Disruption Queue

About the disruption queue concept in TrackMe

  • The disruption queue is a feature available for all components and all types of entities; it was made available in TrackMe 2.1.18.

  • This feature allows you to define a period of time, in seconds, that must elapse before an entity anomaly is considered.

  • The minimal disruption period is therefore a continuous period of disruption that must pass before an entity is allowed to transition to an alerting state (red).

  • During this intermediate state, the entity transitions to a blue state.

  • Once the disruption period is over, and if the anomaly persisted, the entity transitions to a red state.

  • The disruption queue can be leveraged to avoid or reduce the risk of false positives caused by short-lived anomalies.

Setting up the disruption queue at the level of the Virtual Tenant (entities discovery)

The disruption queue can be configured at the level of the Virtual Tenant; this will apply to all entities discovered in this Virtual Tenant.

Hint

About setting up the disruption queue at the level of the Virtual Tenant:

  • If defined at the level of the Virtual Tenant, this disruption queue will be defined for all existing entities and entities to be discovered.

  • A given entity can still be updated to have a different disruption queue configuration; this will override the Virtual Tenant configuration.

disruption_queue_virtual_tenant_configuration01.png disruption_queue_virtual_tenant_configuration02.png

Setting up the disruption queue on a per entity basis

The disruption queue can be configured on a per entity basis through the TrackMe UI and the entity configuration page.

Hint

Entity level has precedence over Virtual Tenant level:

  • If defined at the level of the entity, this disruption queue will override the Virtual Tenant configuration.

  • If no configuration is defined at the level of the entity, the Virtual Tenant configuration will be used (if configured).

disruption_queue_entity_configuration01.png

Flex Object specific: setting up the disruption queue at the level of the Flex Object tracker

Especially for the Flex Object component (splk-flx), you can define a default disruption queue for entities associated with this tracker:

disruption_queue_flex_object_tracker_configuration01.png

How does the disruption queue work?

The mechanism is simple. The disruption queue is a counter that starts when an entity is meant to be in an alerting state (red):

disruption_queue_how_it_works01.png

The entity has transitioned to a blue state:

disruption_queue_how_it_works02.png

Once this counter reaches the minimal disruption period, the entity will transition to red if the anomaly persists:

disruption_queue_how_it_works03.png disruption_queue_how_it_works04.png
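The behaviour described above can be modelled in a few lines. This is an added example, not TrackMe's own code: the function names, the "green" label for a healthy entity, the treatment of an unset period as 0 (no queue), and the sample observations are all assumptions made for illustration.

```python
from typing import Iterable, List, Optional, Tuple

def effective_period(entity_period: Optional[int],
                     tenant_period: Optional[int]) -> int:
    """Entity-level setting overrides the Virtual Tenant setting.
    Assumption: nothing configured means 0 seconds (no queue)."""
    if entity_period is not None:
        return entity_period
    if tenant_period is not None:
        return tenant_period
    return 0

def replay(observations: Iterable[Tuple[int, bool]],
           min_period: int) -> List[Tuple[int, str]]:
    """Replay (epoch_seconds, anomaly_detected) observations and return
    the state the entity would show at each one."""
    states: List[Tuple[int, str]] = []
    disruption_start: Optional[int] = None  # when the counter started
    for ts, anomaly in observations:
        if not anomaly:
            # Disruption must be continuous: a recovery resets the counter.
            disruption_start = None
            states.append((ts, "green"))  # "green" is an assumed label
            continue
        if disruption_start is None:
            disruption_start = ts
        elapsed = ts - disruption_start
        # Blue while queued; red once the minimal period has been reached.
        states.append((ts, "red" if elapsed >= min_period else "blue"))
    return states

# Constructed sample: a 5-minute blip, then an anomaly lasting 15+ minutes.
SAMPLE = [(0, False), (300, True), (600, False), (900, True),
          (1200, True), (1500, True), (1800, True), (2100, False)]

if __name__ == "__main__":
    period = effective_period(entity_period=None, tenant_period=900)
    for ts, state in replay(SAMPLE, period):
        print(f"t={ts:>5}s  {state}")
```

With a 900-second period the short blip at t=300 only ever shows blue, while the sustained anomaly turns red at t=1800; with no queue both would alert immediately.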