SYS-CON MEDIA Authors: Elizabeth White, Liz McMillan, William Schmarzo, Yeshim Deniz, Jason Bloomberg

Blog Feed Post

Focus on Detection:Prometheus, and the case for time series analysis

Detection, in the Incident Lifecycle, is the observation of a metric, at certain intervals, and the comparison of that observation against an expected value. Monitoring systems then trigger notifications and alerts based on the observation of those metrics.

For many teams, on-call is primarily about detection. Monitor everything and make sure we don’t miss out! In organizations with legacy monitoring configurations, getting better at Detection is tough. Environments are configured with broadly applied, arbitrarily set thresholds. Sometimes this is due to limitations in the monitoring solution, or the complexity of implementing different thresholds for different measurements. Sometimes it’s a simple reflection that Detection was not an area of focus before. Whatever the reason, the impact on on-call teams is measurable: too many false alerts, too many interruptions, and acute alert fatigue.

Teams that measure high on the Incident Management Assessment are focusing on time series analysis in their monitoring and detection systems. Prometheus, as one popular example of a solution using a time series database, is seeing wide adoption in both new projects and within existing environments.

Getting your head around time series can seem daunting. For individuals with years between themselves and their last statistics class, understanding the myriad of options is a barrier. While advanced functionality in these systems requires some thinking, there are plenty of easy use cases to explore in making the case for this type of Detection.

Cleaning up the disk: a stable of system administration for 60 years

I have no data to support this assertion, but I suspect if I bucketed all the alerts I’ve received in my career by type, disk utilization would be the winner in a landslide. It’s the easiest system metric to understand, but can have wide reaching consequences if in an unhappy state. It’s hard to imagine an environment where volume utilization is not monitored by default on every host. While “disk full” seems like a simple discussion, unboxing it reveals the complexity that every team faces when considering detection methods.

If we can all agree that full disks are bad, we can still have a lively debate on which precursors to FULL we may want to detect and alert on. At what threshold should a team member become involved? The number of TB free? GB? MB? A percentage of total disk? What if this host is part of a fleet of servers, and losing it is not significant?

A standard approach here is to send a WARNING level alert at 85% used (15% free) and a CRITICAL at 90% used. The thinking being that with only 10% of the volume free, someone should do something! Why? If it took us 3 years to eat up that 90%, is there any reason to believe we’ll chew through the remaining terabyte in the next 10 minutes?

The reference system

Let’s map this discussion to a basic system we can all imagine: 4 core, 4GB RAM, and two volumes, 2GB and 10GB (operating system and application, respectively). For this example it doesn’t really matter if this is a container, a physical host, or a cloud instance. I’m using Prometheus and the Node Exporter to gather and expose metrics, with Grafana on top for the visualizations.

The trickle

One would expect volume utilization on the OS volume to be relatively steady state. Other than logs, little change is introduced here. Depending on the application, the 10GB volume may also be pretty flat, or it may get a lot of use. Here we’ll consider a steady, if small, increase of utilization on that volume. As you can see below, the volume is just creeping its way up to full.

https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-19-... 300w, https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-19-... 768w, https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-19-... 510w" sizes="(max-width: 994px) 100vw, 994px" />

The standard approach would send a WARNING out right here–we’ve hit that generic 85% utilization threshold. What should someone actually do about it though?

Predictive analytics

Using time series data, we can start to apply something approximating prediction to our detection efforts. Using the same data above, we can compute the time to disk full, given the current rate of change with the deriv function in Prometheus:

(node_filesystem_size – node_filesystem_free) / deriv(node_filesystem_free[3d]) > 0

https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-19-... 300w, https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-19-... 768w, https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-19-... 510w" sizes="(max-width: 970px) 100vw, 970px" />

At the current rate of consumption we have 24 weeks to action this condition. Probably OK to not fire an alert just yet. This isn’t even informational; no real change is detected in the state of the system.

The flood

Let’s consider a different scenario– – the same volume, but with far more available space. Starting with about 25% utilization, we see this volume has a relatively steady rate of consumption

https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-21-... 300w, https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-21-... 510w" sizes="(max-width: 595px) 100vw, 595px" />

Until, something changes:

https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-21-... 300w, https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-21-... 510w" sizes="(max-width: 587px) 100vw, 587px" />

Given the historical data, it is very unexpected for this volume to see that kind of spike in utilization. If we focus on rate of change over time, we see the full story:

https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-21-... 300w, https://victorops.com/wp-content/uploads/2017/06/Screen-Shot-2017-06-21-... 510w" sizes="(max-width: 601px) 100vw, 601px" />

The standard threshold of 85% utilization will not be triggered… and so a team remains blind to the fact that the rate of change just exceeded historical expectations.

Is that actionable? Perhaps, perhaps not, but it is certainly more significant than the trickle scenario, which is firing alerts, interrupting teams, with no real situation requiring investigation.

All the data

This is a simple example focusing on a single detectable metric. How does this kind of approach scale to all the actual metrics your team may wish to track? Really, really well as it turns out. The default behavior of Prometheus exporters is to expose everything – and I really mean everything – for gathering by the prometheus collector. Out of the box the Prometheus Node Exporter is tracking ~620 discrete measurements on my test linux instance.

This is where these systems really differentiate themselves from the previous generation of detection systems: they default to gathering all the metrics, and alerting on none of them. This is in stark contrast to the default behavior of, say, Nagios: gather few measurements, store none, and alert on all.

Actionable Intelligence

Prometheus, and other time series database systems, bring a new kind of insight to the Detection phase of the Incident Lifecycle. They empower teams with more observable data than ever before, without hampering a team’s ability to dig in and understand any one of those metrics. With advanced grouping features, teams can understand these metrics as they relate to different classes of system or application. 

Using time series analysis, a team can completely rewrite the way Detection works in their practice. Bringing better fidelity to the measurements, and more reliably actionable alerting when necessary. This can materially change the game for anyone trying to reduce MTTR and get more sleep.

____________

VictorOps integrates with Prometheus. Check out the integration guide to get started..

 

 

The post Focus on Detection:
Prometheus, and the case for time series analysis
appeared first on VictorOps.

Read the original blog entry...

More Stories By VictorOps Blog

VictorOps is making on-call suck less with the only collaborative alert management platform on the market.

With easy on-call scheduling management, a real-time incident timeline that gives you contextual relevance around your alerts and powerful reporting features that make post-mortems more effective, VictorOps helps your IT/DevOps team solve problems faster.

Latest Stories
New competitors, disruptive technologies, and growing expectations are pushing every business to both adopt and deliver new digital services. This ‘Digital Transformation’ demands rapid delivery and continuous iteration of new competitive services via multiple channels, which in turn demands new service delivery techniques – including DevOps. In this power panel at @DevOpsSummit 20th Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, panelists examined how DevOps helps to meet the de...
Fact: storage performance problems have only gotten more complicated, as applications not only have become largely virtualized, but also have moved to cloud-based infrastructures. Storage performance in virtualized environments isn’t just about IOPS anymore. Instead, you need to guarantee performance for individual VMs, helping applications maintain performance as the number of VMs continues to go up in real time. In his session at Cloud Expo, Dhiraj Sehgal, Product and Marketing at Tintri, sha...
According to Forrester Research, every business will become either a digital predator or digital prey by 2020. To avoid demise, organizations must rapidly create new sources of value in their end-to-end customer experiences. True digital predators also must break down information and process silos and extend digital transformation initiatives to empower employees with the digital resources needed to win, serve, and retain customers.
More and more companies are looking to microservices as an architectural pattern for breaking apart applications into more manageable pieces so that agile teams can deliver new features quicker and more effectively. What this pattern has done more than anything to date is spark organizational transformations, setting the foundation for future application development. In practice, however, there are a number of considerations to make that go beyond simply “build, ship, and run,” which changes how...
In his session at 19th Cloud Expo, Claude Remillard, Principal Program Manager in Developer Division at Microsoft, contrasted how his team used config as code and immutable patterns for continuous delivery of microservices and apps to the cloud. He showed how the immutable patterns helps developers do away with most of the complexity of config as code-enabling scenarios such as rollback, zero downtime upgrades with far greater simplicity. He also demoed building immutable pipelines in the cloud ...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, will provide an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life ...
Smart Cities are here to stay, but for their promise to be delivered, the data they produce must not be put in new siloes. In his session at @ThingsExpo, Mathias Herberts, Co-founder and CTO of Cityzen Data, discussed the best practices that will ensure a successful smart city journey.
A look across the tech landscape at the disruptive technologies that are increasing in prominence and speculate as to which will be most impactful for communications – namely, AI and Cloud Computing. In his session at 20th Cloud Expo, Curtis Peterson, VP of Operations at RingCentral, highlighted the current challenges of these transformative technologies and shared strategies for preparing your organization for these changes. This “view from the top” outlined the latest trends and developments i...
When you focus on a journey from up-close, you look at your own technical and cultural history and how you changed it for the benefit of the customer. This was our starting point: too many integration issues, 13 SWP days and very long cycles. It was evident that in this fast-paced industry we could no longer afford this reality. We needed something that would take us beyond reducing the development lifecycles, CI and Agile methodologies. We made a fundamental difference, even changed our culture...
"Space Monkey by Vivent Smart Home is a product that is a distributed cloud-based edge storage network. Vivent Smart Home, our parent company, is a smart home provider that places a lot of hard drives across homes in North America," explained JT Olds, Director of Engineering, and Brandon Crowfeather, Product Manager, at Vivint Smart Home, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
LogRocket helps product teams develop better experiences for users by recording videos of user sessions with logs and network data. It identifies UX problems and reveals the root cause of every bug. LogRocket presents impactful errors on a website, and how to reproduce it. With LogRocket, users can replay problems.
@CloudEXPO and @ExpoDX, two of the most influential technology events in the world, have hosted hundreds of sponsors and exhibitors since our launch 10 years ago. @CloudEXPO and @ExpoDX New York and Silicon Valley provide a full year of face-to-face marketing opportunities for your company. Each sponsorship and exhibit package comes with pre and post-show marketing programs. By sponsoring and exhibiting in New York and Silicon Valley, you reach a full complement of decision makers and buyers in ...
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
Data Theorem is a leading provider of modern application security. Its core mission is to analyze and secure any modern application anytime, anywhere. The Data Theorem Analyzer Engine continuously scans APIs and mobile applications in search of security flaws and data privacy gaps. Data Theorem products help organizations build safer applications that maximize data security and brand protection. The company has detected more than 300 million application eavesdropping incidents and currently secu...
Rafay enables developers to automate the distribution, operations, cross-region scaling and lifecycle management of containerized microservices across public and private clouds, and service provider networks. Rafay's platform is built around foundational elements that together deliver an optimal abstraction layer across disparate infrastructure, making it easy for developers to scale and operate applications across any number of locations or regions. Consumed as a service, Rafay's platform elimi...