Alerts for Capture Sensor data


Overview

The alerting engine for flow metrics coming from sensor capture acts on metrics filtered either by a child zone or by an application. The metric to alert on is then selected by "layer".
Currently, 25 application layers are supported in capture data alerting.

Layers supporting alerts
  • arp
  • bootp
  • citrix
  • citrix_channels
  • databases
  • dce_rpc
  • dns
  • email
  • ftp
  • http
  • icmp
  • ipsec
  • kerberos
  • ldap
  • non-ip
  • other-ip
  • rdp
  • smb
  • socks5
  • ssh
  • tcp
  • tls
  • udp
  • vnc
  • voip
These eight layers currently do not support any alerting policies:
  • cifs
  • flows
  • sql
  • transport
  • dce_rpc
  • dhcp
  • http2
  • ntlm

Take care to create alerts only on metrics that are supported in the respective application layer. The user interface and APIs currently do not limit all selections based on what is supported in the alerting engine, but instead expose all fields in the PVQL database for each application.
An upcoming patch release of Cisco Provider Connectivity Assurance (formerly Skylight performance analytics) will filter the user interface so that unsupported policy conditions cannot be applied.


Metrics not supported for alert policies

Below is the list of unsupported metrics for alert policies within each application layer.

Common unsupported alerting metrics for all layers

metric | comment
application.category.id | ID fields are generally not supported for alerts
application.category.name | Name fields are generally not supported for alerts

"BOOTP" layer unsupported metrics for alerts

metric comment
client.ip
dest.ip
gateway.ip
ignored_server.ip
ip.family
nameserver1.ip
nameserver2.ip
next_server.ip
ntp.ip
requested_ip
router.ip
server.ip
source.ip
subnet.ip
uuid

"Citrix Channels" and "Citrix" layers unsupported metrics for alerts

metric comment
client.payload.pdus
client.payload.ratio
dest.payload.pdus
dest.payload.ratio
payload.pdus
payload.ratio
server.payload.pdus
server.payload.ratio
source.payload.pdus
source.payload.ratio

"Databases" layer unsupported metrics for alerts

metric comment
query_256
system

"DCE RPC" layer unsupported metrics for alerts

metric comment
dcom.arguments
dcom.arguments_lengths

"DNS" layer unsupported metrics for alerts

metric comment
resolved_ip

"Email" layer unsupported metrics for alerts

metric comment
attachments.sha256
recipients

"FTP" layer unsupported metrics for alerts

metric comment
ftp.file.sha256
ftp.reply_codes
ftp.reply_codes.counters

"HTTP" layer unsupported metrics for alerts

metric comment
content_description
content_disposition
domain.primary
domain.short
domain.toplevel
error.hits (use page.errors)
http.version.major
http.version.minor
referrer
request.payload.sha256
response.category
response.payload.sha256
response.status.category
url.base
url.path

"SMB" layer unsupported metrics for alerts

metric comment
smb.change_time
smb.create_options
smb.creation_time
smb.delete_on_close
smb.desired_access
smb.file_attributes
smb.file_info_class
smb.file_info_class.code
smb.info_type
smb.last_access_time
smb.last_write_time
smb.new_file_name
smb.sha256

"TLS" layer unsupported metrics for alerts

metric comment
domain.primary
domain.short
domain.toplevel
tls.version.major
tls.version.minor

"VNC" layer unsupported metrics for alerts

metric comment
vnc.client.version.major
vnc.client.version.minor
vnc.dest.version.major
vnc.dest.version.minor
vnc.server.version.major
vnc.server.version.minor
vnc.source.version.major
vnc.source.version.minor

"VoIP" layer unsupported metrics for alerts

metric comment
callee.hostname
caller.hostname
client.payload.pdus
dest.payload.pdus
mos
payload.pdus
server.payload.pdus
server.signalization.last_code
source.payload.pdus
