Event storm

From Veloopti Help
Jump to: navigation, search

Home > Administration > Event Administration > Event storm


1 Overview

An event storm is a large number of informational, warning and exception events of the same type from one or more nodes over a relatively short period of time. The events will appear in your Veloopti organisation either as individual events or as duplicates of events. The factors with detecting an event storm are the number of events that match the rule, called the Breach count, and the time window that they are detected within, called the Breach duration.

Storm events have increasing levels of severity that come into effect by having an increasing breach count relative to the time window (breach duration) that they are received in.

2 Starting and ending the event storm

2.1 How event storms are raised

For the events that match the path of the event storm rule, each minute the following is performed. It does not matter whether they are new events or duplicate events.

  1. If the number of events that that are received over the exception breach duration are added together and exceed the exception breach count then an event with the severity level of exception is raised.
  2. If the number of events that that are received over the warning breach duration are added together and exceed the warning breach count then an event with the severity level of warning is raised.
  3. If the number of events that that are received over the information breach duration are added together and exceed the information breach count then an event with the severity level of information is raised.

2.2 Changing severity while the event storm is still active

Once a storm rule is breached the event storm will continue to be monitored in the same manner as above to see whether there is an increase in severity. If there is an increase in severity of the event the event is increased in severity and the relivent notifications are sent out. Storm events do not decrease in severity.

2.3 How event storms are ended

When the current event count for the path no longer exceed any of the informational, warning or exception breach thresholds over the breach durations the reset conditions can be evaluated. The reset breach count and durations are then checked in the same manner as the initial breach condition. If none of the reset conditions are met then the storm event can be closed. If one of the reset conditions are still being met then the storm event remains open with the pre-existing severity.

3 Notifications

Notifications will occur once with any new storm event or once with an increase of severity level. Therefore a storm event that is opened with a severity of information will initially send a notification when it is first opened. It will also send a notification if the severity is increased to warning and again if the severity is increased to exception. Whereas a storm event that is opened with a severity level of warning would not send a notification if the event decreased severity to information. However it would send a notification if the event severity increased to exception. A storm event that is opened as a exception would not notify if it reduces in severity to either warning or normal.