the URI of an HTTP response, that the alert will monitor.
Select the metric you want to monitor.
- Click the Select metric icon.
- Click the source of the metric, such as an application.
Click the protocol of the metric, such as HTTP, NetFlow, or
Depending on the source and metric type, some protocols contain secondary groups for client and server metrics.
Locate and click the metric you want to monitor.
Depending on the metric you select, additional fields appear that enable you to enter information to refine the metric:
- The Key pattern field enables you to further refine the metric, such as to specify the definition of a custom metric. The key pattern is interpreted as a regular expression and must adhere to Perl-Compatible Regular Expression (PCRE) syntax.
- The Data point field displayed for top-level metrics enables you to specify a percentile value for the metric.
- The Data point field displayed for detail metrics enables you to specify a mean value plus a standard number of deviations for a metric.
To monitor the value of the selected metric divided by a secondary metric, click the Ratio checkbox and select a secondary metric from the field provided.
For example, divide the number of DNS response errors by the total number of DNS responses to monitor the percentage of errors that exceed a specified threshold.
Select one of the following firing modes:
- An edge-triggered alert is generated only once when the alert conditions are true. The alert is generated again only if conditions are true after the metric value has returned to normal conditions twice.
- A level-triggered alert is generated continuously while the alert conditions are true for the specified time period.
In the Alert When section, specify the following options that define the alert expression:
- Specifies the length of the time interval.
- Specifies how to compare the interval to the value.
Note: The ExtraHop system does not record values of zero for metrics. Instead, the ExtraHop system observes a lack of values. If you specify a value of zero in your alert configuration, the alert will never be generated. To create an alert configuration with a zero value, select the less than (<) operator and type a value of 1.
- Specifies the number of metric occurrences to watch for.
- Specifies the rate at which the metric occurrences happen.
For example, to issue an alert when the value of the observed metric crosses the threshold more than 10 times per minute in a 30-minute interval, set the following values as the Alert When options:
- Time interval: 30 minutes
- Operator: >
- Value: 10
- Rate: minute
The Alert When options work with the Firing Mode options to determine how many times an alert should be generated.
- Click OK.
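The interaction between the Alert When options and the firing modes described above can be modeled with a short simulation; this is an added example, not ExtraHop code, and it uses the 30-minute, > 10 per minute expression from the page against constructed counts. It assumes the expression is evaluated once per time interval and that an edge-triggered alert re-arms after two consecutive normal intervals; the function names and the second and hour rate units are also assumptions.

```python
import operator

# Comparison operators for the Alert When expression.
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "==": operator.eq}
# Seconds per rate unit; "minute" is the unit used on the page, the others are assumed.
RATE_SECONDS = {"second": 1, "minute": 60, "hour": 3600}


def condition_met(count, interval_minutes, op, value, rate):
    """Normalize one interval's occurrence count to the rate unit and compare it."""
    rate_units = interval_minutes * 60 / RATE_SECONDS[rate]
    return OPERATORS[op](count / rate_units, value)


def alerting_intervals(counts, interval_minutes, op, value, rate, mode, rearm_after=2):
    """Return the indexes of the intervals in which an alert would be generated.

    Assumed model: the expression is evaluated once per interval, and an
    edge-triggered alert re-arms after `rearm_after` consecutive normal intervals.
    """
    fired, armed, normal_streak = [], True, 0
    for index, count in enumerate(counts):
        if condition_met(count, interval_minutes, op, value, rate):
            normal_streak = 0
            # Level mode fires on every true interval; edge mode only when armed.
            if mode == "level" or armed:
                fired.append(index)
            armed = False
        else:
            normal_streak += 1
            if normal_streak >= rearm_after:
                armed = True
    return fired


# Constructed sample: HTTP 500 responses counted per 30-minute interval.
# Zero counts are left out because the page notes the system records no zero values.
SAMPLE_COUNTS = [120, 450, 600, 90, 500, 150, 60, 480]
ALERT_WHEN = dict(interval_minutes=30, op=">", value=10, rate="minute")

if __name__ == "__main__":
    for mode in ("edge", "level"):
        print(mode, alerting_intervals(SAMPLE_COUNTS, mode=mode, **ALERT_WHEN))
```

Under this model the metric that recovers for only one interval before breaching again (index 4) produces no second edge-triggered alert, which is worth weighing when choosing a firing mode for a flapping metric.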