Edge Delta Monitors

Monitors in the Edge Delta web application.

Overview

There are 2 types of monitors:

  • alert-based monitors
  • agent-based monitors

Alert-Based Monitors

Edge Delta collects and analyzes logs and metrics via the Edge Delta agent to provide valuable insight about the monitored systems.

Alert-based monitors are a mechanism to notify you about significant changes in your system.

Alert-based monitors expose anomalous behaviors identified with seasonal data, such as:

  • Collective negative sentiment increase in system logs
  • Individual negative sentiment increase in individual system events
  • Correlated increase in agent signals from different individual sources, such as negative metrics hitting thresholds
  • Anomalies in system-wide monitored metrics

Review the following default alert-based monitors that are defined for each organization:

  • Pattern Check Alerts
  • Pattern Skyline Alerts
  • Correlated Signal Alerts

Agent-Based Monitors

These monitors focus on the status of the Edge Delta agent, such as an inactive agent. Based on the status of the monitored agent, a notification can be sent to all members of the Admin group.

Review the following default agent-based monitor types that are added to every new account:

  • agent-down Monitor
  • crashloop Monitor
  • agent-destination Monitor

Creating a Pattern Alert or Skyline Alert Monitor

You can create a pattern alert monitor to analyze a pattern’s behavior. If an anomaly is detected in the pattern, then the monitor will create a finding.

  1. Click Logs - Patterns.
  2. Select an agent tag and source type.
  3. Optionally select a corresponding source.
  4. Click Pattern Alert or Skyline Alert.
  5. Complete the form:
    • Name: Enter a descriptive name for the monitor.
    • Type: This field will be pre-populated with the type that you selected.
    • Filters: This field will be pre-populated with the tag and source type that you selected.
    • Group By: Select a data source to monitor. The listed data sources are based on the selected tag and source type.
    • Merge Level: Select an option to merge similar patterns together. As a result, based on the configuration you select, the list of unique patterns will be reduced. High indicates a higher probability of merging patterns that are similar. Low indicates a lower probability of merging patterns that are similar. As a result, with low, more unique patterns will display. None will not merge any similar patterns.
    • Minimum Proportion: Enter the minimum ratio between detected negative patterns and all patterns needed to trigger an alert. If the number you enter is less than the ratio of detected negative patterns versus all patterns, then this monitor will not alert. A high number indicates that fewer alerts will be generated.
    • Minimum Count: Enter the minimum number of detected negative patterns needed to trigger an alert. If the number you enter is less than the number of detected negative patterns, then this monitor will not alert. A high number indicates that fewer alerts will be generated.
    • Delta Threshold: This option represents the difference between the number of negative patterns detected in the current lookback period versus the previous lookback periods. Enter the number of negative patterns detected in the current lookback period versus previous lookback periods needed to trigger an alert. If the number you enter is less than the number of negative patterns detected in previous periods (offset, lookback period), then this monitor will not alert. A high number indicates that fewer alerts will be generated.
    • Anomaly Threshold: Enter the minimum anomaly score of a negative pattern needed to trigger an alert. If the number you enter is less than the anomaly score of a negative pattern, then this monitor will not alert. A high number indicates that fewer alerts will be generated.
    • Email Recipients: Enter an email address to receive notifications from this monitor.
    • Trigger Endpoints: Select an existing trigger integration or output to receive notifications from this monitor.
    • Suppression Window: After you receive an initial notification, you can use this option to pause notifications for similar alerts.
    • Timezone: Select a timezone that will be used as part of the timestamp in the notification.
  6. Click Save.

Reference

Alert-Based Monitors

Review the following monitor types.


Pattern Check (Pattern Alert)

This monitor:

  • Continuously processes collected event patterns with negative sentiment from multiple sources, and then
  • Notifies you of anomalies in individual outlying events.

By default, configured agents that collect logs from different sources will send analyzed event patterns to the Edge Delta backend, which will be used by this monitor.

This monitor does not require any agent configuration to function.

To learn how to create a custom alert monitor, see Patterns.


Pattern Skyline (Skyline Alert)

This monitor type:

  • Continuously processes the collected event patterns with negative sentiment from multiple sources, and then
  • Notifies you of anomalies in different types of events collectively.

By default, configured agents that collect logs from different sources will send analyzed event patterns to the Edge Delta backend, which will be used by this monitor.

This monitor does not require any agent configuration to function.

To learn how to create a custom alert monitor, see Patterns.


Correlated Signal Alerts

This monitor:

  • Continuously processes collected event patterns with negative sentiment from multiple sources, and then
  • Notifies you of anomalies in individual outlying events.

In other words, if an unusually high number of anomalies is detected, then a Correlated-Signal event is generated.

You can create this alert type in the Metrics - Anomalies page.


Custom Metrics

This monitor processes the cumulative value of a specific metric within a configured scope.

Instead of signals, this monitor processes actual metrics to define a scope-wide threshold with control.

While this monitor can be managed in the Monitors page, you can only create this monitor in the Metrics page.

To learn how to create a custom metric, see Metrics.


Agent-Based Monitors

Review the following default agent-based monitor types that are added to every new account. 


agent-down Monitor

The agent_down monitor notifies users when an agent is inactive.

The default alert will send an email to all members of the Admin group. 


crashloop Monitor

The crashloop monitor notifies users when an agent is crashing. 

The default alert will send an email to all members of the Admin group. 


agent-destination Monitor

The agent_destination monitor notifies users when a streaming destination cannot be reached.

The default alert will send an email to all members of the Admin group. 


Instructions


Create an Agent-Based Monitor

To create a custom alert monitor, navigate to the Patterns page of the Edge Delta App, and then click Skyline Alert or Pattern Alert.

  • To learn how to create a custom alert monitor, see Patterns.

To create a custom metrics monitor, navigate to the Metrics page of the Edge Delta App.

  • To learn how to create a custom metric, see Metrics.

  1. In the Edge Delta App, on the left-side navigation, click Data Pipeline, and then click Monitors.
  2. Click Create Monitors.
  3. Under Enabled, mark Enabled to immediately activate the monitor.
    • Mark Disabled to keep the monitor off. You can enable the monitor at a later time.
  4. Under Name, enter a descriptive name for the monitor.
  5. Under Type, select a monitor type.
  6. Based on the selected monitor type, review the following additional fields to complete. Afterwards, click Create Monitor.

Additional fields for agent-down:

  • Agent Unit: Select the number of agents (count) or the percentage of agents (percentage) that must be down in order to trigger an alert.
  • Agent Tags: Select the tag of an agent configuration to add to the monitor.
  • Email Recipients: Enter an email address (or addresses) that should receive an alert. If you leave this field blank, then by default, only you (the creator of the monitor) will receive the alert.
  • Trigger Endpoints: Select a triggering output / integration to receive the alert.
  • Suppression Window: Specify a timeframe to pause notifications for similar alerts.
  • Timezone: Select a timezone to display alerts.

Additional fields for crashloop:

  • Window Size: Select how long Edge Delta should monitor a crashed agent before an alert is triggered.
  • Threshold: Select how many times an agent can crash within the configured Window Size before an alert is triggered.
  • Agent Tags: Select the tag of an agent configuration to add to the monitor.
  • Email Recipients: Enter an email address (or addresses) that should receive an alert. If you leave this field blank, then by default, only you (the creator of the monitor) will receive the alert.
  • Trigger Endpoints: Select a triggering output / integration to receive the alert.
  • Suppression Window: Specify a timeframe to pause notifications for similar alerts.
  • Timezone: Select a timezone to display alerts.

Additional fields for agent-destination:

  • Minimum Agent Count: Enter the minimum number of agents that must experience a streaming issue before an alert is triggered. You must enter at least 1.
  • Alert For Transient: Mark true (or false) to trigger an alert when an agent experiences a transient failure, specifically when the streaming destination has had a failure in the past 10 minutes.
  • Agent Tags: Select the tag of an agent configuration to add to the monitor.
  • Email Recipients: Enter an email address (or addresses) that should receive an alert. If you leave this field blank, then by default, only you (the creator of the monitor) will receive the alert.
  • Trigger Endpoints: Select a triggering output / integration to receive the alert.
  • Suppression Window: Specify a timeframe to pause notifications for similar alerts.
  • Timezone: Select a timezone to display alerts.
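
How the Agent Unit, Window Size, Threshold and Suppression Window fields described above interact, as an added Python model that is not Edge Delta's code. The function and class names, the inclusive comparisons and the per-agent tracking are assumptions made for illustration; the crash events are constructed sample data.

```python
from collections import deque
from datetime import datetime, timedelta

# Illustrative model only: names, inclusive comparisons and per-agent
# tracking are assumptions, not Edge Delta's implementation.

def agent_down_triggers(down, total, unit, threshold):
    """Agent Unit: compare a count of down agents, or their percentage."""
    if unit == "count":
        return down >= threshold
    if unit == "percentage":
        return total > 0 and 100.0 * down / total >= threshold
    raise ValueError(f"unknown agent unit: {unit!r}")

class CrashloopMonitor:
    """Alert on `threshold` crashes within `window`; pause for `suppression`."""
    def __init__(self, window, threshold, suppression):
        self.window, self.threshold = window, threshold
        self.suppression = suppression
        self.crashes = {}     # agent id -> deque of crash timestamps
        self.last_alert = {}  # agent id -> time of last notification

    def record_crash(self, agent, ts):
        """Return True if this crash should send a notification."""
        q = self.crashes.setdefault(agent, deque())
        q.append(ts)
        while ts - q[0] > self.window:  # drop crashes older than the window
            q.popleft()
        if len(q) < self.threshold:
            return False
        last = self.last_alert.get(agent)
        if last is not None and ts - last < self.suppression:
            return False  # inside the Suppression Window
        self.last_alert[agent] = ts
        return True

def replay(events, monitor):
    """Feed (agent, timestamp) crashes in time order; return those that alert."""
    return [(a, ts) for a, ts in events if monitor.record_crash(a, ts)]

# Constructed sample: agent-1 crashes every 2 minutes, agent-2 crashes once.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [("agent-1", T0 + timedelta(minutes=2 * i)) for i in range(8)]
SAMPLE.insert(3, ("agent-2", T0 + timedelta(minutes=5)))

if __name__ == "__main__":
    mon = CrashloopMonitor(timedelta(minutes=10), 3, timedelta(minutes=6))
    for agent, ts in replay(SAMPLE, mon):
        print(f"ALERT crashloop {agent} at {ts:%H:%M}")
```

With a 10-minute window, a threshold of 3 and a 6-minute suppression window, the eight agent-1 crashes produce two notifications rather than six, and the single agent-2 crash produces none.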

Update an Existing Monitor

  1. In the Edge Delta App, on the left-side navigation, click Monitors, and then click Monitors.
  2. Locate the desired monitor, then under Actions, click the vertical ellipses, and then click Edit.
  3. Make your changes, and then click Save.