Baselines
Zero tuning.
Learns your normal.
Your game server and your API gateway have different normal traffic. Flowtriq builds a separate baseline per node: it learns the 99th percentile of your traffic over 5 minutes, sets the threshold at 3x that level, and keeps updating it as your traffic changes. No spreadsheets, no manual tuning, no stale thresholds.
How It Works
Rolling baseline with continuous adjustment
The FTAgent maintains a 300-sample rolling window: that's 300 seconds, or 5 minutes of traffic data. Every second, the oldest sample is removed and the new reading is added. The 99th percentile (the level your traffic almost never exceeds under normal conditions) is recomputed every 30 seconds.
The detection threshold is set at 3x the 99th percentile. This gives enough headroom for legitimate traffic spikes (burst traffic, deployments, CDN cache misses) while being tight enough to catch real attacks within their first second of elevation.
The threshold is visible in the Console alongside your current avg, p95, and p99, so you can always see exactly why an alert did or didn't fire.
| Parameter | Value |
| --- | --- |
| Rolling window | 300 samples (5 minutes) |
| Baseline metrics | Packets and bandwidth (separate) |
| Threshold formula | 3x 99th percentile of rolling window |
| Update frequency | Every 30 seconds |
| Time to first baseline | 5 minutes after agent start |
| Manual override | Yes, per-node, via Console or API |
IFACE eth0
WINDOW 300 / 300 samples (full)
─── PPS Baseline ────────────────
Average 1,087 PPS
p95 2,340 PPS
p99 4,102 PPS
Threshold 12,306 PPS (3× p99)
─── BPS Baseline ────────────────
Average 38 Mbps
p99 144 Mbps
Threshold 432 Mbps (3× p99)
Last updated: 12s ago
FAQ
Common questions about baselines
What happens during the first 5 minutes before the baseline is full?
Before the 300-sample window is full, Flowtriq uses the samples collected so far to compute a provisional threshold. The agent shows a "learning" status in the Console during this period. Detection is active but the threshold may be slightly less precise until the full window is collected. After 5 minutes, the baseline stabilizes.
Can I use a fixed threshold instead of the dynamic baseline?
Yes. Per-node manual threshold overrides are available in the Console and via the API. Setting a manual threshold disables the automatic baseline for that metric on that node. You can clear the override at any time to return to automatic baseline management. Both PPS and BPS thresholds can be overridden independently.
What if my server has very bursty legitimate traffic?
The baseline threshold is designed to accommodate normal bursts and only fires when traffic exceeds 3x your 99th percentile. If your server has regular large bursts that are triggering false positives, you can either set a manual threshold, widen the multiplier via the API (e.g., 4x or 5x), or use maintenance windows during known burst periods.
Does the baseline adapt after an attack?
Yes, but with protection. The rolling window excludes samples from the period of a detected incident to prevent an attack from "teaching" the baseline that high traffic is normal. Once an incident resolves, the window resumes filling with clean traffic samples.
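The rolling window described under "How It Works" and the incident exclusion described in the answer above can be sketched together. This is an added example, not Flowtriq's agent code. It assumes a nearest-rank p99, a first provisional threshold at the first 30-second recompute, and that a sample counts as part of an incident while it is over the threshold; the trace is constructed.

```python
from collections import deque

WINDOW = 300      # one sample per second, 5 minutes (from the page)
RECOMPUTE = 30    # seconds between p99 recomputations (from the page)
MULTIPLIER = 3    # threshold = 3x p99 (from the page)


def p99(samples):
    # Nearest-rank percentile; the page does not say which method the agent uses.
    ordered = sorted(samples)
    rank = (99 * len(ordered) + 99) // 100   # ceil(0.99 * n) in integer math
    return ordered[rank - 1]


class RollingBaseline:
    def __init__(self, exclude_incidents=True):
        self.window = deque(maxlen=WINDOW)   # oldest sample drops out automatically
        self.exclude_incidents = exclude_incidents
        self.threshold = None                # no detection until the first recompute
        self.since_recompute = 0

    def observe(self, pps):
        """Feed one per-second reading; return True if it exceeds the threshold."""
        over = self.threshold is not None and pps > self.threshold
        # Assumption: a sample counts as "incident" while it is over the threshold.
        if over and self.exclude_incidents:
            return True                      # attack traffic never enters the window
        self.window.append(pps)
        self.since_recompute += 1
        if self.since_recompute >= RECOMPUTE:
            self.threshold = MULTIPLIER * p99(self.window)
            self.since_recompute = 0
        return over


def replay(trace, exclude_incidents):
    """Return (seconds that alerted, final threshold) for a PPS trace."""
    baseline = RollingBaseline(exclude_incidents)
    alerts = sum(baseline.observe(pps) for pps in trace)
    return alerts, baseline.threshold


# Constructed trace: 5 minutes of ~1,000-1,200 PPS, then a 2-minute 50,000 PPS flood.
NORMAL = [1000 + (i * 37) % 200 for i in range(300)]
TRACE = NORMAL + [50_000] * 120

if __name__ == "__main__":
    print("with exclusion:   ", replay(TRACE, True))
    print("without exclusion:", replay(TRACE, False))
```

With exclusion, every second of the flood alerts and the threshold stays near the clean baseline. Without it, the flood enters the window, the next recompute raises the threshold to 150,000 PPS, and the same flood stops alerting after 30 seconds.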