Customer stories

How a leading healthcare enterprise turned WAN brownouts into actionable network intelligence

A leading healthcare enterprise deployed Selector to unify SNMP, syslog, NetFlow, synthetic monitoring, controller telemetry, and change-management context into a correlation-driven operational workflow, helping teams investigate degradation faster, validate configuration changes, and expand toward more automated incident response.

At a glance

Customer

Leading healthcare enterprise

Industry

Healthcare

Deployment

Hybrid observability deployment with centralized analytics and distributed remote collection

Primary objectives

Improve WAN and network visibility
Correlate issues across multiple telemetry sources
Reduce alert noise
Accelerate investigation of service-impacting conditions
Validate network configuration changes against approved change requests
Support broader operational consolidation across monitoring, ticketing, and log-forwarding workflows

Key technologies & capabilities

SNMP polling
Syslog analytics and forwarding
Synthetic monitoring with ThousandEyes
Controller and API-based integrations
NetFlow ingestion and analysis
Topology-aware workflows
Event correlation
Anomaly detection
Configuration awareness
ServiceNow-based change validation
ITSM and automation workflow integration
Wireless visibility across Cisco DNAC and Meraki

Business outcomes

Better visibility into network degradation
More contextual troubleshooting
Reduced monitoring silos
Improved operational prioritization
Support for tool consolidation
A scalable foundation for proactive operations
Automated ticketing
Broader workflow expansion

Challenge

Solution

Selector unified infrastructure telemetry, synthetic test data, controller-driven insight, NetFlow, syslog, and ServiceNow change context into a single operational layer built for correlation, topology-aware investigation, and change-compliance validation.

Impact

The deployment gave network teams a more connected view of path health, device behavior, event relationships, and authorized users versus unauthorized change activity, while also creating a foundation for tool consolidation, smarter ticketing workflows, and more proactive operations over time.

OVERVIEW

Seeing the network as a connected system, not a set of isolated tools

The customer operates a distributed network environment where WAN performance, wireless health, device behavior, flow data, event activity, and path conditions all contribute to service quality. In that kind of environment, traditional monitoring alone is not enough. Teams need a way to understand how telemetry from different systems relates to the same operational condition.

Selector was deployed to provide that operational layer. The platform brought together device metrics, syslog, synthetic monitoring, controller-based telemetry, NetFlow, and contextual infrastructure data into a unified environment for investigation and analysis. Rather than treating each signal type independently, the deployment was built to help teams see how path degradation, configuration activity, infrastructure events, and device-level conditions connected to one another.

This made the solution useful not just as a monitoring platform, but as a way to improve how the organization investigated network degradation, validated changes, prioritized issues, and moved from symptom detection toward probable root cause analysis. It also created room for broader operational expansion as new data sources, workflows, and integrations were added over time.

Key challenges

Fragmented telemetry across key network domains

Critical insight was split across SNMP, syslog, synthetic monitoring, NetFlow, controller platforms, and operational workflows, making it difficult to evaluate service-impacting conditions in one place.

Limited context for brownouts, path degradation, and config-related issues

Performance issues could be detected, but understanding probable root cause required teams to manually connect path behavior, device state, flow activity, and recent configuration changes across separate systems.

No clear way to validate network changes against approved requests

The customer needed better visibility into who changes what, when the change occurred, and whether the activity was authorized through an approved ServiceNow change request. Without that context, unauthorized changes could be difficult to identify during an outage or broader degradation event.

A troubleshooting and ticketing model that did not scale

As the environment grew, manual correlation across tools became less efficient. The customer also wanted to reduce ticket noise and move toward a model where Selector-generated context and incidents could play a bigger role in troubleshooting and operational response.

THE CHALLENGE

When path degradation is visible everywhere and understandable nowhere

The customer already had access to substantial operational data, but the problem was not data scarcity. The problem was context. WAN conditions, wireless visibility, device health signals, flow records, log activity, synthetic test results, and ticketing workflows were spread across separate systems, making it difficult to determine which symptoms belonged together and which ones mattered most during an active issue.

That gap was especially important during brownouts, performance degradation, and suspected config-related incidents. In these scenarios, no signal tells the full story. Interface telemetry may show stress, ThousandEyes may show latency or path issues, NetFlow may reveal traffic concentration, syslog may capture change events, and ServiceNow may hold the approval context, but without correlation, those signals remain fragmented. Teams still have to assemble the broader picture manually.

As the environment scaled, that workflow became harder to sustain. Engineers needed a way to move beyond tool-by-tool troubleshooting and into a model where device metrics, path intelligence, event behavior, change validation, and infrastructure context could be analyzed together in a more operationally useful form.

THE SOLUTION

Unifying path, device, event, flow, and change context in one operational layer

Selector was deployed as a hybrid observability platform with centralized analytics and distributed remote collection. This gave the customer the flexibility to collect telemetry close to the source while still presenting a unified view for central operations teams. The architecture supported day-to-day investigation without requiring a single rigid collection model across the environment.

The platform ingested multiple telemetry types, including SNMP polling, syslog, NetFlow, synthetic monitoring, controller and API-based signals, and broader operational context. Common integrations included ThousandEyes for synthetic visibility and wireless-relevant data sources such as Cisco DNAC and Meraki, allowing path health, event behavior, application experience, and infrastructure state to be analyzed together rather than in isolation.

One of the most important use cases developed in this environment was configuration change compliance. Selector ingests configuration-related events from device syslogs, extracts change timing and user context, and enriches those events with change-request data pulled from ServiceNow. When a config change is detected, Selector can use SSH to retrieve the latest device configuration, compare it to the previous known version, identify what changed, and determine whether the activity falls within an approved change window. That allows teams to answer three critical questions quickly: who made the change, when it happened, and whether it was authorized.

That workflow turned configuration awareness into something operationally useful. Instead os simply knowing that a device changed, teams could evaluate whether the change was compliant or non-compliant and assess whether unauthorized activity may have contributed to a larger incident. This gave the customer a more direct path from suspicious change activity to probable root cause analysis.

Selector also supported broader workflow evolution beyond core monitoring. In addition to consuming syslog for its own telemetry and analytics, the platform was positioned to forward syslogs downstream to the customer’s tools for forensic and analytical use cases, opening the door to placing incumbent forwarding infrastructure, such as syslog-ng, with a more consolidated approach.

NetFlow was another important part of the deployment. Selector provided flow-level insight into top protocols, top destination ports, and top talkers in the environment, helping the customer understand where traffic concentration and chatter were occurring. That visibility was valuable enough to support the decision not to renew an incumbent NetScout deployment.

What Selector enabled

SNMP, syslog, and NetFlow in the same investigative workflow

Selector brought together device metrics, log activity, and flow data so teams could analyze network behavior in context instead of across disconnected tools.

Synthetic path visibility with operational context

Integrations such as ThousandEyes added path-level insight that could be evaluated alongside infrastructure telemetry, event activity, and service-impacting conditions.

Wireless and controller-based enrichment

Selector incorporated wireless-relevant visibility from Cisco DNAC and Meraki to strengthen investigation across branch, campus, and user-impacting network conditions.

Syslog forwarding beyond core telemetry ingestion

Selector supported a broader syslog-forwarding use case that could route logs to downstream customer tools for analysis and forensics while reducing reliance on legagy forwarding infrastructure such as syslog-ng.

Correlation across signal types

Metrics, logs, synthetic tests, and controller signals could be evaluated together to help isolate likely causes instead of only reporting symptoms.

Workflow alignment with ITSM and operational expansion

The deployment created a more usable path from detection to investigation while establishing a foundation for tighter ServiceNow integration, ticket-noise reduction, and broader workflow automation over time.

WHY THIS APPROACH MATTERED

Making observability useful at the moment of investigation

The technical value of this approach was not just broader ingestion. It was the ability to make different signal types operationally meaningful together. In large network environments, teams rarely solve problems by looking at metrics alone or logs alone. They solve them by understanding relationships across path behavior, wireless conditions, device state, traffic flows, config activity, tickets, and infrastructure context.

Selector helped create that relationship layer. By combining distributed collection with centralized analysis, the platform made it possible to preserve telemetry depth while reducing the operational friction of moving across separate systems. That meant investigations could start from a more complete picture of the issue instead of requiring manual assembly of evidence from multiple sources.

This also mattered from an architecture standpoint. The deployment supported enterprise observability goals without forcing the customer into a narrow collection model, while also creating a path toward broader workflow consolidation across flow analysis, syslog forwarding, correlation, and incident creation.

OUTCOMES

Making network signals more actionable for operations

The deployment gave the customer a stronger way to understand network degradation across a distributed environment. By bringing together telemetry from multiple operational sources and improving how those signals were correlated, Selector made it easier for teams to investigate brownouts, path issues, config-related incidents, and service-impacting events with clearer context.

That changed the operational workflow. Instead of relying on separate tools to piece together device health, path quality, traffic behavior, change activity, and event data, teams could work from a more unified operational layer. This improved visibility into where issues were developing, how they were related, and what infrastructure conditions were most relevant to investigation.

Just as importantly, the deployment established a stronger foundation for proactive operations and consolidation. Selector expanded from core observability into adjacent use cases such as config compliance, NetFlow insight, syslog forwarding, and future ticketing workflows, illustrating how the platform could replace or reduce reliance on legacy tools over time.

Results snapshot

Hybrid collection with centralized analysis

Selector combined distributed telemetry collection with a unified platform for investigation and operational visibility.

SNMP, syslog, NetFlow, and synthetic monitoring together

The deployment unified core network telemetry types in a single operational workflow built for faster, more contextual troubleshooting.

Config compliance built into network operations

Selector enabled the customer to validate configuration changes against approved ServiceNow requests and flag non-compliant activity as a possible root cause during incidents.

Common integrations such as ThousandEyes, Cisco DNAC, and Meraki

Path, application, and wireless-relevant signals could be correlated with infrastructure telemetry and event activity in one place.

Tool consolidation across legacy workflows

The deployment supported replacement or reduction of incumbent tools across NetFlow analysis, event correlation, and syslog forwarding use cases.

Foundation for broader operational automation

The deployment established a scalable base for stronger ticketing workflows, richer integrations, and more proactive operations as the deployment expands.

LOOKING AHEAD

Extending the value of unified observability

This deployment established a strong technical base for continued growth in network observability. With distributed collection, multi-source telemetry, and unified investigation workflows in place, the customer is well-positioned to expand coverage, deepen integrations, and support more advanced analytics over time. Current and planned direction includes broader data-source expansion, workflow integrations, and richer operational outputs across tools and teams.

As the environment evolves, that foundation can support broader use cases across performance monitoring, event analysis, reporting, collaboration, and automated response. The customer is currently working on continued ServiceNow workflow development, correlation exports into Splunk, visualization in Grafana for critical-site views, Microsoft Teams integration, and potential automation workflows via MCP-connected expansion.

What began as an effort to improve visibility into degradation and probable root cause has grown into a broader operational platform that supports expansion into new use cases, helps reduce dependence on incumbent tools, and creates a more practical path toward intelligent, proactive operations.

How a Global Hospitality Enterprise Unified Infrastructure Operations Across 7,000+ Properties

See how a global hospitality enterprise unified infrastructure visibility across 7,000+ properties to accelerate troubleshooting and improve operations.

How a Large Healthcare Organization Unified Clinical Infrastructure and End-User Operations

Learn how a large healthcare organization correlated infrastructure, application, and user experience data to accelerate investigations and improve operations.

How a Leading Healthcare Enterprise Turned WAN Brownouts into Actionable Network Intelligence

Discover how a healthcare enterprise unified network telemetry, validated configuration changes, and streamlined troubleshooting with Selector.