Use the BPPM Baselines to Put Your Signature on BPPM Signature Thresholds
Using anything has the basic requirement that you should understand what it is, before you use it. Otherwise the expected results may not be in line with the actual results. In Application Performance Management (APM) we are in the midst of some very big changes. In order to fully utilize these new monitoring components, you must first understand them. One of these new and somewhat complex components is the BPPM Baseline.
In our previous post we talked about “What a BPPM Baseline is”, providing a contrasting example of an “absolute threshold” for comparison. We discussed how using a dynamic BPPM Baseline had the overwhelming advantage of being a “living” threshold. It wasn’t static and it wasn’t based on a WAG. This is a key monitoring advantage, however that last article was simply an introduction into the BPPM Baseline concept.
Today we will be taking a deep dive into this topic. We will be explaining in greater detail all of the available BPPM Baselines and how you could use them for different situations. When you are done you will be able to put this information together with the tools you need to advance your reactionary, static threshold monitoring infrastructure. Then you can transform it into an intelligent, historically involved and aware, learning machine. So let’s get started.
One BPPM Baseline is Great, 5 BPPM Baselines are Amazing
You hopefully understand by this point that you can use BPPM Baselines to monitor your key metrics to spot abnormal behavior. Abnormal behavior is defined as falling outside of normal operation conditions based on historical observations, and can be abnormally high OR low. That is the nature of a BPPM Baseline.
Most people, once they understand the concept, immediately see the requirement to use them ASAP. For obvious reasons. They are sick of bogus alert ranges and false alerts and want more accuracy. It’s always great to inform these baseline converts that having one BPPM Baseline is great, but there’s more than one.
What takes this BPPM Baseline ability to the next level is being able to use different types of baselines to achieve different types of monitoring goals. Think of this. You know you have Production systems and application components. Do all of these IT assets deserve the exact same monitoring attention? Some of those components are so important that any abnormality needs to be flagged immediately. There are times when you will need to watch something like a hawk. There is a specific baseline for that. All the way out to monitoring something because you know you need to, while knowing you can take care of it at a more casual pace. There’s a baseline for that.
In all there are 5 different types of BPPM Baselines. While at first that may seem odd, you will soon see why each one has a different perspective that can assist you in each of your monitoring endeavors.
The 5 BPPM Baseline Types
BMC provides the following 5 types of BPPM Baselines Out of the Box:
- Hourly Baseline
- Daily Baseline
- Weekly Baseline
- Hourly and Daily Baseline
- All Baselines
Of these 5, there are 3 core baselines. Those 3 core ones are the Hourly, Daily and Weekly Baselines. Without further delay, lets talk about each, and how you could use them. First, the Hourly Baseline.
The Hourly Baseline
This baseline is the hawk. Microscopic vision focused like a laser, looking for even the slightest abnormality. This is the most granular and dynamic BPPM Baseline available. The raw monitoring data is the input for this baseline, which is fed into the BPPM Analytics engine to produce this first baseline.
Let’s look at the example below of a BPPM KPI parameter called “% Total Processor Utilization”. The raw monitoring data is displayed with the bold dark purple color, and the Upper and Lower Hourly Baseline ranges are shown with a light black line.
Although it is hard to see, the lower hourly baseline does actually exist beneath the raw data. If we zoom into the graph we can see that the lower baseline floating just below the normal operating ranges.
What makes the Hourly baseline “the hawk”? One reason: the real-time raw monitoring data is the input used to produce this initial Hourly Baseline. Looking at either graph above you see the upper baseline range really fluctuates based on the input received. Also, BPPM weighs the newer data more heavily than the old data. If a spike occurs in the real-time monitoring, the baseline will move quicker, and if that spike is followed by a down trend afterwards it will adjust down quicker. As a result this baseline is very, very fluid. It hugs the raw data more than any other baseline. It is therefore the one to use if you really want to keep a heavy focus on what your monitoring, and be alerted immediately upon any abnormal behavior.
Having said that, this baseline isn’t recommended for normal day to day operations. Looking at a single spike on the chart, at “Mon 08/11”, you can see an increase in activity resulted in an upper deviation through the upper baseline range. If there had been a Signature Threshold put in place using the Hourly Baseline as its thresholds, this particular time would have produced an abnormality alert/event.
The key point to remember about using the Hourly Baseline is this: only use the Hourly baseline for items which need to be watched very carefully or tightly. Because the raw data is used with this baseline, and because its recent historical data is more heavily weighted, it is the most fluid of the BPPM Baselines. If you want to keep a close eye on a problem situation and take immediate action upon any slight deviation to normal behavior this is your baseline. Just remember that if you use this over a long period of time, it will generate more events than any other baseline.
The Daily Baseline
The BPPM Daily Baseline is next in line. Unlike the hourly baseline, the Daily Baseline is constructed by using the Hourly Baseline data points. This baseline, like all others, is still a living, dynamic threshold. It is based on historical input, just like the others. The difference is it doesn’t move as much as the hourly. The same will be seen with all other thresholds we talk about going forward. So let’s look at the same parameter as above.
You can see by looking at the same parameter and time range as before, displaying the Hourly Baseline instead, the upper range baseline movement is much more subdued. It moves but not like the hourly baseline. Looking at the same “Mon 08/11” spike as we did before, you can see there was no deviation outside of the Daily Upper threshold range. That spike up is perceived by BPPM as totally within normal Daily ranges, based on past monitoring activity. It would not have alerted like the Hourly would have. Because the Daily Baseline is built with the averaged Hourly data inputs, its “normal” behavior range is smoother.
The Daily Baseline is useful for most of your monitoring. It is tight, but not too tight. It’s dynamic but not overly sensitive. You can see it still has an adjustable, living range that will move along with activity, and this dynamic movement is exactly what you want to utilize. You want this dynamic range analysis.
If the Daily Baseline is still too dynamic, and you want something a little smoother, you can use the next one in the list, but keep in mind, there are still 4 more baselines to go!
The Weekly Baseline
Of the three core baselines, this is the most inactive. The data inputs used for this range are the Daily Baseline data points. At this point the averaging process is creating a much more stable baseline range.
You can see by looking at the spike on “Mon 08/11” that the upper baseline range moves in adjustment to it to the spike. This demonstrates again, that this baseline is still active and living and still based on this specific parameters historical data. I can’t say that enough. Each baseline is constructed around only that parameters history. No More need for a WAG! Enough said.
Using BPPM Combination Baselines
At this point we have covered the core baselines with the BPPM software suite. As if those three couldn’t do enough, BMC has kindly provided combination Baselines that may fit some needs as well.
Now that you hopefully understand the main advantages associated with the BPPM Baselines, these next few will be quickly covered along with examples, and the tie in with Signature Thresholds.
Here are the combination baselines which are available for use in your Signature Thresholds:
Hourly and Daily — A combination of the Hourly baseline and the Daily baseline.
All Baselines — A unique combination of the Hourly, Daily, and Weekly baselines.
Lets take a quick look at both of these types and compare them to the core BPPM Baselines they are built from.
The “Hourly and Daily” combination Baseline
The “Hourly and Daily Baseline” is exactly what you expect. A combination of the two baseline types. Here is the “Hourly and Daily” Baseline example again with the same parameter and time range.
You will notice by comparing this baseline example with the individual Hourly and the Daily baselines, you are provided with a hybrid of both. It is less dynamic than the Hourly baseline, and yet more dynamic than the Daily.
To save you time having to scroll up and look, here are the Hourly and Daily Baseline charts.
Why would you need this you may ask? Why would you buy one set of gloves over another? Because one set of gloves fits better. That’s the same with each of these baseline types. When trying to decide which baseline to assign to your signature thresholds, you must look through each of these baselines for the parameters you want, and see if the abnormalities or baseline deviations are in line with issues you observed.
Let me say that differently. Looking back at the collected information, you can see where the deviations are, or a lack of deviations. In this example, and time frame, there are no deviations. If there were no known or observed issues during this timeframe, then I could argue this “Hourly and Daily Baseline” fits and could be useful for finding abnormal behavior. You must look back and then look forward with these. Having known issues will allow you to determine which baseline best fits your Signature Threshold needs.
The “All Baselines” Baseline
The “All Baselines” is a very unique baseline. To say it’s the average of all baselines would not be correct. The All Baselines is calculated based on the following formulas:
High “All Baseline” will choose the MAXIMUM value between the hourly, daily and weekly baselines hour by hour.
Low “All Baseline” will choose the MIMIMUM value between the hourly, daily and weekly baselines hour by hour.
Make sense? The “All Baselines” will pull the Max and Min core baseline values. It will use the farthest range values found for it’s living range setting. Again this baseline is still dynamic and based on previously collected data, so it will vary and adjust over time, it simply uses the extreme values from the core baselines.
Here is the “All Baselines” example.
This threshold is useful for production parameters that are somewhat important, but not so mission critical that you feel a need to set a tight alert threshold. You know it’s important and needs to be monitored and events generated, but you aren’t sure which baseline to use. This selection would be insurance for such a need. It would take a maximum abnormality to occur in either the upper or lower range before an event is generated, but it would still be a functional abnormality nonetheless. You would then use that to determine if the event proactive enough.
Looking Forward to using Historical Baselines
A few years ago, all we had to use were simple absolute thresholds based on some individual’s best guess or assumption as to what he or she felt the alert range should be. Those days are gone!
The BPPM application now offers the intelligent ability use a wide range of living thresholds as demonstrated here. The only thing left for you to do, is determine which one best fits each of unique monitoring needs. Some of your monitoring will require the use of hourly baselines which are very tight, and some of your monitoring may fall on the opposite end of the spectrum by using the “All Baselines” settings. I’ve said it multiple times, but I like to repeat valuable information. Every one of these baselines is alive. It’s not static. They are based on the relative historical information of that specific parameter. That is what sets them apart from previous static alert thresholds.
Stay tuned for Part 3, the final installment in our dedication to helping you fully understand the BMC BPPM Analytics and BPPM Baseline advances. In it we will use the BPPM Baselines and link them to a Signature Threshold, Intelligent Threshold, as well as cover the “Advanced” settings to really put the finishing touches on this topic.
Start using BPPM Analytics and BPPM Baselines, to do yourself and your IT organization a favor. If you have any questions about this information or would like to discuss your options for Application Performance Management (APM), use the link below, and we’ll have someone reach out to get you the answers you need.
As always, have a GREAT day!