March 2018

It’s hard to believe it, but we are already wrapping up the first quarter of 2018. As usual, our development team has been hard at work bringing you, our customers, some new features and functionality. Let’s take a look at the latest…

Bracketing Enhancements

We introduced quite a few Bracketing Enhancements in last month’s product update but the news doesn’t end there. This month, we added support for the following view types:

• Geo HeatMap (for both Regions and Countries, as shown in the screenshots below)

  

  

• Comparison Bar Chart
  

Additionally, we’ve refined the way Bracketing works by adding a couple useful controls based on popular demand:

• The user can now choose if they want the group headings in the table output. This can be very useful to separate the brackets but disabling it saves precious vertical real estate in places like a dashboard panel. To turn this on or off, click anywhere in the Bracketing pane of the Data Explorer sidebar to bring up the Bracketing Options dialog. Enable the Group Results selector if you want the headers or disable the selector to hide the headers
• In the same pane, the astute reader may have noticed a Trim Overall Range button. This option allows the user to filter out value below or above a certain threshold so they do not appear in the brackets:

  

For more detailed information on bracketing, check out our Bracketing Pane Settings Knowledge Base (KB) article.

Single AS-Path Sankey

Sankey Diagrams have historically required a minimum of two dimensions to be selected in the Group-By selector in the Query pane since this visualizations shows a “from” and “to” relationship. We have now relaxed this requirement for Destination BGP AS_PATH given the fact that this dimension has both a “from” and “to” relationship within it.

Generated Charts

It is now possible to generate a series of charts based on the top-N matches for a query dimension. These panels are calculated dynamically at query time, not pre-calculated. For example, this is a set of generated charts showing the top sites for each CDN.

To get started using this feature, enable the Generate One Chart Per Series selector in the Advanced Options of the Query pane in the Data Explorer sidebar. You can choose how many columns you want and what level of visualization is used for these generated charts.

This feature can be used for configuring panels on a Dashboard — where it can be turned into an Interactive Dashboard (more on that below).

Interface & Network Classification

Classification Dependency Notification

Some users may have noticed an explanation mark in the Admin sidebar next to Interface Classification or Network Classification.  

A lot of pre-configured dashboards rely on Interface Classification, Network Classification, and Provider Classification being configured by the user. Due to this, we now alert the user when a dashboard, or Data Explorer query for that matter, requires one of these configurations and it is not matching at least 80%.

As mentioned, a notification will also be present in the Admin screen. For more information on configuring these items, check out our Interface Classification KB article or blog, as well as our articles on Network Classification and Provider Classification.

Interface Classification Based on Interface Name

Speaking of Interface Classification, we have made an improvement here as well. Some of our users have mentioned that they have strict rules in place on how they allocated interfaces on the routers and switches in their network. For example, they might put all the core-facing interfaces on the first linecard and all the edge-facing interfaces on the second linecard. For most major vendors, this gives a consistent naming convention to the interfaces (e.g. xe-0/0 for core and xe-1/0 for edge). Giving our users what they want, we have added support for Interface Classification (more information on IC is available in our KB article) based on the name of the interface, including all types of matches: equals, contains, matches Regex.

Dashboard Enhancements

As mentioned previously, Dashboards are becoming a central focus for Kentik Detect. To make dashboards more intuitive and easy to work with, we have made a few enhancements this month:

New Edit Mode

In the past, EDIT mode looked too much like VIEW mode, so we have now added a few visual clues to make it easier for the user to see at a glance which mode they are currently in.

Updated Add/Edit Panel Dialog

We also created a much cleaner and easier flow for adding new panels or editing existing ones. You no longer have to switch between Data Explorer and the add/edit panel dialog. We now include the query sidebar and the resulting visualization right in the panel dialog window.

Panel Description

One additional change that users may notice is a Description field in the add/edit panel dialog. The description entered here, will appear as a mouse-over popup when viewing the dashboard panel. This allows dashboard creators to deliver more context for each panel.

Interactive Dashboards

Another new feature we added is called Interactive Dashboards. This feature allows users to click on an item in a panel to get a filtered view based on that data item. The filter applies to all panels on the dashboard and can be seen by viewing the Filters pane in the sidebar.

This feature is enabled using the Cross-Panel Filtering selector in the add/edit panel dialog.

The following view types currently support Cross-Panel Filtering:

• Time Series Stacked Graph
• Time Series 100% Stacked Graph
• Time Series Bar Graph
• Time Series Line Graph
• Comparison Bar Chart
• Pie Chart
• Tables
• Gauge

We will be adding support for the remaining view types in the near future. Keep an eye on upcoming product updates for more information.

Filtering Improvements

This month, quite a bit of work also went into improving a few different areas of Kentik Detect’s filtering capabilities:

Bi-Directional Interface Classification Filters

Interface Classification results in the following filter criteria being available:

• Interface ID
• Interface Name
• Interface Description

These criteria can now be applied as Source or Destination meaning if either direction matches, the filter will apply.

Invert Perspective

Changing the direction of a filter in a query just got a whole lot easier. In the Ad-Hoc Filter Groups pane of the Filtering Options dialog, there is now a button for Invert Perspective. In this example, clicking the button would change our filter to Source AS Number.

Remove Active Saved Filters

We now support the ability to quickly remove an active saved filter. In the Filtering pane of the Data Explorer sidebar, clicking the X next to an item listed in the Saved Filters section will remove it. Don’t forget to re-run your query by clicking the blue Run Query button at the top of the sidebar.

For more detailed information on how to use filters in Kentik Detect, check out our KB article.

Alerting Enhancements

Kentik Detect’s powerful anomaly detection, alerting, and mitigation platform has gotten some improvements this month as well. Let’s take a look:

Support for Nested Filters

We have added support for nested filters in the alert policy dataset – similar to what has been available previously in Data Explorer’s sidebar. This is accessed from the Policies list (Alerting » Policies) by either clicking on an existing policy or clicking the blue Add Policy button. On the Dataset tab, you click on the Edit Filters button to bring up the Filtering Options dialog. For more information on configuring nested filters, check out our AdHoc Filter Interface KB article.

Manual Mitigation TTL

In our November Product Update we mentioned that we have added the ability to start a manual mitigation as opposed to triggering a one-off alert. We’ve now taken this a step further and added the ability to set a time to live (TTL) on the mitigation so it will automatically stop when the timer expires.

Escalating Thresholds

Our alerting system now supports escalating thresholds. A user can configure multiple Alert Thresholds with different criteria to trigger the threshold. As traffic matching the criteria increases or decreases, the appropriate thresholds will trigger. Different notifications can be tied to threshold level, but mitigation escalation is still under development. Stay tuned to future product updates for more details on that.

For more information on Kentik Detect’s powerful alerting system, check out our alerting KB articles or our recent blogs:

• Kentik Detect Alerting: Configuring Alert Policies
• HBO Attack: Can Alering Help Protect Data?

Cloud Aware kprobe

This month, our kprobe agent got a couple of updates to make it easier to adopt in a “cloud-native” environment. Let’s take a look at what we mean by that:

In cloud deployments there is often a load-balancer that is front-ending a cluster of application server instances. An example diagram is below:

The load-balancer is accepting the HTTPS (TCP port 443) connections and then forwarding the requests to a number of cloud instances. In this type of setup, users typically look at Kentik Detect to get the sum of all HTTPS traffic handled by the instances behind the load-balancer. The ‑‑translate command line option of kprobe now allows you to map the load-balancer IP/TCP:443 to the instance IP/TCP:8080 on each of the instances.

Another cloud deployment trend is VMs being created on the fly using things like auto-scaling or stale instance killer where kprobe needs to be included in a custom image and started with each new cloud instance. This requires that the configuration of kprobe be independent of the VM hostname, IP address, or Kentik device ID. To accommodate this, we have added a couple new features:

• Kentik Detect Plans now have an “Active Device” count, in addition to the existing “Total device” count. When kprobe first communicates with Kentik Detect, if active count < total count, a new device will automatically be registered. To facilitate this, a new command line argument: ‑‑device-plan option has been made available.
• If ‑‑device-name isn’t specified, the instance’s hostname will be used, otherwise it’ll be overridden by this flag and appear in the Kentik Detect platform with this name.

To learn more about the current kprobe startup options, check out our Knowledge Base article.

Raw Flow Viewer

Seeing the raw flow data that your device is outputting can be a great troubleshooting tool. To that end, we have implemented a new feature called Raw Flow Viewer (Analytics » Raw Flow) that allows the user to see their raw flow records without having to build a complicated SQL query. Keep an eye on future product updates as we expand this functionality to allow for CSV export of this data. Formal documentation in our KB is forthcoming but until then here is an example of how one might use this feature.