5.5 Configuring Anomaly Detection

After you create a baseline, you can define anomalies against the information gathered in the dashboard. When activity falls outside the expected pattern, the anomaly triggers and generates an anomaly event, optionally with an e-mail notification.

5.5.1 Creating an Anomaly Definition

  1. Log in to the Sentinel Web interface as a user with the Manage Dashboard permission.

  2. Click the desired dashboard under the dashboard heading, then click Configure anomaly detection.

  3. Click Create anomaly definition.

    The Anomaly detection definition details screen is displayed.

  4. Use the following information to create the anomaly definition:

    Anomaly name: Specify a unique name for the anomaly.

    Comparison type: Select and define the anomaly type. The options are:

    • Threshold: Compares the event count against a fixed limit. The anomaly triggers when the count exceeds the threshold.

    • Moving Average: Compares current activity against a moving average of recent events, so the comparison point follows gradual changes in volume.

    • Ratio: Compares the ratio between two event measures instead of an absolute count.

    • Historical: Compares current activity against the activity recorded for the same period in the past.

    • Baseline: Compares current activity against an established baseline. You must have a custom baseline to use this option. For more information, see Section 5.4, Creating Baselines.

    Select the comparison type that matches the behavior you want to detect, then fill in the parameters that the selected type requires.

    Anomaly description: Specify a description for the anomaly. The description is displayed in the anomaly event.

    Anomaly state: Define when the anomaly definition is evaluated by selecting one of the following:

    • Always active: The definition is always active and triggers whenever its condition is met.

    • Only active for selected days and times: The definition triggers only during the time periods you specify. When you select this option, a default time grid is displayed. Adjust the grid to define when the definition may trigger; hold the Ctrl key to select several separate time periods for the same definition.

      NOTE: The times shown in the time grid are in local time.

    Notification information: Define how the anomaly is reported when it triggers.

    • Severity: Select the severity assigned to the anomaly event, from 0 (lowest) to 5 (highest).

    • After this anomaly definition fires: Specify the minimum interval between notifications (e-mail or anomaly events) after the anomaly triggers, so that a condition that persists does not generate a flood of repeated notifications.

    Optionally send notification via e-mail after the anomaly triggers: Fill in the following fields to send an e-mail when the anomaly triggers.

    • E-mail address: Specify the e-mail addresses of the people who should receive notification when the anomaly occurs. Separate multiple e-mail addresses with commas.

    • Subject: Specify a subject for the e-mail.

    • Message: Specify a message for the e-mail to explain the anomaly that occurred.

  5. Click Save.

  6. Continue with Deploying an Anomaly Definition.
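The following is an added example, not Sentinel code, that shows what the five comparison types and the two timing controls in step 4 amount to when evaluated against event counts. The product does not expose these comparisons as functions; the semantics chosen here (how much history the moving average uses, that Historical compares against the same hour on previous days, that Baseline measures distance from the baseline mean in standard deviations, that the post-fire gap is a cooldown) are assumptions made for illustration, and every count is constructed sample data.

```python
"""Illustrative evaluation of the comparison types and timing controls
described above, over constructed event counts.

Added example, not Sentinel code: the comparison semantics below and the
sample data are assumptions made to show the idea behind each option.
"""
from __future__ import annotations

from statistics import mean, pstdev

# Constructed hourly counts of failed logins from one source, oldest first.
FAILED = [12, 9, 14, 11, 10, 13, 12, 95]
# Constructed total login attempts over the same hours.
TOTAL = [400, 380, 410, 395, 390, 405, 398, 140]
# Constructed failed-login counts for the same hour on the 7 previous days.
SAME_HOUR_PRIOR_DAYS = [10, 12, 11, 9, 13, 12, 10]


def threshold(current: int, limit: int) -> bool:
    """Threshold: fire when the current count exceeds a fixed limit."""
    return current > limit


def moving_average(series: list[int], window: int, factor: float) -> bool:
    """Moving Average: fire when the latest value exceeds `factor` times the
    mean of the `window` values before it. Too little history never fires."""
    if len(series) <= window:
        return False
    prior = series[-window - 1:-1]
    return series[-1] > factor * mean(prior)


def ratio(numerator: int, denominator: int, limit: float) -> bool:
    """Ratio: fire when numerator/denominator exceeds `limit`.
    A zero denominator has no ratio, so it never fires."""
    if denominator == 0:
        return False
    return numerator / denominator > limit


def historical(current: int, prior_same_slot: list[int], factor: float) -> bool:
    """Historical: fire when the current count exceeds `factor` times the
    mean of the same time slot on earlier days."""
    if not prior_same_slot:
        return False
    return current > factor * mean(prior_same_slot)


def baseline(current: int, baseline_values: list[int], sigmas: float) -> bool:
    """Baseline: fire when the current count is more than `sigmas` standard
    deviations above the mean of the established baseline."""
    if len(baseline_values) < 2:
        return False
    mu, sd = mean(baseline_values), pstdev(baseline_values)
    if sd == 0:
        return current > mu  # flat baseline: any increase is an anomaly
    return (current - mu) / sd > sigmas


def is_active(weekday: int, hour: int, schedule: dict[int, set[int]] | None) -> bool:
    """Anomaly state. `schedule` maps weekday (0 = Monday) to the local-time
    hours in which the definition may fire; None means 'Always active'."""
    if schedule is None:
        return True
    return hour in schedule.get(weekday, set())


def should_notify(last_fired: float | None, now: float, gap_seconds: float) -> bool:
    """'After this anomaly definition fires': suppress repeat notifications
    until `gap_seconds` have elapsed since the previous one (epoch seconds)."""
    return last_fired is None or now - last_fired >= gap_seconds


def evaluate() -> dict[str, bool]:
    """Run every comparison type against the latest hour of sample data."""
    current = FAILED[-1]
    return {
        "threshold": threshold(current, limit=50),
        "moving_average": moving_average(FAILED, window=5, factor=3.0),
        "ratio": ratio(current, TOTAL[-1], limit=0.2),
        "historical": historical(current, SAME_HOUR_PRIOR_DAYS, factor=3.0),
        "baseline": baseline(current, FAILED[:-1], sigmas=3.0),
    }


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:15s} {'ANOMALY' if fired else 'ok'}")
```

On the sample data the final hour (95 failures out of 140 attempts, against a steady 9 to 14 per hour before it) fires every comparison, while the preceding hour fires none of them; the difference between the types is which reference each one uses, which is what you choose with Comparison type. The cooldown in should_notify is the behavior the "After this anomaly definition fires" interval provides: a condition that stays true across many evaluations yields one notification per interval rather than one per evaluation.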

5.5.2 Deploying an Anomaly Definition

A saved anomaly definition does not evaluate events until it is deployed to the dashboard.

  1. In the Sentinel Web interface, click Security Intelligence > Dashboard, then select the dashboard where you created the anomaly definition.

  2. Click Configure anomaly detection.

    The Anomaly detection screen is displayed.

  3. Mouse over the anomaly definition you want to deploy, then click Deploy.

    You receive a message that the anomaly definition was deployed.

5.5.3 Undeploying an Anomaly Definition

To undeploy the anomaly definition:

  1. In the Sentinel Web interface, click Security Intelligence > Dashboard, then select the dashboard where you created the anomaly definition.

  2. Click Configure anomaly detection.

  3. Mouse over the anomaly definition you want to undeploy, then click Undeploy.

  4. Click Undeploy again to confirm the action.

    You receive a message that the anomaly definition was undeployed.

5.5.4 Managing Anomalies

You can perform the following management tasks on the anomalies:

Editing an Anomaly

  1. In the Sentinel Web interface, click Security Intelligence > Dashboard, then select the dashboard where you created the anomaly definition.

  2. Click Configure anomaly detection.

  3. Mouse over the anomaly you want to edit, then click Edit.

  4. Make any desired changes to the anomaly definition, then click Save.

Deleting an Anomaly

  1. In the Sentinel Web interface, click Security Intelligence > Dashboard, then select the dashboard where you created the anomaly definition.

  2. Click Configure anomaly detection.

  3. Mouse over the anomaly you want to delete, then click Delete.

  4. Click Delete again to confirm the action.