Breach Predictor and Adaptive Rules
This page has been deprecated. It may contain information that is out of date. Please see Gateway section of Geneos Home Page.
Intended Audience Copied
This document is a reference guide and is aimed at all users of the Geneos monitoring system. It is expected that readers will have some familiarity with the Geneos product or have read the relevant “getting started” guides.
Introduction Copied
The document describes the time series driven features introduced in Gateway2. These comprise Time Series, Breach Prediction and Adaptive Rules. The features described in this document are only available in Gateway 2 version 2011.2 or later.
Time Series Copied
Time Series model a day’s worth of data and are read by the gateway from a user defined database. These models can then be used as part of Adaptive Rules and Breach Prediction functionality. Time series are configured inside data sets. Data sets represent a placeholder for different kinds of data collected by the gateway. Currently, they have only time series as a type. Full details of the configuration options for this are found in the Time Series section.
Breach Prediction Copied
A breach is defined as reaching or crossing a maximum tolerable threshold value for any entity or configurable variable in the gateway. Intra-day Threshold Breach Prediction or simply Breach Prediction as it is often called is a feature that allows the user to do breach prediction calculation for any particular or set of variables. This prediction is done based on the model data supplied by the user and logged to the database. As the name suggests, Intra-day Breach Prediction currently does the prediction based on only one day’s worth of data. The user can use the predicted information in a rule to be alerted well in advance if a breach will occur, so that he/she can take appropriate steps. This feature is available by configuring a Gateway plugin sampler. Full details of the configuration options for this are found in the Breach Prediction section.
Adaptive Rules Copied
Adaptive Rules allow Time Series to be used in rule calculations. This means that rules can be “adaptive” based on prior knowledge of the daily variations in the data it is applied to.
Examples include a moving threshold during the day to deal with spikes of traffic at known intervals or ensuring that a value stays within a safe zone during the day. Full details of the configuration options for this are found in the Adaptive Rules section.
Time Series Copied
Basic Configuration Copied
To create a time Series, select the Data sets from the left-hand side in GSE and click on New Time Series.
Time series data is stored in the geneos database in two optional tables. The table names are time_series_user_table and time_series_data_user_table. The schema for these tables is available in the gateway resources directory provided as part of the gateway bundle.
The time_series_user_table stores a set of names and unique IDs. The names are used to map the names of the time series defined in the gateway setup to the IDs used in the time_series_data_user_table. Both name and time_series_id should be unique in this table.
The time_series_data_user_table stores the time series data. There are 3 values per row;
- time_series_id: The ID used to link the data back to the name in the time_series_user_table
- start_time: The start time for the value of a point in the time series data. This time is in seconds since the start of the day
- value: The value of the time series at the start_time
The data is read from the database at gateway start time and at the reload time defined in the setup. It is up to an external process to maintain and update the timeseries tables. This can be controlled using the gateway scheduled command.
Data Sets Copied
Data Sets are a placeholder for different kinds of data collected by the gateway. Currently, they have only time series as a type.
Mandatory: No
timeSeries Copied
Time Series model a day’s worth of data uploaded from the database. The model values can then be used as part of Adaptive Rules and Breach Prediction functionality.
Mandatory: No
timeSeries > name Copied
The name specifies a name that the user wants to identify each time series with.
Mandatory: Yes
timeSeries > description Copied
The description specifies additional information about the time series. One can enter multi-line comments in the description field.
Mandatory: No
timeSeries > external Copied
This specifies the database external settings.
timeSeries > external > reloadTime Copied
The reload time specifies the time of the day that data should be uploaded from the database every day. For this, the time series name should corresponds to one of the database tables configured by the user.
Mandatory: No (Default value is the current time during time series creation).
Breach Prediction Copied
Configuration View Copied
Once created, the Gateway-breachPredictor Plug-in has an empty predictor. A predictor is a logical grouping of data view cells for which breach prediction is to be done. One can create as many predictors as one wants to. The Breach Predictor Gateway Plugin must have at least one predictor configured.
Clicking on ‘Add new’ link presents the configuration options for a predictor. Every predictor presents a Name, a Target, a Threshold value, a Prediction Function to be selected and a Time Series that one wished to use as a model value for the breach prediction calculation.
The rest of the settings for the Breach Predictor Gateway Plugin remain same as any other Gateway Plugin.
Predictor Settings Copied
The settings below define the Gateway-breachPredictor Plugin predictor.
predictors > predictor Copied
A Breach Predictor Gateway Plugin predictor is a logical grouping of the Gateway Data View cells for which one wishes to do breach prediction calculation. One can create one or more predictors for the Breach Predictor plugin.
Mandatory: Yes (at least one predictor must be configured per breach predictor gateway plugin)
predictors > predictor > name Copied
The name specifies a name that the user wants to identify each predictor with. Each predictor name should be unique across a breach predictor gateway plugin. The name must not be empty else it will appear as a validation error in the GSE.
Mandatory: Yes
predictors > predictor > target Copied
Specifies an xpath name or the data items that this predictor applies to. See Xpaths User Guide for more information on xpaths.
Mandatory: Yes
predictors > predictor > threshold Copied
Specifies a threshold value that is to be used for breach prediction calculation. The threshold value must be a valid double value otherwise the predictor will be ignored. The threshold is used as an upper limit value for breach prediction calculation. Currently, there is no way to provide a lower limit threshold value for breach prediction calculation within a particular range. The threshold can be a positive or negative value.
Mandatory: No
Default: 0.0
predictors > predictor > predictionFunction Copied
The prediction function specifies which prediction function is to be used for prediction calculation. The drop down provides 2 values.
Mandatory: No
Default: Linear
| Value | Effect |
|---|---|
| linear | Linear function is used for breach prediction calculation |
| percentage | Percentage based function is used for breach prediction calculation |
predictors > predictor > predictionFunction > linear Copied
Linear based prediction is one where the predicted values of the cell will follow a graph which simulates the slope (or gradient of the actual cell values).
Example: If the current value of cell is 5.00, the current time is 9:00 and actual values are as given in second row below, then the predicted values of the cell will be as given in third row below.
With a threshold value specified as 25.00 the breach will be predicted to occur at 11:00, in 2 hours’ time.
| Time of Actual Value | 9.00 | 10:00 | 11:00 | 12:00 | 13:00 | 14:00 | 15:00 | 16:00 | 17:00 |
| Actual Values | -10.00 | 0.00 | 10.00 | 20.00 | 30.00 | 40.00 | 30.00 | 20.00 | 10.00 |
| Predicted Values | 5.00 | 15.00 | 25.00 | 35.00 | 45.00 | 55.00 | 45.00 | 35.00 | 25.00 |
predictors > predictor > predictionFunction > percentage Copied
Percentage based prediction is one in which prediction is based on the percentage difference between the actual value and current value of the cell. The prediction cannot be done if the current value of cell is zero.
Example 1: If the current value of cell is 20.00, the current time is 9:00 and the actual values are as given in second row below, then the predicted values of the cell will be as given in third row below.
With a threshold value specified as 100.00 the breach will be predicted to occur at 13:00, in 4 hours time.
Example 2: If the current value of cell is -15.00, the current time is 9:00 and actual values are as given below in second row, then the predicted values of the cell will be as given below in third row.
With a threshold value specified as 20.00 the breach will be predicted to occur at 16:00, in 7 hours time.
| Time of Actual Value | 9.00 | 10:00 | 11:00 | 12:00 | 13:00 | 14:00 | 15:00 | 16:00 | 17:00 |
| Actual Values | 10.00 | 20.00 | 30.00 | 40.00 | 50.00 | 60.00 | 70.00 | 80.00 | 90.00 |
| Predicted Values | 20.00 | 40.00 | 60.00 | 80.00 | 100.00 | 120.00 | 140.00 | 160.00 | 180.00 |
| Time of Actual Value | 9.00 | 10:00 | 11:00 | 12:00 | 13:00 | 14:00 | 15:00 | 16:00 | 17:00 |
| Actual Values | -30.00 | -20.00 | -10.00 | 0.00 | 10.00 | 20.00 | 30.00 | 40.00 | 70.00 |
| Predicted Values | -15.00 | -10.00 | -5.00 | 0.00 | 5.00 | 10.00 | 15.00 | 20.00 | 35.00 |
predictors > predictor > timeSeries Copied
Specifies a time series that is created in the data sets. The drop down shows a list of all the time series that have been created in the data sets.
If the user does not select any time series, then the corresponding rows in the Breach Predictor Data View state that the time series is non-existent and no prediction is done. The prediction is done only if the time series is valid and has data points updated from the database.
Mandatory: Yes
Data View Copied
Upon configuring a valid breach predictor gateway plugin, a data view appears for the plugin. The data view displays as many rows as the total number of data view cells that have been configured through xpaths in all the predictors for that breach predictor gateway plugin.
Row variables (Single row per data item):
Table 1 Breach Predictor Data View Row Variables Description
| Variable Name | Description |
|---|---|
| Id | Unique identifier for this cell. Prepends Predictor name for identifying which predictor it belongs to. |
| componentType | The directory component type of this dataitem. One of gateway, probe, managedEntity, sampler, dataView, cell. |
| probe | The probe for this dataitem. |
| managedEntity | The managed entity for this dataitem. |
| sampler | The sampler for this dataitem. |
| dataview | The dataview for this dataitem. |
| cell | The cell for this dataitem. |
| type | The configured type for this dataitem. |
| currentValue | The value for this dataitem (in double) |
| thresholdValue | Threshold value provided in the predictor |
| timeSeries | Name of the time series used as a model value for breach prediction calculation. |
| timeToBreach | The predicted time to Breach. Blank in case the cell value is not expected to breach or if the prediction cannot be done. |
| timeOfBreach | The predicted time of Breach. Blank in case the cell value is not expected to breach or if the prediction cannot be done. |
| description |
Information about the breach (One of Breached,
Will Breach, No Data, No Prediction or Error:
Non-existent Time Series).
No Data will appear if there are no values in the model time series or the current time is beyond the range of time for which the model values are present. No prediction will appear if the prediction function is percentage-based, and the current value of cell is zero. In which case breach prediction cannot be done. |
Adaptive Rules Copied
Introduction Copied
The term Adaptive Rules refers to the ability to refer the current value of a time series from rule logic.
The following shows a rule referring to a time series defined as “maxCpu”. According to the rule logic, if the value of the rule target goes above the value of the time series at that point in time then severity is set to critical.
A time series will typically be created using historical data pertaining to certain managed variables. In the above example, the time series “maxCpu” might have been created using historical data gathered on the rule target itself. Hence in effect the rule is comparing the current behaviour of the value to its historical behaviour. See the Time Series section for more information about creating a time series.
Multiple Time Series Copied
A rule can typically refer to multiple time series.
In the above example high and low thresholds for both warning and critical severity have been defined as time series. Typically such time series would have been generated by running different functions on the same historical data.