Operation Manager 0.27.0 (full version)
 
Table of Contents
Start
Table of Contents
1. Conventions
2. General information about David system
3. Terminology
4. Installation
5. Operation Manager requirements
6. Installation
7. General information
8. Graphic Notifications Server (dgnsd)
9. Sound Client (sndc)
10. Access to the SNMP Trap Interface (damsnmpti)
11. SNMP Trap Analyser (damsnmptaud)
12. Access to the SNMP Data Interface (damsnmpdi)
13. SNMP Data Analyser (damsnmpdaud)
14. Cases Database Unit (damadbud)
15. Cases Service Unit (damcsud)
16. Buttons the most often used in Web applications
17. Recorded Operation Browser
18. Pending Operation Browser
19. Graphic Notifications Presenter (xdgnp)
 
 
 
 
 Prev Chapter 13. SNMP Data Analyser (damsnmpdaud)  Next
 
 

13.6. Description

When the agent, which waits for messages from network clients, receives an UDP packet then checks its IP address. In this case .known.hosts file is processed. If .known.hosts file can't be opened to read or an IP address of a client doesn't match any record in this file, the UDP packet is dropped. No authorization is made for local clients.

Processing of the next accepted item is begun with checking whether processed data exists in SNMP Data Analyser Database. Two any items are the same then and only then when their identifiers (i.e. damsnmpdi receives that identifier as an argument of option -I) are equal. If it doesn't exist, it is stored in the Database with the started values such as: creation and modification time, number of appearances etc. If the item has already occurred in the Database, its modification time and a counter of appearances is updated. If the item is error or timeout type, a counter of appearances is increased and then data is put to a procedure which sends it to the output of SNMP Data Analyser. When the item is counter type, increase of value of this item is calculated since last modification of that data. In this case that increase is tested in further procedures instead of a real value. When the item is gauge type, a real value of that data is tested. Then, if specific data appear, information about the message can be sent to output of SNMP Data Analyser.

An item may be dropped before actualization of appropriate item in the Database when specific conditions occur. It takes place when an identifier of a sender of the item is different then an actual sender of it. After some amount of occurring of such item (an argument of --snmpdf-sender-delay-max option), while an actual sender is still silent, an identifier of a new sender will be assigned to this item.

Next step in processing of an item is comparing its value with a window of average values for this data. If its value is lower then minimum limit of that window or greater then maximum limit of it, the item is passed to the procedure which sends data to output of SNMP Data Analyser.

The balancing procedure is run independently of received and processed data. It checks whether balancing process should be run for a given item (fixed limits of a window of average, i.e. accepted, values may be set for any data and that limits will never be changed). The balancing process will be repeated for that item if specified time is elapsed since the last balancing procedure for that item. At the first balancing procedure, limits of a window of average values (window_min, window_max) are calculated according to the following formula:

delta = (max - min) * (1.0 - len) / 2.0 * factor

window_min = min + delta

window_max = max - delta

where max is a maximum value of processed item since its beginning, min is a minimum value of that item. Parameter --snmpdf-average-len option of damsnmpdaud and factor is an argument of --snmpdf-balance-factor option of it. During next balancing procedures, limits of a window of average values are calculated as follows:

delta1 = (window_max - window_min) * ((1.0 - len) / 2.0 - hits_min / hits_after_balance) * factor

delta2 = (window_max - window_min) * ((1.0 - len) / 2.0 - hits_max / hits_after_balance) * factor

window_min = window_min + delta1

window_max = window_max + delta2

where hits_min is a number of appearances of values below minimum limit of a window of average values since the last balancing procedure and hits_max is similarly a number of appearances of values above maximum limit of a window of average values. Parameter hits_after_balance is a number of appearances of this data since the last balancing procedure. After updating of limits of the window, the hit counters of particular ranges are reset and counter of all hits since the last balancing procedure is reset too.

The procedure which sends data to the output of damsnmpdaud, checks (when sending data is other type then timeout or error) whether the balancing procedure has occurred a specified number of times for that item (when autobalance is on for that data). If that verification is succeeded and when autobalance is on for this data and it is not timeout or error type, then it is checked whether limits of the window of average values are exceeded significantly. Value of a given item is below a specified level for that item when its identifier matches to some defined object of level type (i.e. all strings of name fields in this objects are included in this data identifier) and arithmetical average of limits of a window of average values for that data and absolute value of its value are lower then value of that level object. In order to check whether the value exceeds a limit of a window of average values for that item, a following value is calculated:

window_min * min_severity_factor

when a value of data is below minimum limit of a window of average values and it's counter type or:

window_min - (window_min - min) * min_severity_factor

where a value of data is below minimum limit of a window of average values and it's gauge type, and according to a formula:

window_max + (window_max - window_min) * max_severity_factor

where a value of data is above maximum limit of a window of average values. Parameter min_severity_factor is an argument of --snmpdf-min-severity-factor option of damsnmpdaud and max_severity_factor is an argument of --snmpdf-max-severity-factor option. In two first cases the item won't be sent when its value is greater or equal calculated quantity. In the last case the item won't be sent, when its value is lower or equal calculated quantity.

When the item isn't dropped by the sending procedure, its severity is calculated and the item is sent to output of damsnmpdaud. A typical receiver of such messages is Associations Database.

The procedure that estimates severity of items takes only an identifier of message into consideration (i.e. damsnmpdi receives that identifier as an argument of -I). That identifier is unique in all Operation Manager. An initial severity of item is set to zero. Next for each item from the configuration file is checked whether string after string= keyword is included in an identifier of a processed item. If yes, a maximum value, assigned to string item, is taken into consideration. That value is added to current calculated severity of the item. At last the calculated severity of item is divided by number of objects of group type which are defined in the configuration file. When the item is neither timeout nor error type, it will be calculated about how many percent a limit of a window of average values will be exceeded in the ratio to extreme values. An extreme lower value is minimum of two numbers: the smallest value that has occurred for that item or zero.

For a value below the window, the severity is calculated as follows:

factor * (1.0 - (x - min) / (window_min - min))

or

factor * (1.0 - (x - min) / (max - min))

where x is a processed value, window_min is a minimum limit of the window of average values and min is a minimum while max is maximum limit of a value. The parameter factor is an argument of --snmpdf-severity-growing-factor-4min option. The value is counted according to a second formula when a length between window_max and window_min is less then 1% of a length between max and min.

For a value above the window, the severity is calculated as follows:

factor * (1.0 - (max - x) / (max - window_max))

or

factor * (1.0 - (x - min) / (max - min))

where x is a processed value, window_max is a maximum limit of the window of average values and max is a maximum while min is a minimum limit of a value. Parameter factor is an argument of --snmpdf-severity-growing-factor-4max option. The value is counted according to a second formula similar as the value below the window. The severity is limited to one. At the end the severity gets a negative sign.

The servised procedure of the Database is run every some period of time and it deletes data which from some period of time (an argument of --snmpdf-ttl seconds option) wasn't updated (modified). Only this data will be modyfied which has got an attribute allowing to this operation.

 
 
 Prev Up  Next
13.5. File format of minimal levels definitions  13.7. Related articles