
Flowmon User Guide

Alerts

  • Last Updated: April 5, 2026

The Flowmon Monitoring Center allows you to automatically watch for predefined network abnormalities and trigger a specific action when they appear. These watches are called alerts and they are defined using filters of the selected profile, conditions of execution, type of trigger, and action to be performed. Alerts are available for the 5m, 1m, and 30s profiles. Alerts on the 1m and 30s profiles are evaluated every 30s, and alerts on the 5m profiles are evaluated every 5 minutes.

The list of all alerts and their statuses is displayed on the Alerts page. Details about the particular alerts can be displayed by clicking Details.

Alert activation process


Creating New Alert

You can create a new alert by clicking New alert and filling in the New alert form.

New alert form


  • Profile - Select the parent profile.

  • Channels - Select channels with data relevant to the alert. The All option means all channels including those added in the future.

  • Filter - Enter the filter of the alert related to the parent profile. Conditions of execution depend on this filter.

  • Conditions of execution - Conditions of execution are defined either over a list of flows (conditions based on total flow summary) or over flow statistics (conditions based on individual Top 1 statistics) and they can be connected together (up to 6 conditions). You can add a new condition by clicking the plus icon on the right side of the condition parameters. At the beginning of the second and all the following conditions, it is possible to choose a connective used to connect the condition with the previous one (using and/or logic).

    Conditions of execution can be defined, for example, for the number of flows, packets, bytes, or NPM metrics going through the filter. This number is compared either with an absolute value, with the average value for the selected time interval, or with the weekly baseline. This allows you to define adaptive filters for easy detection of peaks.

    The weekly baseline is applied only if the profile history is at least 7 days long. The traffic amount for the current 5 minutes is compared with the average value for the same five minutes on the same day of the week (for example, the value for Monday 12:10 is compared to previous Mondays 12:10). The longer the profile history is, the better results this method provides. The maximum length of the history is 28 days (that is, four weeks).

    Also, it is possible to define the conditions of execution over Top 1 statistics.

Alert condition settings


Alert condition settings


  • Trigger - Whenever the conditions of execution are satisfied, the selected action is triggered. According to your needs, it is possible to set the action to trigger Each time the conditions are satisfied, Once only, or Once only while the condition is valid. Furthermore, it is possible to require that the conditions be satisfied repeatedly before the action is triggered, and, once the action is triggered, to disable its execution for several cycles. If the trigger is set to Once only, the condition is invalidated after each trigger and you must activate it again by clicking Rearm in the alerts list.
Alert activation frequency settings


  • Action - Defines an action to be performed when the alert triggers. Usually, it is sending an email, executing a user-defined script (using Call plugin: runscriptplugin), sending a syslog message in CEF format (using Call plugin: syslogplugin), or sending an SNMP trap (using Call plugin: snmptrapplugin). It is possible to choose more than one action. If you select No action, the rest of the actions are unchecked and the alert is inactivated.

    • When defining an email action, the Recipient field can contain one or more email addresses. Email addresses have to be separated by comma or semicolon characters.

Alerts Based on Shadow Profiles

There are some limitations when creating alerts based on a shadow profile. The limiting factor is the granularity of a parent profile used for the shadow profile definition. See the following table to find out when it is possible to create an alert based on a shadow profile.


Shadow's profile parent granularity

30s 1m 5m
Alert on a 30s shadow profile
Alert on a 1m shadow profile
Alert on a 5m shadow profile

User-defined Scripts

A user-defined BASH script can be run as an alert action (when the Run script box is checked). The script can be uploaded by clicking Browse. Specify the script parameters in the Script parameters field.

If the alert data (name, time, conditions, measured values) are needed in the user script, the script must include the mandatory code (see the following example script), which sets all alert variables.

Run script settings

The following user script example saves the alert name, timeslot and the total number of bytes/packets/flows to the file defined by input parameter f.

Example of a user-defined script

# start of mandatory part of source code
. /usr/local/bin/fmc_alert_functions
if [ -L "$0" ] ; then
    DIR=$(dirname "$(readlink -f "$0")") ;
else
    DIR=$(dirname "$0") ;
fi ;
input_json=$(cat "$DIR/pluginscript_input")
parse_alert_data "$input_json"
# end of mandatory part of source code

# Initialize our own variables
parameter_filename=""

# Process input parameters
while getopts "f:" opt; do
    case "$opt" in
        h|\?)
            echo "invalid option $opt"
            exit 1
            ;;
        f)  parameter_filename=$OPTARG
            ;;
    esac
done
shift $((OPTIND-1))
[ "$1" = "--" ] && shift

# The output file (-f) is required; an empty name would break the redirections below
if [ -z "$parameter_filename" ]; then
    echo "usage: $0 -f <output file>" >&2
    exit 1
fi

# Write the alert name, timeslot and summary counters to the output file.
# The file name is quoted so that spaces or wildcards in it are taken literally.
echo "======ALERT INFO======" > "$parameter_filename"
echo "Alert name: $ALERT_NAME" >> "$parameter_filename"
echo "Alert timeslot: $ALERT_TIMESLOT" >> "$parameter_filename"
echo "======ALERT DATA======" >> "$parameter_filename"
echo "Summary bytes: $SUMMARY_BYTES" >> "$parameter_filename"
echo "Summary packets: $SUMMARY_PACKETS" >> "$parameter_filename"
echo "Summary flows: $SUMMARY_FLOWS" >> "$parameter_filename"

List of variables

ALERT_BASED_ON=Alert based on "summary" or "TOP1" statistic
ALERT_NAME=Alert's displayed name
ALERT_TIMESLOT=Timeslot
INTERNAL_NAME=Alert's identifier (UUID)
#Summary data
SUMMARY_BYTES=Number of bytes
SUMMARY_PACKETS=Number of packets
SUMMARY_FLOWS=Number of flows
SUMMARY_BPS=Bits per second
SUMMARY_PPS=Packets per second
SUMMARY_BPP=Bits per packet
#Top1 data
TOP1_DATA=Top1 data
#Conditions and its values
CONDITION_COUNTER=Number of conditions
CONDITION1_WHAT=Condition by flows/packets/bytes/flows_per_second/packets_per_second/bits_per_second
CONDITION2_WHAT
CONDITION3_WHAT
CONDITION4_WHAT
CONDITION5_WHAT
CONDITION6_WHAT
CONDITION1_COMPARE_BY=Comparison operator and value to compare
CONDITION2_COMPARE_BY
CONDITION3_COMPARE_BY
CONDITION4_COMPARE_BY
CONDITION5_COMPARE_BY
CONDITION6_COMPARE_BY
CONDITION1_ACTUAL_VALUE=Current measured value
CONDITION2_ACTUAL_VALUE
CONDITION3_ACTUAL_VALUE
CONDITION4_ACTUAL_VALUE
CONDITION5_ACTUAL_VALUE
CONDITION6_ACTUAL_VALUE
CONDITION1_AVERAGE_VALUE=Average value for X minutes/hours/days (only for average values)
CONDITION2_AVERAGE_VALUE
CONDITION3_AVERAGE_VALUE
CONDITION4_AVERAGE_VALUE
CONDITION5_AVERAGE_VALUE
CONDITION6_AVERAGE_VALUE
CONDITION1_RESULT=How the condition was evaluated "True" or "False"
CONDITION2_RESULT
CONDITION3_RESULT
CONDITION4_RESULT
CONDITION5_RESULT
CONDITION6_RESULT
CONDITION1_BINARY_OPERATION=Binary operation of condition "OR" or "AND"
CONDITION2_BINARY_OPERATION
CONDITION3_BINARY_OPERATION
CONDITION4_BINARY_OPERATION
CONDITION5_BINARY_OPERATION
CONDITION6_BINARY_OPERATION

To test the correct function of the script, click Save and test script. A window pops up with information about each performed script action.
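
A user script can also report the per-condition variables from the list above. The following is an added example, not Flowmon's own code: it assumes the mandatory part has already set the alert variables, and the function names (sanitize, cond_field, alert_report, write_report) and the sample values are constructed for illustration.

```bash
#!/bin/bash
# Added example, not vendor code. In a real user script the mandatory part
# runs first and parse_alert_data sets the variables used below.

# Drop control characters and double quotes so a value (for example a
# user-chosen alert name) cannot forge extra lines or fields in the report.
sanitize() { printf '%s' "$1" | tr -d '\000-\037\177"'; }

# Print CONDITION<n>_<FIELD>. Both parts are validated before they reach eval.
cond_field() {
    case "$1" in [1-6]) ;; *) return 1 ;; esac
    case "$2" in ''|*[!A-Z_]*) return 1 ;; esac
    eval "printf '%s' \"\${CONDITION${1}_${2}-}\""
}

# One header line, then one line per configured condition (at most 6).
alert_report() {
    printf 'alert="%s" timeslot="%s" based_on="%s"\n' \
        "$(sanitize "${ALERT_NAME-}")" "$(sanitize "${ALERT_TIMESLOT-}")" \
        "$(sanitize "${ALERT_BASED_ON-}")"
    n=${CONDITION_COUNTER:-0}
    case "$n" in [1-6]) ;; *) n=0 ;; esac
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'condition=%s what="%s" compare="%s" actual="%s" result="%s"\n' \
            "$i" "$(sanitize "$(cond_field "$i" WHAT)")" \
            "$(sanitize "$(cond_field "$i" COMPARE_BY)")" \
            "$(sanitize "$(cond_field "$i" ACTUAL_VALUE)")" \
            "$(sanitize "$(cond_field "$i" RESULT)")"
        i=$((i + 1))
    done
}

# Write the report to the file given by -f: refuse an empty path or a
# symlink, and create the file readable by the script's user only.
write_report() {
    [ -n "$1" ] || { echo "missing output file (-f)" >&2; return 2; }
    [ ! -L "$1" ] || { echo "refusing to write through a symlink" >&2; return 3; }
    ( umask 077; alert_report > "$1" )
}

# Constructed sample values standing in for parse_alert_data output.
ALERT_NAME='DNS spike'; ALERT_TIMESLOT='2026-04-05 12:10'; ALERT_BASED_ON='summary'
CONDITION_COUNTER=1; CONDITION1_WHAT='bytes'; CONDITION1_COMPARE_BY='> 1000000'
CONDITION1_ACTUAL_VALUE='5300000'; CONDITION1_RESULT='True'
alert_report
```

In a deployed script, call write_report "$parameter_filename" after the getopts loop instead of the sample block at the end.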

Alert Status

The alert status is displayed in the Status column of the alerts table and it is also visible in the top left corner of the alert details dialog. The status can be one of the following:

Status | Description
🟦 Disabled | This alert is not active and it is not evaluated.
🟩 Armed | This alert is active and its conditions are evaluated each cycle.
🟨 Armed - 1 of 3 cycles fulfilled | This alert is active and is evaluated each cycle. The last overall condition was true but needs 3 conditions (definable) in a row to fire the trigger. So far, the condition was satisfied only once.
🟥 Fired | This alert is active and it is evaluated each cycle. The trigger just fired in the last cycle and executed the action assigned to this alert.
🟥 Fired - finished | This alert fired once only and it is no longer active. The alert needs to be rearmed manually.
🟪 Blocked - cycle 1 of 2 | This alert is active but blocked for 2 cycles (definable) after the trigger fired. Currently one of the two blocked cycles is already over.

Alert Details

After clicking Details in the alerts list, the following form shows up. It displays details of the selected alert.

The upper part of the form shows the current status of the alert, the date and time of its last trigger, the state of conditions evaluation, and the action to be performed. The bottom part of the form contains a chart showing the flow of average network traffic values. Values in the chart can be used to specify the conditions of execution more exactly. The vertical cursor (vertical lines) in the chart marks when the trigger last fired. The 30s alert chart has a 30s granularity, and the 5m alert chart has a 5m granularity.

Alert details form


The table under the chart displays the average values of the network traffic measured during the last time slot in flows, packets, and bytes. The radio buttons above the tables can be used to switch the chart units.

For instance, the 30m average value is calculated from the last 6 timeslots. Each timeslot covers 5 minutes, so 6 * 5m = 30m. The sum of flows within these timeslots is divided by 6 and the result is presented as a 30-minute average. This value is then compared with the current 5-minute timeslot according to the alert rule.
