9.3. Threshold crossing alerts (TCAs)

You can assign thresholds to any meter value. Trisul continuously monitors the value of the traffic meter against the configured thresholds and generates a “Threshold Crossing Alert” if the value crosses the thresholds.

TCA Email Alerts intelligently pull up the following relevant pieces of information and include them in the email. Top Hosts, Top Apps, Top Flows, and Top Conversations related to the alert.

9.3.1 How it works

The two knobs you use are Watermarks and Sustained Intervals.

Watermarks
You assign Hi-Water and Lo-Water marks to the meter value you want to keep an eye on. These are absolute values and not a percentage such as bandwidth utilization. When the meter value crosses the Hi-Water mark it is treated as a FIRED event and when it crosses the Lo-Water mark, it is treated as a CLEAR event.
Sustained Intervals
To prevent flapping of alerts due to meter value fluctuating around the watermarks, you can also specify a number called Sustained Interval. If you specify a sustained interval of 3, then the meter value has to be above/below the watermarks for 3 consecutive time bucket intervals (by default 30s) before the corresponding FIRE or CLEAR alert is fired.

The following picture illustrates this. Here we are setting up a TCA for :

  • If value of meter exceeds 100Kbps for 3 consecutive intervals – we FIRE a TCA
  • If value of meter drops less than 80Kbps for 2 consecutive intervals – we CLEAR a TCA

Note that :

  1. The TCA does not fire in the zone between HI and LO water marks
  2. The TCA fires only once even when multiple consecutive values are over the HI water mark
  3. For a TCA to fire again, the values have to dip below the LO water mark and re-cross the HI water threshold again

9.3.2 Configuring

Creating a new TCA based on Counter group

Select Alerts → Thresold Crossing Alerts → configure TCA

or you can create Thresold Crossing Alerts per probe.

Login as admin user to create Thresold Crossing Alerts

Select Context : default → profile0 → Thresold Crossing Alerts → configure TCA
  1. Click New Threshold Crossing Alerts , which leads to the page whose fields are described below
FieldName Description
Name The name of the TCA – this must be unique
Target The target counter group.
TargetKey The key within the target counter group on which you want to create a TCA. You can enter this in either human readable format eg:Port-80, 192.168.1.33 or in Trisul key format: p-0050, C0.A8.00.01
Stat ID Meter within the counter group
Hi Water Mark High threshold mark (Eg: 10Mbps, 6Kbps, 2000 (default units = bytes/sec)
Hi Water Sustained Intervals TCA triggered if over Hi Water for this many intervals
Lo Water Mark Low threshold mark
Lo Water Sustained Intervals TCA cleared if below Lo Water for this many intervals
Config String Leave this blank
TCA Message When the TCA fires or clears, this message is emitted. You can see this message on Trisul UI modules and on email alerts

9.3.3 Example

This example creates a TCA when DNS traffic crosses 1.2Mbps and clears when it drops below 600Kbps

Name The name of the TCA – this must be unique
Target The target counter group.
TargetKey The key within the target counter group on which you want to create a TCA. You can enter this in either human readable format eg:Port-80, 192.168.1.33 or in Trisul key format: p-0050, C0.A8.00.01
Stat ID Meter within the counter group
Hi Water Mark High threshold mark (Eg: 10Mbps, 6Kbps, 2000 (default units = bytes/sec)
Hi Water Sustained Intervals TCA triggered if over Hi Water for this many intervals
Lo Water Mark Low threshold mark
Lo Water Sustained Intervals TCA cleared if below Lo Water for this many intervals
Config String Leave this blank
TCA Message When the TCA fires or clears, this message is emitted. You can see this message on Trisul modules and on automatically emailed reports

9.3.4 Viewing TCAs

There are two methods to view TCAs.

Method – I

  • Add the Threshold Crossing Alert module to any dashboard

This module auto updates itself as new TCAs are generated. You can add this module to any dashboard position.

How to add modules to dashboard

Method – II

Select Alerts → Threshold Crossing Alerts → Fired Alerts
  1. You will now see a table listing all the alerts
  2. Clicking on the number seen under the Count column of an alert takes you to a more detailed view of the alerts

9.3.5 Deleting TCAs

The default approach of Trisul is not to delete anything. TCAs just rollover as they age out. Yet if you wish to explicitly delete TCAs you can use the following steps :

Select Alerts → Threshold Crossing Alerts
  1. Click the Delete all icon under each TCA to delete it
This deletes all the alerts fired under that TCA , but not the TCA itself

9.3.6 Automatically emailing TCAs

There are two types of email reports you can use for notifying these TCA alerts.

Real time email

Configure Email Alerting for real time alerts.

Periodic email digest

You can schedule a Threshold Crossing Alert report which will automatically email you a list of TCAs that fired on a hourly or daily basis.

  1. A single consolidated email is sent out containing details of all TCAs
  2. No email is sent out if there are no TCAs to report