Netcool/OMNIbus Insight Pack

The Netcool/OMNIbus Insight® Pack enables you to view and search both historical and real time event data from Netcool/OMNIbus in the IBM® Operations Analytics - Log Analysis product. This documentation is for Tivoli® Netcool/OMNIbus Insight Pack 1.3.0.2.

The Insight Pack parses Netcool/OMNIbus event data into a format suitable for use by Operations Analytics - Log Analysis. The event data is transferred from Netcool/OMNIbus to Operations Analytics - Log Analysis by the IBM Tivoli Netcool/OMNIbus Gateway for Message Bus (nco_g_xml). For more information about the Gateway for Message Bus, see https://www.ibm.com/docs/en/SSSHTQ/omnibus/gateways/xmlintegration/wip/concept/xmlgw_intro.htmlexternal link.

Content of the Insight Pack

The Insight Pack provides the following data ingestion artifacts:
  • A Rule Set (with annotator and splitter) that parses Netcool/OMNIbus event data into Delimiter Separated Value (DSV) format.
  • A Source Type that matches the event fields in the Gateway for Message Bus map file.
  • A Collection that contains the provided Source Type.
  • Custom apps, which are described in Table 1.
  • A wizard to help you analyze and reduce event volumes, which is described in Event reduction wizard. The wizard also contains custom apps, which are described in Table 2.
Tip: The data that is shown by the custom apps originates in the alerts.status table of the Netcool/OMNIbus ObjectServer. For example, the Node identifies the entities from which events originate, such as hosts or device names. For more information about the columns of the alerts.status table, see IBM Documentation at https://www.ibm.com/docs/en/SSSHTQ_8.1.0/omnibus/wip/common/reference/omn_ref_tab_alertsstatus.htmlexternal link.

Custom apps

The following table describes the custom apps. The apps are all launched from the Operations Analytics - Log Analysis UI. Some apps can also be launched from event lists in the Netcool/OMNIbus WebGUI, that is, the Event Viewer or Active Event List (AEL). The configuration for launching the tools from the WebGUI is not included in this Insight Pack. To obtain this configuration, install the latest fix pack of the WebGUI 8.1.

Table 1. Custom apps in the Netcool/OMNIbus Insight Pack
Name and file name of app Can also be launched from WebGUI event list Description
OMNIbus Static Dashboard

OMNIbus_Static_Dashboard.app

Yes Opens a dashboard with charts that show the following event distribution information:
  • Event Trend by Severity
  • Event Storm by AlertGroup
  • Event Storm by Node
  • Hotspot by Node and AlertGroup
  • Severity Distribution
  • Top 5 AlertGroups Distribution
  • Top 5 Nodes Distribution
  • Hotspot by AlertGroup and Severity

The app searches against the specified data source, a time filter specified by the operator when they launch the tool, and the Node of the selected events. The app then generates charts based on the events returned by the search.

Charts supplied by the Tivoli Netcool/OMNIbus Insight Pack have changed in 1.3.0.2. The charts now specify a filter of NOT PubType:U which ensures that each event is counted once only, even if deduplications occur. The exception is the keyword search custom app which searches all events, including modified ones.

In the Operations Analytics - Log Analysis UI, the app requires data from a search result before it can run. If you do not run search before you run the apps, an error is displayed.
  1. To run a new search, click Add search and specify the string that you want to search for.
  2. A list of corresponding events is displayed in the search results.
  3. In the panel, click Search Dashboards > OMNIbusInsightPack and double-click Static Event Dashboard.
OMNIbus Keyword Search

OMNIbus_Keyword_Search.app

Yes

Uses information from the selected events to generate a keyword list with count, data source filter, and time filter in Operations Analytics - Log Analysis.

The app generates the keyword list from the specified columns of the selected events. The default columns are Summary, Node, and AlertGroup. The app then creates the data source filter with the value specified by the event list tool and creates the time filter with the value that was selected when the tool was launched.

In the Operations Analytics - Log Analysis UI, the app requires data from a search result before it can run. If you do not run search before you run the apps, an error is displayed.
  1. To run a new search, click Add search and specify the string that you want to search for.
  2. A list of corresponding events is displayed in the search results. Switch to the grid view and select the required entries. Click a column header to select the entire column.
  3. In the left panel, click Search Dashboards > OMNIbusInsightPack and double-click Keyword Search.
In the Search Patterns section, a list of keywords from the selected data is displayed. The event count associated with those keywords is in parentheses ().
OMNIbus Dynamic Dashboard

OMNIbus_Dynamic_Dashboard.app

No

Searches the events in the omnibus data source over the last day and generates a dashboard with eight charts. The charts are similar to the charts generated by the OMNIbus Static Dashboard app but they also support drill down. You can double-click any data point in the chart to open a search workspace that is scoped to the event records that make up that data point.

To open the dashboard in the Operations Analytics - Log Analysis user interface, click Search Dashboards > OMNIbusInsightPack > Last_Day > Dynamic Event Dashboard. This dashboard is not integrated with the event lists in the WebGUI.

OMNIbus_Operational_Efficiency

OMNIbus_Operational_Efficiency.app

No

Searches the events from the omnibus data source over the last month and generates a dashboard with the following charts.

  • Last Month - Top 10 AlertKeys: Shows the AlertKeys that generated the most events, distributed by severity.
  • Last Month - Top 10 AlertGroups: Shows the AlertGroups that generated the most events, distributed by severity.
  • Last Month - Top 10 Node: Shows the Nodes that generated the most events, distributed by severity.
  • Last Month - Hotspot by Node, Group, AlertKey: Combines the three other charts to show the Nodes, AlertGroups, and AlertKeys that generated the most events in a tree map.

To open the dashboard in the Operations Analytics - Log Analysis user interface, click Search Dashboards > OMNIbusInsightPack > Last_Month > Operational Efficiency. This dashboard is not integrated with the event lists in the WebGUI.

Event reduction wizard

The Event_Analysis_And_Reduction app is a guide to analyzing events in your environment and reducing event volumes. It consists of three sets of information and seven custom apps. The information is designed to help you understand the origin of high event volumes in your environment and create an action plan to reduce volumes. The information is in the first three nodes of the Event_Analysis_And_Reduction node on the UI: OMNIbus_Analyze_and_reduce_event_volumes, OMNIbus_Helpful_links, and OMNIbus_Introduction_to_the_Apps. The seven custom apps analyze the origins of the high event volumes in your environment. They are described in the following table. For the best results, run the apps in the order that is given here. The wizard and the app that it contains can be run only from the Operations Analytics - Log Analysis UI.
Table 2. Custom apps in the Event_Analysis_And_Reduction wizard
Name and file name of app Description
OMNIbus_Show_Event_1_Trend_Severity

OMNIbus_Show_Event_1_Trend_Severity.app

Shows charts with five common dimensions for analyzing trends in event volumes over time:
  • Event trends by severity for the past hour, aggregated by minute.
  • Event trends by severity for the past day, aggregated by hour.
  • Event trends by severity for the past week, aggregated by day.
  • Event trends by severity for the past month, aggregated by week.
  • Event trends by severity for the past year, aggregated by month.
OMNIbus_Show_Event_2_HotSpots_Node

OMNIbus_Show_Events_2_HotSpots_Node.app

Analyzes events by node, that is, the entities from which events originate. Examples include the source end point system, EMS or NMS, probe or gateway, and so on. You can modify this app to analyze the manager field, so that it shows the top event volumes by source system or integration. The app has the following charts:
  • The 20 nodes with the highest event counts over the past hour.
  • The 20 nodes with the highest event counts over the past day.
  • The 20 nodes with the highest event counts over the past week.
  • The 20 nodes with the highest event counts over the past month.
  • The 20 nodes with the highest event counts over the past year.
OMNIbus_Show_Event_3_HotSpots_AlertGroup

OMNIbus_Show_Events_3_HotSpots_AlertGroup.app

Analyzes the origin of events by the classification that is captured in the AlertGroup field, for example, the type of monitoring agent, or situation. The app has the following charts:
  • The 20 AlertGroups with the highest event counts over the past hour.
  • The 20 AlertGroups with the highest event counts over the past day.
  • The 20 AlertGroups with the highest event counts over the past week.
  • The 20 AlertGroups with the highest event counts over the past month.
  • The 20 AlertGroups with the highest event counts over the past year.
OMNIbus_Show_Event_4_HotSpots_AlertKey

OMNIbus_Show_Event_4_HotSpots_AlertKey.app

Analyzes the origin of events by the classification that is captured in the AlertKey field, for example, the type of monitoring agent or situation. The app has the following charts:
  • The 20 AlertKeys with the highest event counts over the past hour.
  • The 20 AlertKeys with the highest event counts over the past week.
  • The 20 AlertKeys with the highest event counts over the past month.
  • The 20 AlertKeys with the highest event counts over the past year.
OMNIbus_Show_Event_5_HotSpots_Node Severity

OMNIbus_Show_Event_5_HotSpots_NodeSeverity.app

Shows the nodes with the highest event counts by event severity. The app has the following charts:
  • The 10 nodes with the highest event counts by event severity over the past hour.
  • The 10 nodes with the highest event counts by event severity over the past day.
  • The 10 nodes with the highest event counts by event severity over the past week.
  • The 10 nodes with the highest event counts by event severity over the past month.
  • The 10 nodes with the highest event counts by event severity over the past year.
OMNIbus_Show_Event_6_HotSpots_NodeAlertGroup

OMNIbus_Show_Event_6_HotSpots_NodeAlertGroup.app

Shows the nodes with the highest event counts by the classification in the AlertGroup field, for example, the type of monitoring agent or situation. The app has the following charts:
  • The 10 nodes with the highest event counts from the top 5 AlertGroups over the past hour.
  • 10 nodes with the highest event counts from the top 5 AlertGroups over the past day.
  • The 10 nodes with the highest event counts from the top 5 AlertGroups over the past week.
  • The 10 nodes with the highest event counts from the top 5 AlertGroups over the past month.
  • The 10 nodes with the highest event counts from the top 5 AlertGroups over the past year.
OMNIbus_Show_Event_7_HotSpots_NodeAlertKey

OMNIbus_Show_Event_7_HotSpots_NodeAlertKey.

app

Shows the nodes with the highest event counts by the classification in the AlertKey field, for example, the monitoring agent or situation. The app has the following charts:
  • 10 nodes with the highest event counts from the top 5 AlertKeys over the past hour.
  • 10 nodes with the highest event counts from the top 5 AlertKeys over the past day.
  • 10 nodes with the highest event counts from the top 5 AlertKeys over the past week.
  • 10 nodes with the highest event counts from the top 5 AlertKeys over the past month.
  • 10 nodes with the highest event counts from the top 5 AlertKeys over the past year.

By default the custom apps include all events. To exclude certain events, for example, events that occur during maintenance windows, customise the search query used in the custom apps. For more information, see Customizing the Apps.