I have stood up a lab with a server using LibreNMS to pull stats every 5 minutes for a few network devices (Juniper and Brocades mostly) and forward the collected data to an influxdb. I get a lot of data every 5 minutes, but what I am wanting to concentrate on is the interface bandwidth usage. I have ifOutOctets_rate and ifInOctets_rate data points, which appear to be the bytes/second as calculated by LibreNMS, as well as the raw interface counters.
My initial goal is to set up influxdb and Kapacitor to learn the history of each interface's usage and detect any anomalies. The anomalies I would expect to detect are when traffic "maxes out" on an interface, or drops to zero during business hours. An interface is considered "maxed out" when it reaches or exceeds the maximum used bandwidth seen in the past 7 days and maintains that rate for at least 15 minutes (3 polling cycles).
I am a total newbie at influxdb/kapacitor and have never done anything with anomaly detection, so I figured I would learn by doing. Now that I have set up the lab and gotten the components working and data flowing, I am not sure where to go next.
I have attempted to use the Holt-Winters function in Kapacitor, but I think I wandered into "prediction". It seemed like I would have to have a "prediction" to compare my live data to. But it only seemed to work on a 24 hour scale, and even then it was going to need some tweaking as I learned more about the algorithm and how to apply it to the data.
That was when I thought I should see if anyone has any pointers. I have a hard time finding any examples on influxdb and network traffic data. This is my first foray into these tools as well as "math" this complicated. I am suspecting that I will need to perform a TICK script to shunt the in/out Octet data (in batches?) to an external process, which will process it and possibly save the results back to influxdb for visualization. (At least while I am learning it.)
My main question is whether someone can cite a "network bandwidth" specific example of how to set up Kapacitor to process history and understand a 24 hour cycle over the course of 7 days. (Since weekends/holidays will have a noticeably different pattern than normal business days.) I'm not against using other tools/methods, but would prefer to stick with Kapacitor and Influxdb to help learn the theory while I am learning this tool. The TICK script would just be written to a file when the system detects a bandwidth anomaly and when it detects it has ended.
Finally, I would also ask if the approach I describe above is practical? I ask in the sense that I am not grossly overestimating the capability of these tools nor needlessly overcomplicating my learning scenario?
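The two rules the post defines ("at or above the 7-day maximum for 3 consecutive polls" and "zero during business hours") can be written down as a plain stateful detector before committing them to a TICK script; doing so exposes the decisions the rules leave open. The following Python is an added example, not code from the poster or from LibreNMS/Kapacitor. It assumes a 5-minute poll interval, business hours of 09:00 to 16:59 Monday to Friday, a one-day warm-up before the "maxed out" rule is judged (without it, any rising trend on a fresh interface is trivially "at the maximum seen so far"), and a baseline that is frozen when a streak begins so that the streak's own samples do not raise the bar under themselves. The input data is constructed inline.

```python
from collections import deque
from datetime import datetime, timedelta

POLL = timedelta(minutes=5)        # LibreNMS polling interval from the post
LOOKBACK = timedelta(days=7)       # window for the "maximum seen" baseline
SUSTAIN = 3                        # 3 polls = 15 minutes
WARMUP = timedelta(days=1)         # assumption: no "maxed out" verdicts before this much history
BUSINESS_HOURS = range(9, 17)      # assumption: 09:00-16:59, Monday-Friday


def in_business_hours(ts):
    return ts.weekday() < 5 and ts.hour in BUSINESS_HOURS


def detect(samples):
    """samples: (datetime, bytes_per_second) pairs for one interface, in time order.
    Returns a list of dicts {kind, start, end, ...}; end is None while the anomaly is open."""
    history = deque()          # (ts, rate) within LOOKBACK, excluding the current sample
    events = []
    streak, streak_start, frozen_max = 0, None, None
    maxed_event = zero_event = None

    for ts, rate in samples:
        while history and ts - history[0][0] > LOOKBACK:
            history.popleft()
        baseline_max = max((r for _, r in history), default=None)
        warm = bool(history) and ts - history[0][0] >= WARMUP

        # Rule 1: at/above the prior 7-day maximum for SUSTAIN consecutive polls.
        # The baseline is frozen when the streak begins; a baseline of 0 is ignored.
        if streak == 0:
            if warm and baseline_max and rate >= baseline_max:
                streak, streak_start, frozen_max = 1, ts, baseline_max
        elif rate >= frozen_max:
            streak += 1
        else:
            streak, frozen_max = 0, None
            if maxed_event is not None:        # rate fell below the bar: close the event
                maxed_event["end"] = ts
                maxed_event = None
        if streak >= SUSTAIN and maxed_event is None:
            maxed_event = {"kind": "maxed_out", "start": streak_start,
                           "end": None, "baseline_bps": frozen_max}
            events.append(maxed_event)

        # Rule 2: zero traffic during business hours, open until traffic returns
        # or business hours end.
        if rate == 0 and in_business_hours(ts):
            if zero_event is None:
                zero_event = {"kind": "zero_traffic", "start": ts, "end": None}
                events.append(zero_event)
        elif zero_event is not None:
            zero_event["end"] = ts
            zero_event = None

        history.append((ts, rate))
    return events


def build_samples():
    """Constructed data: eight days of 5-minute polls with a 0.5-1.1 MB/s sawtooth,
    one 2 MB/s burst on the first Wednesday, then on the second Monday a 15-minute
    run at that burst level, a single off-hours zero, and ten minutes of zero at 14:00."""
    start = datetime(2024, 1, 1)                  # a Monday
    samples = []
    for i in range(8 * 24 * 60 // 5):
        ts = start + i * POLL
        rate = 500_000 + (i % 7) * 100_000
        if ts == datetime(2024, 1, 3, 12, 0):
            rate = 2_000_000                      # the week's single peak
        if datetime(2024, 1, 8, 10, 0) <= ts <= datetime(2024, 1, 8, 10, 10):
            rate = 2_000_000                      # sustained for 3 polls -> maxed out
        if ts == datetime(2024, 1, 8, 3, 0):
            rate = 0                              # 03:00 zero: off hours, not flagged
        if datetime(2024, 1, 8, 14, 0) <= ts <= datetime(2024, 1, 8, 14, 5):
            rate = 0                              # business-hours outage
        samples.append((ts, rate))
    return samples


def run_example():
    return detect(build_samples())


if __name__ == "__main__":
    for ev in run_example():
        print(ev)
```

Two things this makes visible that a TICK script would also have to settle: the baseline should be the window *before* the current sample (or the streak's own samples keep raising it), and a literal "zero during business hours" fires on a single poll, which may be fine for a production uplink but noisy for a lab port; a persistence count like the one used for the "maxed out" rule is the usual fix.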