Baseline workflow and considerations

The following diagram shows a summary of the workflow of a Baseline function that uses MaxAlgorithm in its threshold calculations:

[Figure: Illustration of data collection, data smoothing and threshold calculation]

Choosing threshold multipliers

The high threshold is used to determine the alert condition, which, when true, triggers the generation of an alert and, optionally, the execution of additional actions.

The low threshold is used in the rule to determine the clear condition, which—when true—triggers actions such as resetting the alert level.

At the end of the initial learning period and at the end of the continuous learning window, the MaxAlgorithm function calculates a single baseline value based on the smoothed data. In the Baseline function, you specify a high-threshold multiplier and a low-threshold multiplier to apply to this baseline value, resulting in the high threshold and the low threshold, against which datapoints are evaluated.

In effect, this strategy creates a "corridor" in which data can fluctuate without triggering alerts.
  • If you choose a low number for the high-threshold multiplier, smaller variations from the baseline trigger alerts, which can result in alerts being triggered for what might be normal fluctuations in data.

  • If you choose a high number for the high-threshold multiplier, the threshold might be exceeded less often, resulting in fewer alerts.

Effect of learning periods

Both the continuous learning window and the initial learning period are part of the look-back mechanism used by the Baseline function. These learning durations are used to determine how many datapoints to consider when calculating the baseline.

Specifying a period of time instead of a number of datapoints is useful when a representative number of datapoints is difficult to know, but a representative amount of time is easier to estimate. However, getting enough data during the learning period to make a good calculation can depend on the length of the learning period and how typical the network conditions are when the agent is enabled.

Choosing a longer learning period enables the Baseline algorithms to distinguish important trends while ignoring temporary large fluctuations in data. Choose a learning period that is significantly longer than a situation that you would consider to be temporary for that kind of data.

For example:

  • If the agent is enabled at a time when network traffic is low and the initial learning period is 10 minutes, the thresholds that are calculated are based on that low traffic. When more users arrive two hours later and network traffic increases, the measured traffic quickly exceeds the threshold.

  • However, if you choose a learning period of one day, the "normal" fluctuations in traffic throughout the day are included in the baseline, resulting in thresholds that are appropriate to the situation.

Anomalies and baseline recalculations

Data that exceeds the high threshold is considered an anomaly.

If an anomaly occurred during the continuous learning window, all datapoints that occurred during the continuous learning window are ignored and thresholds are not recalculated. This design prevents the thresholds from being reset as a result of a temporary "spike" in data.

If no anomalies occurred during the continuous learning window, the Baseline function updates the thresholds based on the latest result provided by the MaxAlgorithm function.
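
The following Python model is an added example, not the product's own code or API; it walks through the workflow described above: an initial learning period, threshold multipliers, alert and clear conditions, and the rule that a continuous learning window containing an anomaly does not update the thresholds. It assumes a trailing moving average for smoothing, a baseline equal to the maximum smoothed datapoint, a clear condition of "below the low threshold", and learning windows measured in datapoints rather than time; all function names and the sample data are constructed for illustration.

```python
from statistics import mean

def smooth(points, width=3):
    # Assumption: trailing moving average; the page does not name the smoothing method.
    return [mean(points[max(0, i - width + 1):i + 1]) for i in range(len(points))]

def thresholds(window, high_mult, low_mult):
    # Assumption: MaxAlgorithm's single baseline value is the maximum smoothed datapoint.
    baseline = max(smooth(window))
    return baseline * high_mult, baseline * low_mult

def run_baseline(data, initial_len, window_len, high_mult, low_mult):
    """Return (events, history): alert/clear events and every threshold pair in effect."""
    high, low = thresholds(data[:initial_len], high_mult, low_mult)  # initial learning period
    history, events = [(high, low)], []
    window, anomaly_seen, alerting = [], False, False
    for i in range(initial_len, len(data)):
        value = data[i]
        if value > high:                      # anomaly: above the high threshold
            anomaly_seen = True
            if not alerting:
                alerting = True
                events.append((i, "alert"))
        elif alerting and value < low:        # assumed clear condition: below the low threshold
            alerting = False
            events.append((i, "clear"))
        window.append(value)
        if len(window) == window_len:         # end of a continuous learning window
            if not anomaly_seen:              # clean window: recalculate thresholds
                high, low = thresholds(window, high_mult, low_mult)
                history.append((high, low))
            # Start the next window; a window that held an anomaly contributed nothing.
            window, anomaly_seen = [], False
    return events, history

# Constructed sample: 4 learning datapoints, then three 4-datapoint windows (one spike of 40).
SAMPLE = [10, 12, 11, 13,  12, 14, 13, 15,  14, 40, 16, 15,  15, 16, 17, 18]

if __name__ == "__main__":
    events, history = run_baseline(SAMPLE, 4, 4, high_mult=1.5, low_mult=1.25)
    print(events)    # alert at the spike, clear on the next datapoint
    print(history)   # three threshold pairs: the spike window added none
```

With the spike in the third group of datapoints, the thresholds stay at the values learned from the previous clean window until the next clean window completes.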