Documentation forNetFlow Traffic Analyzer
Analyzing network traffic and bandwidth is a key capability of Hybrid Cloud Observability Advanced and is also available in a standalone module, NetFlow Traffic Analyzer (NTA). Hybrid Cloud Observability Advanced and NTA are built on the self-hosted SolarWinds Platform.

Configure Flow alerts

Unlike Top Talker or CBQoS alerts, Flow alerts are configured in the Create a Flow alert panel. The panel creates a standard SolarWinds Platform alert based on Custom SWQL query. If you want to change settings such as the Trigger Action, you must do so in the Advanced Alert Editor. The default values in the Create a Flow Alert panel are based on the standard Advanced Alert Editor functionality.

Configure the alert Application Threshold

The Application Threshold alert notifies you that a NetFlow-reporting node reports traffic for an application or NBAR2 application over or under a certain threshold.

  • The alert can be created across multiple applications and NBAR2 applications.
  • It is possible to combine applications and NBAR2 applications. The alert will be triggered when you reach the combined threshold of all selected applications.
  • The threshold is compared to the average bits per second value over X minutes of flow data being checked.
  1. In the SolarWinds Platform Web Console, navigate to a NetFlow Node Details or Interface Details view.
  2. Open the Flow Navigator panel, click Applications or NBAR2 Applications, and set Include filters for the desired application or NBAR2 application:
    1. In the drop-down menu, click Include.

      Only Include filters are valid for this type of alert.

    2. Select the application from the Select application drop-down menu.

      The selected application filter must be set for an application that is stored through NTA Applications as an application. Filtering by port is not supported for this type of alert.

    3. Click Add filter.
  3. Click the Create a Flow Alert panel located under the Flow Navigator.
  4. Verify that the filter you've set in the Flow Navigator is visible in the Create a Flow Alert panel.
  5. Fill in the name of the alert in the Name field.
  6. Select the severity from the Severity drop-down.
  7. Under the Trigger Condition section, fill in the following fields:
    1. In the first drop-down menu, select Trigger when application traffic exceeds a certain threshold.
    2. Select either ingress or egress traffic.
    3. Select the proper inequality symbol.
    4. Insert a numeric value representing the threshold.
    5. Select the units of bps.
  8. Set the flow alert time interval.

    This is the number of minutes which are supposed to be queried into the past.

  9. If you want to set other options, such as the Trigger Actions, select Open this alert in Alert wizard before saving.

    By default, flow alerts have no trigger action, only an alert message displayed in the widgets. The alert message can be copied and pasted into a Send an Email trigger action.

  10. Click Create alert.

Alert example

The below scenario assumes you are configuring an alert to notify you if ingress traffic for application Port 0 on node NEWY-2811-WAN exceeds the value of 1 Kbps in 10 minutes.

  1. In the SolarWinds Platform Web Console, navigate to the NetFlow Node Details view for node NEWY-2811-WAN.
  2. Open the Flow Navigator.
  3. Click Applications > select Port 0 in the Select application drop-down.

  4. Click Add filter.
  5. Open the Create a Flow Alert panel.

    Note that node NEWY-2811-WAN is already selected.

  6. Fill in the name of the alert in the Name field.
  7. Select the severity from the Severity drop-down.
  8. Under Trigger Condition, select Application traffic exceeds threshold from the drop-down.
  9. Select Ingress Traffic from the drop-down.
  10. Select the ">" inequality symbol from the drop-down.
  11. In the following field, insert "1".
  12. Select Kbps from the units drop-down.
  13. Set the flow alert time interval to 10.

  14. Verify that you have Port 0 in the filters list.

  15. Click Create alert.

Configure the alert Application present in Top Applications / Application not present in Top Applications

This alert notifies you that an application or NBAR2 application is or is not present in Top Applications or NBAR2 Applications lists. After you create an alert for a specific application or NBAR2 application for a node or interface, the alert is triggered when the application or NBAR2 application is missing in the Top Applications or NBAR2 applications widgets.

  • The alert can be created either for an application or for an NBAR2 application.
  • It is not possible to combine applications and NBAR2 applications.
  • Applications and NBAR2 applications in Top Applications are sorted by bytes.
  1. In the SolarWinds Platform Web Console, navigate to a NetFlow Node Details or Interface Details view.
  2. In the Flow Navigator, click Applications and select the desired application from the Select application drop-down menu.

    The selected application filter must be set for an application that is stored through NTA Applications as an application. Filtering by port is not supported for this type of alert.

    Only Include filters are valid for this type of alert. The options is selected by default.

  3. Click Add filter.
  4. Open the Create a Flow Alert panel.
  5. Fill in the name of the alert in the Name field.
  6. Select the severity from the Severity drop-down.
  7. Under Trigger Condition, select one of the following options, depending on what you want to be alerted on:
    • Application present in Top Applications.
    • Application not present in Top Applications.
  8. Select if you want to monitor ingress or egress traffic.
  9. Enter the number of applications you want to be alerted on.
  10. Set the flow alert time interval.

    This is the number of minutes which are supposed to be queried into the past.

  11. If you want to set other options, such as the Trigger Actions, select Open this alert in Alert wizard before saving.

    By default, flow alerts have no trigger action, only an alert message displayed in the widgets. The alert message can be copied and pasted into a Send an Email trigger action.

  12. Click Create alert.

Alert example

The below scenario assumes you are configuring an alert to notify you that the application World Wide Web HTTP 80 on interface Gig0/0.204 of node NEWY-2811-WAN is present in Top Applications.

  1. In the SolarWinds Platform Web Console, navigate to the NetFlow Interface Details view for Interface Gig0/0.204 of node NEWY-2811-WAN.
  2. Open the Flow Navigator.

  3. Click Applications > select World Wide Web HTTP 80 in the Select application drop-down.

  4. Click Add filter.
  5. Open the Create a Flow Alert panel.

    Note that node NEWY-2811-WAN and Interface Gig0/0.204 (if-4) are already selected.

  6. Fill in the name of the alert in the Name field.
  7. Select the severity from the Severity drop-down.
  8. Under Trigger Condition, select Application present in Top Applications from the drop-down.
  9. Select Ingress Traffic from the next drop-down.
  10. Insert the number 5 into the field Number of top Applications.
  11. You can leave the time interval as it is.
  12. Verify that you have World Wide Web HTTP 80 in the filters list.

  13. Click Create alert.

Configure the alert NetFlow source not receiving any data

This alert notifies you that a device (node or interface) is not sending data over a defined time period. The alert is created on a monitored node or interface. In case the alert is triggered on a node, none of the monitored interfaces is sending flow data. This means that if the node includes an interface that does send NetFlow data, the alert is not triggered.

  • In case the node or interface is Unmanaged during the monitored period, the alert is not triggered.
  • In case the NetFlow Service was down during the monitored period, the alert is not triggered.
  1. In the SolarWinds Platform Web Console, navigate to a NetFlow Node Details or Interface Details page.
  2. Open the Create a Flow alert panel.
  3. Fill in the name of the alert in the Name field.
  4. Select the severity from the Severity drop-down.
  5. Select Flow no longer being received from the Trigger Condition drop-down.
  6. Set the flow alert time interval.

    This is the number of minutes which are supposed to be queried into the past.

  7. If you want to set other options, such as the Trigger Actions, select Open this alert in Alert wizard before saving.

    By default, flow alerts have no trigger action, only an alert message displayed in the widgets. The alert message can be copied and pasted into a Send an Email trigger action.

  8. Click Create alert.

Alert Example

The below scenario assumes you are configuring an alert to notify you that the node NEWY-2811-WAN is not sending flow data to SolarWinds NTA.

  1. In the SolarWinds Platform Web Console, navigate to the NetFlow Node Details view for node NEWY-2811-WAN.
  2. Open the Create a Flow Alert panel
  3. Fill in the name of the alert in the Name field.
  4. Select the severity from the Severity drop-down.
  5. Under Trigger Condition, select Flow no longer being received from the drop-down.
  6. You can leave the time interval as it is.

  7. Click Create alert.