I have a question about the alert percentage threshold. What does the percentage represent? Is it just a percentage of the bandwidth for the selected interfaces, or is it an aggregate percentage of all of the interfaces that are configured on the system? Here is a sample alert e-mail:
Alert From NetFlow Analyzer ***************************************************************************************
Alert From NetFlow Analyzer : TotalUtilization wm-inet-a.randomhouse.com(L3 -XXXX-XXXX-XXXX) is 7%
AlertProfile Name: Traffic over 5% on WM-INET-A
AlertProfile Desc:
Severity : WARNING
Device name : wm-inet-a.customer.com
Interface Name : L3 xxxx-xxxx-xxxx
Time : 2007-04-10 09:26:00.0
Criteria : Threshold : Exceeds 5% 1 times in 2minutes.
As you can see, the alert is reporting a utilization of 7% which exceeds the threshold of 5% and thus an alert is generated. However, the selected interface for this alert is consistently running much higher than that. I have attached a last day graph for this interface.