Documentation forNetFlow Traffic Analyzer
Analyzing network traffic and bandwidth is a key capability of Hybrid Cloud Observability Advanced and is also available in a standalone module, NetFlow Traffic Analyzer (NTA). Hybrid Cloud Observability Advanced and NTA are built on the self-hosted SolarWinds Platform.

NetFlow-specific predefined alerts

Alerts must be enabled to trigger when the defined condition occurs. Not all out-of-the box alerts are enabled by default.

You need Alert Management Rights to enable, create, edit, delete alerts, or to view a list of available alerts.

Where can I find what NTA-specific alerts are enabled?

  1. Click Alerts & Activity > Alerts, and click Manage Alerts in the upper right.
  2. In the Alert Manager, filter the alerts to display NTA-only items. Type netflow or CBQoS into the search box
  3. Make sure the alerts are on.

Flow alerts

You can create alerts on recently processed flows to quickly identify and solve quality issues. The Create a Flow Alert panel creates a standard SolarWinds Platform alert based on Custom SWQL query. If you want to change settings such as the Trigger Action, you must either do so in the Advanced Alert Editor, or delete the existing alert and create a new one using the Create a Flow Alert panel. The default values in the Create a Flow Alert panel are based on the standard Advanced Alert Editor functionality. See Configure Flow alerts for more information.

Application Threshold

This alert notifies you that a NetFlow-reporting node reports traffic for an application or NBAR2 application over or under a certain threshold. After you create an alert for the NBAR2 application and the threshold for a particular node, the alert is triggered when the traffic exceeds the threshold.

The alert can be created across multiple applications and NBAR2 applications. It is also possible to combine the applications and NBAR2 applications. This means that the alert will be triggered when the combined threshold of all selected applications is reached.

Application present in Top Applications / Application not present in Top Applications

This alert notifies you that an application or NBAR2 application is or is not present in Top XX Applications or NBAR2 Applications lists. After you create an alert for a specific application of NBAR2 application for a node or interface, the alert is triggered when the application or NBAR2 application is missing in the Top XX Applications or NBAR2 applications widgets.

Flow no longer being received

This alert notifies you that a device (node or interface) is not sending data over a defined time period.

Top talker alerts

High Receive Percent Utilization with Top Talkers

This alert indicates that the traffic received by the relevant interface exceeded the defined bandwidth usage threshold.

High Transmit Percent Utilization with Top Talkers

This alert indicates that the traffic transmitted by the relevant interface exceeded the defined bandwidth usage threshold.

By default, when triggered, top talker alerts do two things:

  • When the percent utilization of an interface rises above the specified value, the alert writes the bandwidth utilization event to the SolarWinds event log. When the utilization drops back below a specified value, the alert writes another event to the log.
  • Initiate a web capture of the most current top talker information and email the information to the configured recipient.

CBQoS alerts

The CBQoS alerts can help you confirm that the CBQoS policies applied to traffic flowing through your devices are producing the intended results. For example, the default Drops alert can notify you when packets dropped as a result of a policy exceed the 1GB threshold. Specify a policy and set up alert thresholds to get an early warning about traffic processing issues and intervene to better shape network traffic.

CBQoS out-of-the-box alerts are not enabled by default because you need to specify the policy and class path to complete the trigger definition.

Pre-Policy

CBQoS Pre-Policy writes to the SolarWinds event log when the amount of Pre-Policy traffic (in bytes) meets the conditions of your alert threshold setting.

Example of alert logged: CBQoS Pre-Policy traffic in class 'class-default (MCQTest)' with policy ‘policy-default (MPQTest)’ on interface 'FastEthernet0/0  link to core' met the conditions of your alert threshold setting. Total Pre-Policy traffic in the past 15 minutes: 99999 Bytes.

By default, this alert writes to the Event Log. This alert also can be configured to send the information in an email to the configured recipient.

Post-Policy

CBQoS Post-Policy writes to the SolarWinds event log when the amount of Post-Policy traffic (in bytes) meets the conditions of your alert threshold setting.

Example of alert logged: CBQoS Post-Policy traffic in class 'class-default (MCQTest)' with policy ‘policy-default (MPQTest)’ on interface 'FastEthernet0/0 · link to core' met the conditions of your alert threshold setting. Total Post-Policy traffic in the past 15 minutes: 99999 Bytes.

By default, this alert writes to the Event Log. This alert also can be configured to send the information in an email to the configured recipient.

Drops

CBQoS Drops writes to the SolarWinds event log when applying CBQoS policies to traffic on an interface.

Example of alert logged: CBQoS Drops met your alert threshold setting as a result of applying class map 'class-default (MCQTest)' and policy map ‘policy-default (MPQTest)’ on interface 'FastEthernet0/0 · link to core' . Total data dropped in last 15 minutes is: 00333 Bytes.

By default, this alert writes to the Event Log. This alert also can be configured to send the information in an email to the configured recipient.