DX Unified Infrastructure Management

  • Private Community

  • 1.  netflow trap alerts.

    Posted Jun 04, 2013 12:11 AM
    I am setting up trap alerts when TOS 0 traffic goes above 99%.
    We ran Analysis reports and decided to use the 99% value because anything lower and we would get way too many alerts every day.

    I set up the Trap Alerts for protocol=ip, ToS = Default Traffic, Threshold Type=Utilization 99%
    it has been running for a few days with no traps sent.
    I ran an analysis today and we had 9 violations of the threshold, still no traps.

    Do the trap thresholds work differently than the analysis thresholds?


  • 2.  RE: netflow trap alerts.

    Broadcom Employee
    Posted Jun 24, 2013 11:03 AM
    I noticed that this was still marked as "Waiting for Answer." Bob and I worked on a support issue for this. To answer the question about the difference between trap Alert thresholds and Analysis thresholds:
    RA Custom Reports (including Analysis) all use 15-minute data (From the DSA.) However, trap alerts use 1-minute resolution data from the Reaper service on the Harvester. The difference in time resolution means that Alerts can detect that an event has been generated or cleared before Analysis is aware of it.


  • 3.  RE: netflow trap alerts.

    Posted Jun 24, 2013 12:11 PM
    Yeah, but if the analysis shows a threshold violation, the 1-minute data should also show that violation. Your explanation could explain why you would see a trap but nothing in the analysis (because of the 15 minute averaging). What about the other way around?


  • 4.  RE: [.CA Network Flow Analysis] RE: netflow trap alerts.

    Posted Jun 24, 2013 01:33 PM
    That was why I asked the original question, we ran analysis reports and then created traps based on results of the analysis, we were not having any traps created when we expected 30 traps per day. Found that the interface was not staying above the threshold we had set for the whole 15 minute period, it would go above the threshold for 4 or 5 minutes then drop below the threshold for 1 minute, then above for another 4 or 5 minute. So for the analysis reports it was above the threshold for the 15 minute average. Since the traps look at each minute, we didn’t have any traps generated.

    From: CA Infrastructure Management Global User Community (eHealth/Spectrum/NetQoS) [mailto:CommunityAdmin@communities-mail.ca.com]
    Sent: Monday, June 24, 2013 11:11 AM
    To: mb.87772687.101275727@myca-email.ca.com
    Subject: [.CA Network Flow Analysis] RE: netflow trap alerts.

    Yeah, but if the analysis shows a threshold violation, the 1-minute data should also show that violation. Your explanation could explain why you would see a trap but nothing in the analysis (because of the 15 minute averaging). What about the other way around?
    Posted by:Stuart_Weenig
    --
    CA Communities Message Boards
    101278267
    mb.87772687.101275727@myca-email.ca.com<mailto:mb.87772687.101275727@myca-email.ca.com>
    https://communities.ca.com


  • 5.  RE: [.CA Network Flow Analysis] RE: netflow trap alerts.

    Posted Aug 07, 2013 11:26 AM
    Bob,

    Did you resolve this by changing the 'for x minutes' to a lower values for the trap definition?


  • 6.  Re: netflow trap alerts.

    Posted Jan 18, 2018 10:46 AM

    I could get alerts by lowering the number of minutes for a threshold to 2 or 3, so that means in a 15 minute period I would get 4 or 5 alerts. I want one alert if it is over the threshold for 15 minutes.