Question 2: Fixing False Positives

These are great steers on why we always discuss with our clients the need to:

1. Baseline - set a period of data collection, so you can see what your norms are. For the CPU example above, is it standard behaviour for a server to run at 83%, which under normal alert settings (see next point) would generate an alert. If so learn and adapt your thresholds
2. The out of the box alerts are GENERIC, they are not purpose designed for you as an individual customer. Review the alerts provided and then make them work for you and your needs
3. Don't forget thresholds can work in both directions. I had a customer only last week that were complaining about alerts being generated on Linux Cache volumes. "I get an alert it is 100% as soon as I add a new Linux server". Well yes, as the default alert says it should do so. Do you need to monitor your cache volumes? Change the thresholds from Critical being '> 90' to '< 98'
4. Identify what you are actually going to read and DO SOMETHING ABOUT. If you look at an alert and say 'that is good to know', it is a report and not an alert. Go configure reports to provide you this information and you will also find you get much more benefit with all the supporting data and information you can inject in to it

Nice Post Leon

Mark

Yes to all of this.

And to the managers reading, the point here is two-fold:

1) "salt to taste" is for more than cooking. Adjustments and customizations are necessary to make monitoring fit your organization. That means everything from thresholds to scan schedules to alert flow. Everything needs to be considered and calibrated to the goals and needs of your business. Your team (the technical folks) can do the work, but they can't do it right if you, the business leader, don't provide a clear idea of what those business goals area.

2) Ask "Then what" until you get to meteors. What I mean is to keep asking your team questions like: "after the system does that, what happens next?" Keep pushing out the boundaries of what monitoring is able to both accomodate and resolve. Eventually you'll get to a point where the team says "well, at that point we're covered against anything except a meteor hitting the facility" (or something like that type of response) and you can stop.

When I work with newer monitoring teams, I mention how monitoring can often fall into the trap of the story of 'The Boy who cried Wolf'. When you get false positives and these create emails in your platform, not only are they in themselves useless, but the bring down the psychological importance of the rest of the monitoring emails. After the 10th time you open an email and you find it not actionable, you will unconsciously assume that the email that just came in is just more of the same.

The same can also be said about 'Reset Actions': If you are getting an email simply to tell you that something is working again, you actually assign a mindset of 'I don't need to do anything with that email'. After a while, this same mindset blurs into the other emails and before long you missed the email about an important service going down and everything becomes chaos.  

Appreciate the posts so far adatole!

adatole said:

My last common reason for false alerts (for this post, at least) is when you’re considering the wrong thing in the first place. Let’s take the CPU alert from the previous example. Why would you alert on high CPU ever? There are reasons, to be sure, but if you don’t even know why (and more specifically, what you and your team will DO about it when it’s over threshold) it’s likely because you’re not collecting the right information. To continue with the example, high CPU is often a symptom of a problem, but not the root cause. Like a person with a fever, the symptom tells you *something* is happening, but you need to collect more data to understand what it is.

I think here you actually combine two different separately actionable insights together.

First, you have symptom based alerting.  Symptom based alerting in itself isn't bad - we all have the experience of going to the doctor because "it hurts here" and making that the jumping-off point to which you actually get a diagnosis.  Patients can't always turn up and say "I have a T6 spinal cord injury, please fix me."  If your system can give better insight as to its own diagnosis, of course it should, but if all you know is "this machine is no longer responding and that's bad" then we can't let the perfect be the enemy of the good, we just have to pay the penalty by spending more operations time drilling into root-causing instead.  (That additional time may mean you have to fire alerts sooner as well, factoring in the length of time root-causing takes).  Different teams have different philosophies about whether they're OK with symptom-based alerting, especially as a catchall in case nobody has considered the specific failure mode of a component that would allow a more specific alert to exist.

(In fact, as an aside, some businesses try to push for alerting to be tied to an SLO or SLA claiming it's the most aligned alerting towards business requirements.  In these cases, they are almost enforcing the use of a symptom based alert - "we are breaching SLA but we don't know exactly why")

The second is "vanity metrics" which are almost always a bad smell.  Just because a platform allows you to monitor a given value, doesn't mean you should.  The fact that the system knows what the CPU is, knows what the network throughput is, knows all the running processes... it's extremely tempting to make all kinds of meaningless assertions because either (1) surely more alerts is better at catching problems, or (2) we don't currently have a metric for the real thing we want to monitor, but maybe if we fudge these four together (machine is up and process is running and CPU is greater than 0 and disk activity is greater than 0) then we can use that as a proxy for what we really care about (the system is processing data as intended).  Of course, the answer here is 'no, actually make the thing you want to monitor, don't rely on the fragility of your approximation remaining true'.