The Settings tab presents options for automatic monitoring (baseline alerting). To access this tab, go to ADMIN> Event Sources > Settings.
This workflow shows the overall process for configuring event sources.
You can set up policies and thresholds for your event source groups. You do this so that you can receive notifications when the thresholds are not met. NetWitness Suite also provides an automatic way to receive alarms, if you do not want to set up thresholds to generate alarms.
About Automatic Alerting
You can set up policies and thresholds for your event source groups. You do this so that you receive notifications when the thresholds are not met. NetWitness Suite also provides an automatic way to receive alarms, if you do not want to set up thresholds to generate alarms.
To trigger automatic alerts, you can use baseline values. This way, you do not need to set up numerous group thresholds and policies in order to receive alerts. Any anomalous amount of messages trigger alerts, without needing to do any configuration (except for turning on automatic alerting).
Note the following:
- Once you begin collecting messages from an event source, it takes the system approximately a week to store a baseline value for that event source. After this initial period, the system alerts you when the number of messages for a period are above or below the baseline by a set amount. By default, this amount is 2 standard deviations above or below the baseline.
- Base your high and low deviation settings on how "regular" your event sources behave. That is, if you expect little or no variance in the number of messages that arrive for a given time (for example, 8 to 9 am on a weekday), then you can set a low value for the Deviation. Conversely, if you often see peaks and valleys, set the Deviation value higher.
- If you enable a policy, but do not have any thresholds set, then you can still receive automatic (baseline) notifications, as long as you have turned on automatic alerting.
|1||Determines whether automatic alerting is on or off. By default, this option is selected (automatic alerting turned on)|
Determines whether notifications for automatic alerts are on or off. By default, this option is cleared (automatic notifications are not sent when automatic alerts are triggered)
The standard deviations below which to receive alerts. Default is 2.0 (95% confidence)
|4||The standard deviations above which to receive alerts. Default is 2.0 (95% confidence)|
When selected, this option stores event source counts per one-hour interval. The data that is collected is used to form the baseline values for each event source.
|6||Controls how much historical data (see Enable Aggregation Persistence) to maintain for each event source. The default value of 120 days means roughly 4 months of history is kept and used when reconstructing the basis for each event source|
When enabled, data about the behavior of the automatic alerting is stored to disk. The default value is Enabled.
The data retained includes baseline value over time and the alerting history for each event source. Note, however, the event source address and type is anonymized, so only your event rate information is revealed.
Since automatic alerting is a beta feature, this data is important to measure the efficacy of the feature. This can be disabled without affecting the automatic alerting functionality
|8||The Reset option discards any unsaved changes for all settings on the page.|
|9||Click Apply to save any changes you made to the values on the page.|
The Settings tab contains the following features.