Example of baselines in a time series graph
The following is an example the time series graph for a monitor that includes baselines:
The initial learning time is one minute.
There are no default thresholds.
In this graph:
The green line is the raw data.
The orange line is the high threshold as calculated by the baseline.
The blue line is the low threshold as calculated by the baseline.
The events in the timeline are as follows:
At 20:32:30, an agent is created and enabled. The baseline enters the learning state. Because the script did not specify default thresholds, there are no thresholds defined. In the graph, just the green line for the raw data is displayed.
At 20:33:30, the baseline exits the learning state and enters the active state:
The high threshold and the low threshold calculations are completed.
The graph begins the display of the orange line for the high threshold and the blue line for the low threshold.
The agent will generate an alert when the monitored traffic rate (in packets per second) exceeds the high threshold.
The agent will clear the alert when the monitored traffic rate (in packets per second) drops below the low threshold.
At 20:37:33, an alert is triggered because the monitored traffic rate exceeds the high threshold.
At 20:39:15, the alert is cleared because the monitored traffic rate (in packets per second) is lower than the low threshold.
At 20:40:30, the thresholds are updated.
In this case, the thresholds are set significantly higher because the algorithm includes all the data in its continuous learning window, which included the time in which the traffic rate was much higher than the previous threshold.
If the script specified a longer initial learning time, such as one day, the calculations used to create the thresholds can include the typical fluctuations in data that can occur, resulting in more appropriate thresholds and alerts that trigger only for significant anomalies.