Difference between revisions of "Event storm"
m (→Event storm properties: Move to Event storm page) |
m |
||
Line 1: | Line 1: | ||
+ | [[Welcome_to_Veloopti_help|Home]] > [[:Category:Administration|Administration]] > [[:Category:Event Administration|Event Administration]] > [[Storm events|Storm events]] | ||
+ | ---- | ||
+ | |||
== Overview == | == Overview == | ||
An event storm is ''a large number of informational, warning and exception events of the same type from one or more nodes over a relatively short period of time''. The events will appear in your Veloopti organisation either as individual events or as duplicates of events. The factors with detecting an event storm are the number of events that match the rule, called the ''Breach count'', and the time window that they are detected within, called the ''Breach duration''. | An event storm is ''a large number of informational, warning and exception events of the same type from one or more nodes over a relatively short period of time''. The events will appear in your Veloopti organisation either as individual events or as duplicates of events. The factors with detecting an event storm are the number of events that match the rule, called the ''Breach count'', and the time window that they are detected within, called the ''Breach duration''. | ||
Line 19: | Line 22: | ||
== Notifications == | == Notifications == | ||
Notifications will occur once with any new storm event or once with an increase of severity level. Therefore a storm event that is opened with a severity of information will initially send a notification when it is first opened. It will also send a notification if the severity is increased to warning and again if the severity is increased to exception. Whereas a storm event that is opened with a severity level of warning would not send a notification if the event decreased severity to information. However it would send a notification if the event severity increased to exception. A storm event that is opened as a exception would not notify if it reduces in severity to either warning or normal. | Notifications will occur once with any new storm event or once with an increase of severity level. Therefore a storm event that is opened with a severity of information will initially send a notification when it is first opened. It will also send a notification if the severity is increased to warning and again if the severity is increased to exception. Whereas a storm event that is opened with a severity level of warning would not send a notification if the event decreased severity to information. However it would send a notification if the event severity increased to exception. A storm event that is opened as a exception would not notify if it reduces in severity to either warning or normal. | ||
+ | |||
+ | |||
+ | [[Category:Events]] |
Revision as of 19:36, 3 September 2017
Home > Administration > Event Administration > Storm events
Contents
1 Overview
An event storm is a large number of informational, warning and exception events of the same type from one or more nodes over a relatively short period of time. The events will appear in your Veloopti organisation either as individual events or as duplicates of events. The factors with detecting an event storm are the number of events that match the rule, called the Breach count, and the time window that they are detected within, called the Breach duration.
Storm events have increasing levels of severity that come into effect by having an increasing breach count relative to the time window (breach duration) that they are received in.
2 Starting and ending the event storm
2.1 How event storms are raised
For the events that match the path of the event storm rule, each minute the following is performed. It does not matter whether they are new events or duplicate events.
- If the number of events that that are received over the exception breach duration are added together and exceed the exception breach count then an event with the severity level of exception is raised.
- If the number of events that that are received over the warning breach duration are added together and exceed the warning breach count then an event with the severity level of warning is raised.
- If the number of events that that are received over the information breach duration are added together and exceed the information breach count then an event with the severity level of information is raised.
2.2 Changing severity while the event storm is still active
Once a storm rule is breached the event storm will continue to be monitored in the same manner as above to see whether there is an increase in severity. If there is an increase in severity of the event the event is increased in severity and the relivent notifications are sent out. Storm events do not decrease in severity.
2.3 How event storms are ended
When the current event count for the path no longer exceed any of the informational, warning or exception breach thresholds over the breach durations the reset conditions can be evaluated. The reset breach count and durations are then checked in the same manner as the initial breach condition. If none of the reset conditions are met then the storm event can be closed. If one of the reset conditions are still being met then the storm event remains open with the pre-existing severity.
3 Notifications
Notifications will occur once with any new storm event or once with an increase of severity level. Therefore a storm event that is opened with a severity of information will initially send a notification when it is first opened. It will also send a notification if the severity is increased to warning and again if the severity is increased to exception. Whereas a storm event that is opened with a severity level of warning would not send a notification if the event decreased severity to information. However it would send a notification if the event severity increased to exception. A storm event that is opened as a exception would not notify if it reduces in severity to either warning or normal.