This entry is an update to the June 20 2007 article on Configuring Baselines.
After configuring the inner and outer sensitivities (Steps 4 and 5 in that article), several of the rules were still generating large volumes of alerts. Those rules include:
- IS Virtual Bytes is outside the calculated baseline
- Number of RPC requests is outside the calculated baseline
The alerts were identified as "Above Inner Envelope." To minimize their frequency, we previously changed both the rule and the monitor’s sensitivity from 2.81 to 3.31 on the overrides.
From reading up on this sensitivity concept, it appears that increases to this value decreases the frequency of the alerts, as it decreases the sensitivity to the difference from the calculated baseline.
In theory, if the 3.31 override was not sufficient, then one should next try 3.81; this is because the increase from 2.81 to 3.31 is an increase of .5; therefore another .5 increase seems logical if another value change is required. This is an extrapolation based on what we have seen so far, as we do not know the internal workings of the algorithm!
… Feedback received indicates the change to 3.81 was even better.