Baseline workflow and considerations
The following diagram shows a summary of the workflow of a Baseline function that uses MaxAlgorithm in its threshold calculations:
Choosing threshold multipliers
The high threshold is used in the determination of the condition which, when true, triggers the generation of an alert and, optionally, the execution of additional actions.
The low threshold is used in the rule to determine the clear condition, which—when true—triggers actions such as resetting the alert level.
At the end of the initial learning period and at the end of the continuous learning window, the MaxAlgorithm function calculates a single baseline value based on the smoothed data. In the Baseline function, you specify a high-threshold multiplier and a low-threshold multiplier to apply to this baseline value, resulting in the high threshold and the low threshold, against which datapoints are evaluated.
If you choose a low number for the high-threshold multiplier, smaller variations from the baseline trigger alerts, which can result in alerts being triggered for what might be normal fluctuations in data.
If you choose a high number for the high-threshold multiplier, the threshold might be exceeded less often, resulting in fewer alerts.
Effect of learning periods
Both the continuous learning window and the initial learning period are part of the look-back mechanism used by the Baseline function. These learning durations are used to determine how many datapoints to consider when calculating the baseline.
Using a period of time instead of specifying a number of datapoints is useful for situations in which knowing what a representative number of datapoints might be is difficult, but a representative amount of time is easier to estimate. However, getting enough data during the learning period to make a good calculation can depend on the length of the learning period and how typical the network conditions are when the agent is enabled.
Choosing a longer learning period enables the Baseline algorithms to distinguish important trends while ignoring temporary large fluctuations in data. Choose a learning period that is significantly longer than a situation that you would consider to be temporary for that kind of data.
For example:
If the agent is enabled at a time when network traffic is low and the initial learning period is 10 minutes, the thresholds that are calculated are based on that low traffic. When more users arrive two hours later and network traffic increases, the measured traffic quickly exceeds the threshold.
However, if you choose a learning period of one day, the "normal" fluctuations in traffic throughout the day are included in the baseline, resulting in thresholds that are appropriate to the situation.
Anomalies and baseline recalculations
Data that exceeds the high threshold is considered an anomaly.
If an anomaly occurred during the continuous learning window, all data points that occurred during the continuous learning window are ignored and thresholds are not recalculated. This design prevents the thresholds from being reset as a result of a temporary "spike" in data.
If no anomalies occurred during the continuous learning window, the Baseline function updates the thresholds based on the latest result provided by the MaxAlgorithm function.
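The following Python sketch is an added example, not the product's code: it models the workflow described above (baseline from the maximum of smoothed data, high and low multipliers, alert and clear conditions, and skipping recalculation for a window that contained an anomaly). Assumptions: the smoothing is a trailing moving average, learning periods are counted in samples taken at a fixed interval, and the names BaselineModel, smooth, run, and SAMPLES are hypothetical.

```python
from statistics import mean

def smooth(values, k=3):
    # Assumption: trailing moving average; the page does not define the smoothing.
    return [mean(values[max(0, i - k + 1):i + 1]) for i in range(len(values))]

class BaselineModel:
    """Hypothetical model of the workflow; periods are counted in samples."""
    def __init__(self, high_mult, low_mult, initial_n, window_n):
        self.high_mult, self.low_mult = high_mult, low_mult
        self.initial_n, self.window_n = initial_n, window_n
        self.high = self.low = None          # no thresholds until learning ends
        self.buf, self.anomaly_in_window = [], False
        self.alert, self.events = False, []

    def _recalculate(self):
        baseline = max(smooth(self.buf))     # single baseline value
        self.high = baseline * self.high_mult
        self.low = baseline * self.low_mult

    def feed(self, x):
        self.buf.append(x)
        if self.high is None:                # initial learning period
            if len(self.buf) == self.initial_n:
                self._recalculate()
                self.buf = []
            return
        if x > self.high:                    # anomaly: alert condition
            self.anomaly_in_window = True
            if not self.alert:
                self.alert = True
                self.events.append(("alert", x))
        elif self.alert and x < self.low:    # clear condition
            self.alert = False
            self.events.append(("clear", x))
        if len(self.buf) == self.window_n:   # continuous learning window ends
            if not self.anomaly_in_window:   # a window with an anomaly is ignored
                self._recalculate()
            self.buf, self.anomaly_in_window = [], False

def run(samples, **kw):
    model = BaselineModel(**kw)
    for s in samples:
        model.feed(s)
    return model

# Constructed sample data: quiet start, normal rise, one spike, normal again.
SAMPLES = [10] * 4 + [12] * 4 + [12, 50, 30, 12] + [14] * 4

if __name__ == "__main__":
    m = run(SAMPLES, high_mult=2.0, low_mult=1.5, initial_n=4, window_n=4)
    print(m.events, m.high, m.low)
```

With the constructed samples and multipliers of 2.0 and 1.5, the window containing the spike leaves the thresholds at 24 and 18, and the next clean window raises them to 28 and 21.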