Cluster capacity is insufficient to handle current flow rate.
Article ID: 389839
Updated On:
Products
Issue/Introduction
This alarm is raised when the SSP platform detects that the existing cluster capacity is inadequate to process the current volume of flow data. It is an information alarm.
Environment
SSP 5.1
Cause
The alarm indicates that the number of worker nodes deployed is insufficient for the ongoing flow volume. To prevent system overload, SSP limits the flow collection per transport node by applying flow throttling. The default setting on the host is 50,000 short/terminated flows per 5 minutes and 25,000 long/active flows per 5 minutes per transport node. This will be reduced to a smaller value based on the available worker nodes. The SSP platform continuously monitors flow rates relative to cluster capacity and triggers this alarm whenever the deployment falls short of the recommended sizing.
Resolution
There are two remediation options.
1. Use the sizing tool to check how many worker nodes are needed to handle the current volume of flows.
- Navigate to System→Overview→Flow Processing Capacity
- Calculate the cluster size requirement. The sizing tool should reflect the total number of worker nodes required along with services to scale out.
- Go to the SSPI UI to add the recommended number of worker nodes. Based on available resources, the worker nodes will be provisioned shortly. Then, navigate to the SSP UI under System → Platform & Features to scale out the services.
2. Deactivate data collection on certain standalone hosts or clusters to reduce the volume of flow data.
- Navigate to System→Host Capacity.
- Analyze flow metrics ( un-exported and total flows) for each cluster and standalone host.
- De-activate data collection on selected standalone hosts or clusters to reduce the number of incoming flows.
Feedback
