How to set alerts with rule type "Spike" - sample use case

Modified on Fri, 16 Mar, 2018 at 8:25 AM

Comparing too many open connections to application server from current time window to previous time window

Usecase

Compare current time window with previous time window and get the list of IP addresses which has too many connections to an application server that passes the threshold.

Notification Types: Email

User Inputs

Please find the below image for setting up alerts in Skedler-Alerts

Note:

"excludes" option in previous time window will exclude the current time window of 1 hour
"includes" option will include the current time window 1 hour

Notification received via Email

Hi,

Alert has been triggered for alert "Too many Open Connection" on 19-03-2017 15:55:00 IST

Time Window - Mon Mar 27 2017 14:55:00 IST - Mon Mar 27 2017 15:55:00 IST

Data generated from Mon Mar 27 2017 14:55:00 IST to Mon Mar 27 2017 15:55:00 IST

srcIp	ServiceType	count
113.216.114.191	Tcp	35
18.21.09.1	http	12

Data generated from Sun Mar 26 2017 14:55:00 IST to Mon Mar 27 2017 14:55:00 IST

srcIp	ServiceType	count
113.216.114.191	Tcp	16

Final Result

srcIp	ServiceType	Current Time Window count	Condition	Previous Time Window Count
113.216.114.191	Tcp	35	2 times more than	16

Thanks

Explanation

Parameters configured will be replaced as follows:

${AlertName} - Too many Open Connection
${TimeStamp} - 19-03-2017 15:55:00 IST
${TimeWindow} - Mon Mar 27 2017 14:55:00 IST - Mon Mar 27 2017 15:55:00 IST

Note - For additional parameters, refer How to setup merge parameters for alert action?

Conclusion

Below table shows the list of IP addresses which passes the threshold value 10 and is ts 2 times more than the current time window to previous time window

srcIp	ServiceType	Current Time Window count	Condition	Previous Time Window Count
113.216.114.191	Tcp	35	2 times more than	16