Stream Processing
- Last Updated: April 5, 2026
Flowmon ADS module version 11 contains a new anomaly detection engine. It uses stream processing, which means that each flow is processed as soon as the engine receives it. This approach detects network anomalies much faster, so you are informed about incidents in the network sooner than ever before. The quality of detection also increases, because stream processing allows the flow data to be analyzed over a longer time period. Stream processing introduces some new concepts that are referenced in the user guide; this chapter explains them.
Event trigger and event update
When a network anomaly is detected in the monitored network, an event is created. Each event is defined by five key attributes: the source (the IP address that caused the anomaly), the event type, its subtype (see Common Features for more information), the data feed that supplied the flow data for the detection, and the method instance that detected the event. The term event trigger is used when a network anomaly is detected and no event with the same attributes is currently active; in this case, a new event is created. When an event with those attributes is already active, no new event is created. Instead, the status of the existing event is updated with current information, and the term event update is used.
Inactive timeout and update interval
The inactive timeout and update interval are closely related to event triggers and event updates. The inactive timeout sets the time interval that controls when an active event is closed. If an anomaly is not detected for the time specified by this parameter (which means that the anomaly is no longer present in the network), the event is considered to be finished. The update interval specifies how often information about an active event is updated in the GUI (for example, every 5 minutes). The values of these parameters can be adjusted under Settings → System settings → Storage Settings (see Data Storage Settings for additional information).
Duration of the detected event
Every event has a duration that specifies the time interval for which the anomaly was active in the network. When a specific time range is selected in the Analysis chart (see Analysis for more information), the events that were active in the respective range are displayed.
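The trigger, update, and inactive-timeout rules described in this chapter can be sketched as a small state machine. This is an added example, not Flowmon code: the class names, the 300-second timeout, the sample detections, and the choice to measure duration from the first to the last detection are assumptions made for illustration, and the update interval (GUI refresh) is not modeled.

```python
from dataclasses import dataclass
from typing import NamedTuple

class EventKey(NamedTuple):          # the five key attributes named in this chapter
    source: str
    event_type: str
    subtype: str
    data_feed: str
    method_instance: str

@dataclass
class Event:
    key: EventKey
    first_seen: int                  # seconds; time of the event trigger
    last_seen: int                   # seconds; time of the latest detection

    @property
    def duration(self) -> int:       # assumption: first to last detection
        return self.last_seen - self.first_seen

class EventTracker:                  # hypothetical name, not a Flowmon API
    def __init__(self, inactive_timeout: int):
        self.inactive_timeout = inactive_timeout
        self.active = {}             # EventKey -> Event
        self.finished = []           # closed events, in closing order

    def expire(self, now: int) -> None:
        # Close every active event not detected for inactive_timeout seconds.
        for key, ev in list(self.active.items()):
            if now - ev.last_seen >= self.inactive_timeout:
                self.finished.append(self.active.pop(key))

    def detect(self, key: EventKey, ts: int) -> str:
        # Process one detection as it arrives; return 'trigger' or 'update'.
        self.expire(ts)
        ev = self.active.get(key)
        if ev is None:               # no active event with these attributes
            self.active[key] = Event(key, ts, ts)
            return "trigger"
        ev.last_seen = ts            # same attributes, still active
        return "update"

    def active_in_range(self, start: int, end: int) -> list:
        # Events whose active interval overlaps [start, end].
        every = [*self.finished, *self.active.values()]
        return [e for e in every if e.first_seen <= end and e.last_seen >= start]

# Constructed sample: two keys that differ only in the data feed.
A = EventKey("192.0.2.10", "example-type", "example-subtype", "feed-1", "instance-1")
B = A._replace(data_feed="feed-2")
SAMPLE = [(A, 0), (A, 120), (B, 130), (A, 200), (A, 600)]

def replay(sample=SAMPLE, inactive_timeout=300):
    tracker = EventTracker(inactive_timeout)
    return tracker, [tracker.detect(k, ts) for k, ts in sample]
```

In the sample, the detection at 600 seconds arrives after the timeout has elapsed, so it triggers a new event rather than updating the earlier one, and the detection from the second data feed is tracked as a separate event.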