The alerting engine for flow metrics from sensor capture acts on metrics filtered by either a child zone or an application. The metric to alert on is then selected by "layer". Currently, 25 application layers are supported in capture data alerting.
Layers supporting alerts
arp
bootp
citrix
citrix_channels
databases
dce_rpc
dns
email
ftp
http
icmp
ipsec
kerberos
ldap
non-ip
other-ip
rdp
smb
socks5
ssh
tcp
tls
udp
vnc
voip
These eight layers currently do not support any alerting policies:
cifs
flows
sql
transport
dce_rpc
dhcp
http2
ntlm
Care should be taken to create alerts only on metrics that are supported in the respective application layer. The user interface and APIs currently do not limit all selections to what the alerting engine supports; instead, they expose all fields in the PVQL database for each application. An upcoming patch release of Cisco Provider Connectivity Assurance (formerly Skylight performance analytics) will filter the user interface so that unsupported policy conditions cannot be applied.
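Until that filtering is in place, the check can be done before a policy is created. The following is an added example, not product code: a pre-flight lint built from the layer lists above and the unsupported-metric lists further down this page. The policy shape (a dict with "layer" and "metric"), the sample metric name "traffic.bytes" and the ".id"/".name" suffix heuristic are assumptions.

```python
# Added example: pre-flight lint for capture alert policies (not product code).
# Assumption: a policy is a dict with "layer" and "metric" keys (hypothetical shape).
SUPPORTED = {
    "arp", "bootp", "citrix", "citrix_channels", "databases", "dce_rpc", "dns",
    "email", "ftp", "http", "icmp", "ipsec", "kerberos", "ldap", "non-ip",
    "other-ip", "rdp", "smb", "socks5", "ssh", "tcp", "tls", "udp", "vnc", "voip",
}
NO_ALERTING = {"cifs", "flows", "sql", "transport", "dce_rpc", "dhcp", "http2", "ntlm"}
COMMON_UNSUPPORTED = {"application.category.id", "application.category.name"}
# Only the BOOTP exclusions are listed in this section; add other layers as needed.
LAYER_UNSUPPORTED = {"bootp": {
    "client.ip", "dest.ip", "gateway.ip", "ignored_server.ip", "ip.family",
    "nameserver1.ip", "nameserver2.ip", "next_server.ip", "ntp.ip", "requested_ip",
    "router.ip", "server.ip", "source.ip", "subnet.ip", "uuid",
}}

def lint_policy(policy):
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'reject'."""
    layer = str(policy.get("layer", "")).strip().lower()
    metric = str(policy.get("metric", "")).strip().lower()
    if not layer or not metric:
        return "reject", "policy needs both a layer and a metric"
    if layer in NO_ALERTING and layer not in SUPPORTED:
        return "reject", f"layer '{layer}' does not support alerting policies"
    if layer not in SUPPORTED:
        return "reject", f"layer '{layer}' is not in the supported list"
    if metric in COMMON_UNSUPPORTED or metric in LAYER_UNSUPPORTED.get(layer, ()):
        return "reject", f"metric '{metric}' is unsupported for alerts on '{layer}'"
    if layer in NO_ALERTING:
        # dce_rpc is listed under both headings, so confirm the alert really fires.
        return "warn", f"layer '{layer}' is listed as both supported and unsupported"
    if metric.endswith((".id", ".name")):
        # Heuristic (assumption): ID and Name fields are generally not supported.
        return "warn", f"metric '{metric}' looks like an ID/Name field"
    return "ok", ""

def lint_policies(policies):
    """Return (index, verdict, reason) for every policy that is not 'ok'."""
    results = ((i, *lint_policy(p)) for i, p in enumerate(policies))
    return [r for r in results if r[1] != "ok"]

if __name__ == "__main__":
    sample = [  # constructed policies; "traffic.bytes" is a made-up metric name
        {"layer": "bootp", "metric": "client.ip"},
        {"layer": "http2", "metric": "traffic.bytes"},
        {"layer": "dce_rpc", "metric": "traffic.bytes"},
        {"layer": "dns", "metric": "traffic.bytes"},
    ]
    for finding in lint_policies(sample):
        print(finding)
```

A "reject" here means the policy would be accepted by the interface but never evaluated by the alerting engine, which is a silent detection gap worth catching before deployment.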
Metrics not supported for alert policies
Below is the list of unsupported metrics for alert policies within each application layer.
Common unsupported alerting metrics for all layers
| metric | comment |
| --- | --- |
| application.category.id | ID fields are generally not supported for alerts |
| application.category.name | Name fields are generally not supported for alerts |
"BOOTP" layer unsupported metrics for alerts
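| metric | comment |
| --- | --- |
| client.ip | |
| dest.ip | |
| gateway.ip | |
| ignored_server.ip | |
| ip.family | |
| nameserver1.ip | |
| nameserver2.ip | |
| next_server.ip | |
| ntp.ip | |
| requested_ip | |
| router.ip | |
| server.ip | |
| source.ip | |
| subnet.ip | |
| uuid | |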
"Citrix Channels" and "Citrix" layers unsupported metrics for alerts