Creating thresholds and notifications

Thresholds are used to receive notification of:

  • potential problems on network devices
  • excessive utilization on interfaces
  • devices that appear to be down
  • violation of algorithms in flow analytics

This guide will demonstrate how to properly set thresholds and set up notifications based on violations.

Setting the global threshold

Scrutinizer relies the SNMP poller to determine the link speed of an interface. These values are used to calculate interface utilization percentages.

  • Link speed is commonly referred to as ifSpeed
  • The link speed can also be changed manually per interface

When the interface utilization percentage reaches a specific level, an alarm is triggered to indicate high utilization. The default utilization percentage set in Scrutinizer is 90%. Depending on the link speed(s) received from the SNMP poller, admins may want to increase or decrease the values obtained from polling the device. To change the Global threshold for utilization, navigate as follows:

Admin Tab>Settings>System Preferences

  1. Scroll down to Threshold – Utilization
  2. Edit the percentage as needed
  3. Click Save

Applying a notification to the global threshold

Once the ifSpeed is set and the global threshold is set, notification can be applied. This notification can be in a number of forms (email, logfile, syslog, snmptrap, script, and auto-acknowledge), and will send an alert when the threshold is breached. To add a notification to the global threshold policy, navigate to:

Admin Tab>Definitions>Policy Manager

  1. Enter ‘Interface Exceeded’ in the search field
  2. Click the Search button
  3. Then click on the ‘Scrutinizer: Interface Exceeded Threshold’ Policy when it’s displayed
  4. Next, click on the Assign button, select the Notification profile previously set up (see below to set up a Notification profile), then click Save

How to create a notification that is sent via email


I want to run a default report that monitors total bandwidth on a particular interface.

When it exceeds a threshold that I will specify, I want to have it send an email to me.

Creating the notification profile to use

Notification profiles can be created once and applied to multiple policies. Notification methods include Email, Logfile, Syslog, SNMPTrap, Script and Auto Acknowledge. Enter the necessary data and select additional details from the Available Variables for Message list to ensure the desired information is included in the alert.

If multiple notification alerts are added to the same notification profile, the order of notification can be re-ordered by entering lower or higher numbers to the left of each notification and clicking the Save button.


  • Email: send an email alert

    • Enter the email address the alert is destined for in the “To” field


An email server must be configured in Scrutinizer for these alerts to function. If the email server has not yet been configured in Scrutinizer, click the “Configure” button to set that up.

  • Logfile: add alert message to a file

    • Enter log file name with the absolute file path of:



Log files must be placed at this location.

  • Syslog: send syslog alert to Host address.

    Required fields are:

    • Host: Target server address
    • UDP Port: Target server port (default 514)
  • Priority
    • Facility
  • SnmpTrap: send snmptrap alert to Host address.

    Required fields are:

    • Host: Target server
    • Community String
    • UDP Port
    • Enterprise OID
    • Generic ID
    • Specific ID
    • Binding OID
    • From Host
  • Script: trigger action defined in Script.

    Required fields are:

    • Script: /home/plixer/scrutinizer/files/{}
    • Note: Script must be placed in this folder and absolute path must be included in the Script field.
    • Command-line Arguments: Variables to include in the script from the Available Variables list below.
  • Auto Acknowledge: automatically acknowledge policy alarms

    • Policy To Acknowledge: select target policy from dropdown list

Available variables for message

%m Message
%v Violator Address
%h Host
%p Protocol
%pol Policy Violated
%notes Policy Notes
%id Alarm ID

Adding a threshold that sends an email notification

Now that a notification profile has been set up, a report which will trigger an email alert can be configured. Adding a threshold to a report requires that the report first be Saved.

Use the following steps to create a Saved Report.

  1. Go to the Status tab to bring up the Top Interfaces view

  2. Click on the interface name for the reports available list

  3. Select Top Reports > Applications Defined from the report menu. This will launch a report for the last 24 hours.

  4. To save this report:

    1. In the upper left, enter a name in the report text box
    2. Click the Save icon above the report name
  5. Next, in the Saved Report, click the Filters/Details button on the left. Click the Threshold tab in the modal. The threshold will use the parameters already defined in the report (Total vs. Rate, Bits or Bytes, etc.)

  6. Enter a threshold for the Total amount of traffic reported, or Per Row, which tells Scrutinizer to look at each line in the report table and match it against the threshold. This is useful for applying thresholds to Users or Applications.

  7. After completing the fields in the modal, click the Save Threshold button and another window will open prompting the user to select a Notification Profile.

  8. Click the dropdown list that says ‘None’ and select the profile that was created earlier, then click Save.

  9. To create a new Notification profile, click the Manage Notifications button.

  10. Notice that the Notification Profile was added to the Threshold.

With the threshold set, any time traffic on the specified interface exceeds the value set, an email alert including the specific violation information will be sent.

If any assistance is needed, please contact us.