Anomaly alerts for Job Completed?

Mike,

I saw that description in BOL also.  But it doesn’t line up with what I’m seeing.

Here’s an example as I get this alert every day (and they’re all around 120~ which doesn’t seem very out of the ordinary to me since it’s a pretty close number every day):

2022-11-11 00:59:43    Backup job [1341137] completed. Client [CLIENT], Agent Type [Virtual Server], Subclient [default], Backup Level [Incremental], Objects [613], Failed [0], Duration [01:59:31], Total Size [589.97 MB], Media or Mount Path Used [[MA] /ds2/CVLT02, [MA] /ds1/CVLT01].    126    Occurrence

2022-11-10 00:54:33    Backup job [1338682] completed. Client [CLIENT], Agent Type [SQL Server], Subclient [default], Backup Level [Transaction Log], Objects [3], Failed [0], Duration [00:02:01], Total Size [42.96 GB], Media or Mount Path Used [[MA] /ds1/CVLT01].    121    Occurrence

2022-11-09 04:59:46    Backup job [1336175] completed. Client [CLIENT], Agent Type [Virtual Server], Subclient [default], Backup Level [Incremental], Objects [4428], Failed [0], Duration [05:59:39], Total Size [4.30 GB], Media or Mount Path Used [[MA] /ds3/CVLT03, [MA1] /ds2/CVLT02].    109    Occurrence

2022-11-09 02:56:37    Backup job [1336524] completed. Client [CLIENT], Agent Type [SQL Server], Subclient [default], Backup Level [Transaction Log], Objects [3], Failed [0], Duration [00:00:56], Total Size [13.06 MB], Media or Mount Path Used [[MA] /ds2/CVLT02, [MA] /ds3/CVLT03].    136    Occurrence

2022-11-08 00:59:56    Backup job [1334105] completed. Client [CLIENT], Agent Type [Virtual Server], Subclient [default], Backup Level [Incremental], Objects [9934], Failed [0], Duration [01:59:49], Total Size [9.68 GB], Media or Mount Path Used [[MA] /ds2/CVLT02, [MA] /ds3/CVLT03].    183    Occurrence
 

If it actually were telling me that there were less jobs than typically succeeded, I would expect to see it tell me what the “norm” has been historically as well as what the low is for that day.  But that’s not what this is showing me.  Plus clicking on that report doesn’t really give you any more info that is useful, as it just shows the info in the alert email in a table view...

Sounds like the old “what it says it does” vs “what it should do” vs “what it actually does”

Assuming documentation is correct, then I don’t think this is a useful alert to have in our environment and I would prefer to just turn it off.  If there were an anomaly in the number of successful jobs, there would likely be an anomaly in the number of failed jobs also, or they are all “no run” or are all still pending in the job controller - so I don’t see the value of this default alert anyway. 

I posted the question here specifically because I did not want to open a ticket for this.

And since the built in alert doesn’t appear to be doing what it says it does, I’m going to just go ahead and not use it.  I’m no longer in the business of fixing Commvault software - I’m an end user now.  My job is to use the software and not to fix both the alert and the documentation - my manager is starting to ask questions like “why does every ticket you open go to dev” and “does this software ever work” (he prefers Netbackup)

So if you guys can go back to your labs and figure out what it’s supposed to do and make sure that the documentation is accurate, then I’d be glad to re-check once this is all fixed.  But I will not be opening a ticket for this, since I don’t see the value in what it says it’s supposed to do and I’m tired of deleting this e-mail every day from multiple CommCells.  Unchecking the box for “anomaly in number of succeeded jobs” is an acceptable solution here (although it should probably say “successful jobs” rather than “succeeded jobs,” but ok...).

Hey Mike --

I just noticed that even after turning off the option for Job Anomalies, we’re still seeing the alert that I referenced in the beginning:

The system detected events that are unusual in occurrence or frequency in CS001.     

Server    Event time    Event    Occurrence    Anomaly type
CS001
2022-12-06 00:59:09    Backup job [1398329] completed. Client [CLIENT], Agent Type [Oracle RAC], Subclient [(command line)], Backup Level [Full], Objects [14], Failed [0], Duration [01:23:26], Total Size [39.47 GB], Media or Mount Path Used [[MA001] /ds2/CVLT02, [MA002] /ds3/CVLT03].    156    Occurrence
Please click here for more details. 

The system detected events that are unusual in occurrence or frequency in CS001.

Server    Event time    Event    Occurrence    Anomaly type
ens21cvc001
2022-12-05 00:59:39    Backup job [1394241] completed. Client [CLIENT2], Agent Type [MySQL], Subclient [default], Backup Level [Full], Objects [374], Failed [0], Duration [12:59:28], Total Size [9.86 TB], Media or Mount Path Used [[MA003] /ds2/CVLT02].    149    Occurrence

Notice that it says “system detected EVENTS that are...”

So I’m pretty convinced this is coming from the Event Anomaly selection -- and it’s considering the event that job completed is anomalous.

Again, I’m not going through the pain of opening a ticket for this when I can turn off that alert criterion or create a rule in Outlook.  But it is annoying to see this alert multiple times per day from multiple CommCells, when there’s absolutely nothing to do - no action for me to take to fix it.  And it’s built-in and turned on by default.

Also I noticed that I get a lot of runtime anomaly alerts.  Is there a way to configure the thresholds?  I think that the machine learning/AI is too noisy and needs to back off a bit.  I mean it’s alerting me for a job that took 1:47 when the previous job took 1:15 -- not that big of a deal.  Or am I just stuck with what the system thinks the threshold should be?

Hi Rob,

Model tends to give preference to consistency. if past job’s runtimes are all very close then the expected fluctuations are less, and thus breakout are tagged early. You can make system less sensitive to this by adding a gxglobal param “AdminAlertSensitivity” with value as “Low”.

regards

Mrityunjay

I am too busy to dig in to the details for all’yall, @Mrityunjay Upadhyay  but I also have concerns about the usability of the Anomaly Alerts, as well as the RansomeWare alerts/reports.  I think they are poorly engineered features in name only in order to impress & assuage fear in the C-suite level people with empty security features, or maybe to check off a box for ransomeware insurance policies.  If Commvault doesn’t like my assessment, they can provide better documentation and training on how to configure and respond to their Anomaly and Ransomeware spam.  A technical webinar would go a long way here.

Hi Robert,

Which FR you are using. Are you also getting more event-based anomalies than desired? We are working on reducing the noise and will port it to your FR. Above, setting is for long running job and is hidden. We are unhiding it and adding some settings. Will add a doc link here once update is out.

regards

Mrityunjay

Hi Robert,

You and Rob are right, aux copy adds more dimensions and can get tagged incorrectly. We will exclude these by default and make auxcopy tracking opt in. Will expedite FR28.

regards

Mrityunjay

Hi Rob,

Happy new year.

We made fixes in SP28 HFP42. will backport it to 24. This will not alert on auxcopy and info events.

Regarding failure alert on system killed Aux Copies jobs after max run time; i am checking if these can be marked CWE. 

i will get back by tomorrow.

thanks, and regards

Mrityunjay

Thanks Mrityunjay!

I was able to tweak the Alert to add a Token Criteria Selection so that ERR CODE does not equals 19:1111 so that the alert didn’t come from this type of failure.

But I am waiting on another patch which will be Hotfix’d, so we will get these applied on top of SP24 once all of these patches are ready.

It seems that my change was effective, as I’m not getting the e-mailed alerts when the aux copy job is getting killed anymore. I changed my token criteria to “does not contains” instead of “does not equals” for the error code.  So it looks like this is now stopping the alert when the system kills the job, as desired.