alert: Don't log anomalies if the percentile bins haven't been expanded enough yet to give us good resolution. Current bucket count is NN Host NNNNN sensor XXXXX

Document ID : KB000016105
Last Modified Date : 14/02/2018
Introduction:

This is a new installation of anomaly detector and I'm getting these alarms in the ADLog2017-99-99.log

alert: Don't log anomalies if the percentile bins haven't been expanded enough yet to give us good resolution. Current bucket count is NN Host NNNNN sensor XXXXXX

I have these alarms for this list of sensors:

DNSLarge
fanOut
fanOut
flows
Frags
Frags
FragsAndLoss
ICMPfloods
ICMPLarge
ICMPTTL
NonLocalTraffic
NonLocalTraffic
OutsideTraffic
RST_Only
SYN_RST_Only
SYNOnly
topNullRoutes
volIn
volIn
volOut
volOut

~400 alarms like this.

Question:

What does this alert message in the ADLog2017-99-99.log mean?

alert: Don't log anomalies if the percentile bins haven't been expanded enough yet to give us good resolution. Current bucket count is NN Host NNNNN sensor XXXXX

Environment:
Windows
Answer:

The alert that you are seeing in the ADLog2017-99-99.log is not an error but an informational message indicating that the default percentile bucket count had not been reached for that host and sensor within a specific period of time.

AD uses a percentiling algorithm to convert raw metrics into a 0 to 100 percentile. Until it has collected enough data for a particular host and sensor, it does not report anomalies, because it does not yet have enough of a profile to judge what is abnormal. Basically, AD does not want to react to spikes in some of the metrics while the observation count is still too low.

By default the Max Bucket count is 20, and the current bucket count must exceed it before anomalies are logged. In other words, the percentile resolution has to exceed the bucket count before an anomaly is logged for that host and sensor.
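To make the warm-up behaviour concrete, here is a small constructed model of the gate the answer describes. It is added here as an example and is not CA Anomaly Detector's own code: the MAX_BUCKET_COUNT default of 20 and the shape of the suppression message come from the article, while the bin model (one bin per distinct value seen for a host/sensor pair), the 95th-percentile anomaly threshold and the sample hosts and values are assumptions made for the illustration.

```python
"""Constructed illustration of a percentile-binning warm-up gate.

Raw metric samples per (host, sensor) are mapped onto a 0-100 percentile
scale, and no anomaly is reported until the bucket count exceeds the
configured maximum, mirroring the informational alert discussed above.
"""
import bisect
from collections import defaultdict

# Default from the article: the bucket count must exceed this before
# anomalies are logged.
MAX_BUCKET_COUNT = 20
# Assumed for this example: a sample at or above this percentile is anomalous.
ANOMALY_PERCENTILE = 95.0


class PercentileProfile:
    """Sorted distinct values seen for one host/sensor pair.

    Each distinct value becomes a bin boundary, so the bin set expands as the
    sensor reports new values; len(bins) is the 'bucket count' in the log line.
    (Assumed bin model, not the product's.)
    """

    def __init__(self):
        self.bins = []  # sorted distinct sample values

    def observe(self, value):
        """Record a sample and return its percentile against the bins seen before it."""
        idx = bisect.bisect_left(self.bins, value)
        # Percentile rank: share of existing bins strictly below this value.
        percentile = 100.0 * idx / len(self.bins) if self.bins else 0.0
        # Expand the bins only when this is a new distinct value.
        if idx == len(self.bins) or self.bins[idx] != value:
            self.bins.insert(idx, value)
        return percentile

    @property
    def bucket_count(self):
        return len(self.bins)


class AnomalyDetector:
    """Applies the warm-up gate per (host, sensor) and returns a log line or None."""

    def __init__(self, max_bucket_count=MAX_BUCKET_COUNT):
        self.max_bucket_count = max_bucket_count
        self.profiles = defaultdict(PercentileProfile)

    def process(self, host, sensor, value):
        profile = self.profiles[(host, sensor)]
        percentile = profile.observe(value)
        if profile.bucket_count <= self.max_bucket_count:
            # Still warming up: resolution is too coarse, so suppress anomalies
            # and emit the informational message instead.
            return ("alert: Don't log anomalies if the percentile bins haven't been "
                    "expanded enough yet to give us good resolution. "
                    f"Current bucket count is {profile.bucket_count} "
                    f"Host {host} sensor {sensor}")
        if percentile >= ANOMALY_PERCENTILE:
            return (f"anomaly: Host {host} sensor {sensor} value {value} "
                    f"at percentile {percentile:.1f}")
        return None


def run_demo():
    """Feed constructed samples through the gate and return the emitted log lines."""
    det = AnomalyDetector()
    lines = []
    # 20 distinct values: every one is still inside the warm-up window.
    for v in range(1, 21):
        lines.append(det.process("10.0.0.1", "volIn", float(v)))
    # 21st distinct value: bucket count now exceeds 20, and the value is a spike.
    lines.append(det.process("10.0.0.1", "volIn", 1000.0))
    # A repeat of an already-seen value is neither a new bin nor an anomaly.
    lines.append(det.process("10.0.0.1", "volIn", 5.0))
    # A different host starts its own profile and its own warm-up.
    lines.append(det.process("10.0.0.2", "volIn", 1000.0))
    return lines


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the demo shows why a fresh installation produces hundreds of these alerts: every host/sensor pair emits one per sample until its own bucket count passes 20, after which the message stops and only genuine anomalies are logged.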

Additional Information:

Case #00818893