A data stream is any collection of data from one data source. The source determines the type of data stream and, therefore, what type of threshold is applicable. Data sources can be either continuous or discrete:
In this chapter, we are not using the terms continuous and discrete in a strict mathematical way. We are using the terms to distinguish data that changes on a relatively continuous basis (no digital computer-based data is truly continuous) from data that has a discrete set of possible values.
One way to distinguish one class of data from the other is to consider graphing the data over time. Lines or curves can validly connect the values for continuous objects as the data represents change over time. Discrete objects cannot be plotted in the same way because their values are distinct and should be represented as the state of the object at a given time.
Continuous data can be represented using two methods:
Averages or rates are sometimes calculated as moving averages. There are several different types and methods of calculating moving averages. The type of moving average that Cisco IOS uses is known as a five-minute, exponentially decaying, weighted moving average. The method for calculating this form of a moving average is explained on Cisco's Web site: http://www.cisco.com/warp/customer/66/3.html.
There are two different algorithms for checking thresholds on continuous data. The simplest algorithm checks the threshold against the value of the object. This algorithm is useful for objects such as gauges or anywhere you are interested in the actual value of the object. Since these thresholds operate against the absolute value of continuous objects, we call these absolute continuous thresholds.
The other algorithm involves calculating the delta value of an object over a given time period by sampling the object twice and subtracting the second sample from the first. This algorithm is useful for counter-type objects or when you are interested in how much the object changed over a time period. We call these thresholds delta continuous thresholds.
Discrete data can be represented as different text messages or as a series of values, each with a defined meaning, also known as an enumerated object. A boolean object is a special case of an enumerated object where the possible values are limited to two, one representing true and another representing false.
An overview of SNMP data types, including counters and gauges, is covered in the "SNMP Object Types" section of Chapter 8, "Understanding Network Management Protocols."
Table 5-1 shows the relationships between the different data sources and the trigger types that can be applied against them. The next two sections cover each of these types of data sources and their associated trigger types in detail.
Configuring Events for Continuous Data Sources
Continuous data sources present a continuously changing curve of values. Examples of continuous data sources include
These data sources are sampled at some rate to produce a data stream.
The type of trigger applicable to continuous data sources is a continuous threshold. This threshold type generates an event when the most recent value in a continuous data stream becomes interesting, such as when a device's CPU utilization exceeds 90 percent or the temperature of your tropical fish aquarium goes below 72 degrees Fahrenheit. You probably want to know when things are back to normal as well as when they exceed your threshold. Thus, you need to trigger events both when the data stream rises across your threshold values and when it falls across your threshold values. The values of 90 percent for CPU utilization and 72 degrees for the aquarium are the points at which the data stream becomes interesting and, therefore, are the values you assign to the threshold. The values are known as the threshold set points.
Another example of the use of a continuous threshold is detecting when the utilization on an interface exceeds a reasonable limit. Let's use an example of monitoring one of your WAN links for high utilization. As described in Chapter 12, "Monitoring System Interfaces," you can choose the object ifInOctets to monitor the incoming utilization on that link. This object, ifInOctets, is from the ifTable in MIB II, where it is defined as a counter, so you will need to use a relative threshold. If you set a threshold at 80 percent, an event will be generated every time the data stream crosses this threshold in either direction.
Configuring Events for Discrete Data Sources
Discrete data sources present data that can have several discrete states. Examples of discrete data sources include
Discrete data streams are derived from discrete data sources by recording the time at which the source changes state.
Examples of discrete data streams include the time(s) when
Discrete data can be represented by data types, including enumerated data, Boolean data, or text data fields with a fixed range of text values or states. Chapter 8 goes into detail about these data types.
Often, discrete data is collected as the state of the source at a particular time. Because the interesting information in this data stream is when the state changes, this data stream can be reduced to the times at which the state changed and the new state of the source. These state changes can be treated directly as faults, but they usually should be filtered to determine which are interesting.
To set a discrete event, you specify one or more states and whether an event is to be triggered if the object equals one of the states or if it does not equal any of the states.
It is sometimes possible to use a continuous threshold on discrete data. An example of using a continuous threshold on a discrete event is detecting PVC status on an ATM network. "Setting Continuous Thresholds On Discrete Objects" (later in this chapter) discusses this in detail.