Displaying analytics details for an event group

To understand why these events were grouped together, click the option to show group details. This option displays the underlying temporal, topological, and scope-based groups that were brought together to form this event group.

Procedure

  1. Open an event group as described in the related link at the end of this topic.
  2. Click Correlation information. The Grouping side panel opens in the table. This panel shows why the events in the group are related, by showing the different subgroups that make up the event group. The panel contains three columns, as follows:
    Temporal group column
    Based on event history, the events in this column that are marked with a large dot tend to occur within a short time of each other.
    Note: Dots in this column that are marked with the same letter correspond to events that are part of the same historical temporal group. Dots that are not marked with a letter correspond to events that were brought into the event group by the temporal pattern analytics algorithm based on common patterns of behavior, and not based on historical occurrences.
    Scope-based group column
    The events in this column display scope-based groups, but can also display related event patterns and groups from your on-premises Event Analytics.
    Scope-based groups

    The events that are marked with a large dot occur within a configurable time window on an administrator-defined scope, such as a location, service, or resource. If a single scope identifier contributed to this grouping, then the group identifier is made up of the first three letters of the scope column used to generate the group.

    Related event patterns and groups from your on-premises Event Analytics
    If your Netcool software is running on a hybrid system made up of both Cloud and on-premises components, and if on-premises Event Analytics is installed as part of your on-premises installation, then this column can also display related event patterns and groups from your on-premises Event Analytics. In this case, the group identifier shows the first three letters of the Event Analytics configuration used to generate the related event pattern or group.

    For more information, see Connecting on-premises Event Analytics.

    Note: If multiple scope identifiers contributed to this grouping, or if any combination of scope identifiers and related event patterns and groups from your on-premises Event Analytics contributed to this grouping, then the group identifier is displayed as an ellipsis (three dots). When you drill into the group you will be able to see the details of the elements that contributed to this grouping.
    Topological group column
    The events in this column that are marked with a large dot occur on resources within a predefined section of your network topology.
    These sub-groups are joined together to form an event group if the same event occurs in two or more sub-groups. In this way multiple sub-groups can be joined together.
  3. Click a dot to see more details on any of these sub-groups.
    Click a link for information on one of these columns:
    Temporal group column
    Clicking a dot in this column opens the sidebar, with the Temporal correlation section open. This section contains the following information, to help you assess the validity of the group.
    Group details or Pattern Details
    The title of this tab might be either Group details or Pattern details.
    • Group details: the tab has this title if the group is purely based on historical co-occurrence of events.
    • Pattern details: the tab has this title if the temporal pattern analytics algorithm has identified patterns of behavior among temporal groups, which are similar, but occur on different resources.
    For more information on temporal groups and temporal patterns, see the related link at the end of this topic.
    Group details
    This tab displays details about the selected temporal group.
    First group instance
    Date and time of first instance of this group.
    Total group instances
    Total number of historical instances of this group. For details of when these instances occurred and how many events occurred in each instance, see the Group instance heatmap.
    Average instance duration
    Average time in seconds that this group instance lasted.
    Group instance heatmap
    Time-based heatmap showing recent historical period in months with a grey square for each day. Each darker square indicates a day on which there was at least one group instance. Hover over the square to see details of this group instance.
    Pattern details
    This tab displays details about the temporal pattern associated with the selected group. This tab only appears if the temporal pattern analytics algorithm has identified patterns of behavior among temporal groups, which are similar, but occur on different resources.
    Total pattern instances
    Total number of instances of this pattern across two or more temporal groups. For details of when these instances occurred, see the Pattern instance heatmap.
    Average instance duration
    Average time in seconds that this pattern instance lasted.
    Matched resource attributes
    Resources on which this pattern has been identified.
    Pattern instance heatmap
    Time-based heatmap showing:
    • In gray, the days when the temporal pattern occurred on the resource associated with the events currently selected in the events table.
    • In blue, the days when the temporal pattern occurred on other resources.
    Policy details
    To view the policy details for temporal groups, click the temporal grouping icon (dot icon) in the Temporal group column to open the sidebar, with the Temporal correlation section open. In the Temporal correlation section, click the More information link to open the Policy details page, with the name of the policy displayed on the page. On the Policy details page, you can configure the analytics policy that generated this group using the following controls. Any changes that you make here are visible to the administrator in the Policies GUI. For more information about the Policies GUI, see the related link at the end of this topic.
    Note: For Alerts grouped by Temporal Patterns policies, the More information link is unavailable.
    Status
    By default the policy is enabled, which means that the policy will continue to group together incoming events. Click the toggle to disable the policy. Disabled policies don't act on incoming events. However, as opposed to rejected policies, disabled policies remain in your administrator's main policy table and can be enabled at the click of a switch.
    Lock policy?

    Locked policies continue to act on incoming events. However, the analytics algorithm cannot update a locked policy.

    CAUTION:
    Once a policy has been locked it cannot be unlocked, even by an administrator. The unlock action on a policy will mark it as unlocked in this GUI, and in the Policies GUI, but the policy continues to be locked.
    Comment
    Add a comment on this policy. Your administrator will be able to see the comment in the Policies GUI.
    If you have sufficient permissions, then you also see the following options.
    Reject policy
    If you don't believe that the events in this temporal group or pattern belong together, then you can reject the associated analytics policy. Archived policies don't act on incoming events.
    More information
    Click this link to display the Temporal Details panel, where you can access more details on the historical instances of this group. For more details, see Temporal Details panel.
    Scope-based group column
    Clicking a dot in this column opens the sidebar, with the Scope-based correlation section open. Depending on the group identifier associated with this column, the information in this section varies.
    Group identifier | Content
    Ellipsis (three dots) | A drop-down list showing all of the scope identifiers and/or related event patterns and groups from your on-premises Event Analytics system that contributed to this scope-based group. Select one of the items from the drop-down list and see one of the following sections for more information.
    Scope identifier | See Scope-based groups.
    Related event pattern or group from your on-premises Event Analytics system | See Related event pattern or group from your on-premises Event Analytics.
    Scope-based groups
    Scope identifier
    Name of the column that contains the scope value.
    Scope
    Displays the value of the scope parameter ScopeID used to group these events together. This is typically a location, service or resource value.
    Number of events in group
    Number of events in the scope-based group; that is, the number of events that have occurred within a defined time window on the location, service or resource value in the Scope field.
    Group duration
    Duration of the scope-based group.
    Event table
    Lists the events that make up this scope-based event group.
    Related event pattern or group from your on-premises Event Analytics
    Scope identifier
    Name of the column that contains the scope value. The column name indicates whether this grouping is based on an Event Analytics related event pattern or group.
    • CEAImpactPatternScopeId: Indicates that this grouping is based on an Event Analytics related event pattern.
    • CEAImpactREGroupScopeId: Indicates that this grouping is based on an Event Analytics related event group.
    Scope
    Displays the value of the Event Analytics related event pattern or group used to group these events together. This scope value takes one of the following forms, depending on whether the grouping is based on an Event Analytics related event pattern or group:
    Based on a pattern
    The scope value takes the following form.
    Event-analytics-configuration-name_SuggestionX_Data
    Where:
    • Event-analytics-configuration-name is the name of the Event Analytics configuration on which the related event pattern is based.
    • X is the number of the suggested pattern generated by the associated event pattern within Event Analytics.
    • Data is a set of data that helps to identify the pattern.
    Based on a group
    The scope value takes the following form.
    Event-analytics-configuration-name:X:Data
    Where:
    • Event-analytics-configuration-name is the name of the Event Analytics configuration on which the related event pattern is based.
    • X is a single digit value that helps to identify the related events group.
    • Data is a multiple digit value that helps to identify the related events group.
    Number of events in group
    Number of events in this event grouping.
    Group duration
    Duration of this event grouping.
    Event table
    Lists the events that make up this event grouping.
    Topological group column
    Clicking a dot in this column opens the sidebar, with the Topology correlation section open. This section contains the following information:
    Topology group name
    Name of the topology defined in the topology management service, on which this topology group is based. For more information on how topological groups are defined based on defined topologies, see the related link at the end of this topic.
    Topology
    Pane showing the resources in the topology on which this topology group is based. You can perform the following actions on the topology.
    Table 1. Actions on the topology
    Item | Action | Result
    Resource | Hover over | Highlights the event(s) on that resource in the events table.
    Resource | Click | Displays the relationships between that resource and neighboring resources. The relationships are displayed in text on the lines connecting the resources. Examples of relationships include: runsOn, members, exposes.
    Resource | Right-click | Displays the following options: Resource details (lists property values for this resource); Comments (provide a comment on this resource here).
    Connection (lines connecting the resources) | Right-click | Displays the following options: Relationship details (lists property values for this relationship).
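The joining rule described in step 2 (sub-groups are joined when the same event occurs in two or more of them, so several sub-groups can chain together) can be traced with a small union-find. This is an added illustration, not product code; the function name, sub-group labels and event ids are constructed for the example.

```python
from collections import defaultdict


def join_subgroups(subgroups):
    """Merge sub-groups that share at least one event.

    subgroups: dict mapping a sub-group label to a set of event ids.
    Returns a sorted list of (labels, event ids), one entry per event group.
    """
    parent = {label: label for label in subgroups}

    def find(label):
        while parent[label] != label:
            parent[label] = parent[parent[label]]  # path halving
            label = parent[label]
        return label

    first_seen = {}  # event id -> first sub-group that contained it
    for label, events in subgroups.items():
        for event in events:
            if event in first_seen:
                # Same event in two sub-groups: join them.
                parent[find(label)] = find(first_seen[event])
            else:
                first_seen[event] = label

    merged = defaultdict(lambda: (set(), set()))
    for label, events in subgroups.items():
        labels, all_events = merged[find(label)]
        labels.add(label)
        all_events.update(events)
    return sorted((sorted(l), sorted(e)) for l, e in merged.values())


# Constructed sample: labels and event ids are made up for illustration.
SAMPLE = {
    "temporal:A": {"ev1", "ev2"},
    "scope:Nod": {"ev2", "ev3"},        # shares ev2 with temporal:A
    "topology:rack7": {"ev3", "ev4"},   # shares ev3 with scope:Nod
    "temporal:B": {"ev9"},              # shares nothing, stays separate
}

if __name__ == "__main__":
    for labels, events in join_subgroups(SAMPLE):
        print(labels, "->", events)
```

The temporal and topological sub-groups share no event directly, yet they end up in one event group because each overlaps the scope-based sub-group.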
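The two scope value forms listed for related event patterns and groups can be split apart as follows, for example when reviewing exported group data. This is an added example, not product code; parse_scope, group_identifier and the sample values are hypothetical, and it assumes that the three letters shown for an ordinary scope come from the column name.

```python
import re

# Column names as given on the page; each selects one documented scope form.
PATTERN_COLUMN = "CEAImpactPatternScopeId"
GROUP_COLUMN = "CEAImpactREGroupScopeId"

# name_SuggestionX_Data. The name is matched greedily, so a configuration
# name that itself contains underscores is kept whole.
_PATTERN_RE = re.compile(r"^(?P<config>.+)_Suggestion(?P<x>\d+)_(?P<data>.+)$")
# name:X:Data, with X a single digit and Data a multiple-digit value.
_GROUP_RE = re.compile(r"^(?P<config>.+):(?P<x>\d):(?P<data>\d{2,})$")


def parse_scope(scope_identifier, scope_value):
    """Split an Event Analytics scope value into its documented parts.

    Returns None for an ordinary scope column, whose value is simply a
    location, service or resource.
    """
    if scope_identifier == PATTERN_COLUMN:
        kind, regex = "pattern", _PATTERN_RE
    elif scope_identifier == GROUP_COLUMN:
        kind, regex = "group", _GROUP_RE
    else:
        return None
    match = regex.match(scope_value)
    if match is None:
        raise ValueError(f"{scope_identifier}: unexpected value {scope_value!r}")
    return {"kind": kind, "configuration": match["config"],
            "x": int(match["x"]), "data": match["data"]}


def group_identifier(contributors):
    """Label next to the dot for a list of (scope_identifier, scope_value).

    Assumption: for an ordinary scope the three letters come from the
    column name.
    """
    if not contributors:
        raise ValueError("a scope-based group needs at least one contributor")
    if len(contributors) > 1:
        return "..."  # several contributors are shown as an ellipsis
    column, value = contributors[0]
    parsed = parse_scope(column, value)
    return (parsed["configuration"] if parsed else column)[:3]


# Constructed sample values, not taken from a real system.
SAMPLE = [(PATTERN_COLUMN, "Weekly_EU_Suggestion4_NodeAlias"),
          (GROUP_COLUMN, "Weekly_EU:1:1048"),
          ("Location", "London")]
```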

What to do next

The Temporal Details panel displays more details on the historical instances of a temporal group. The following information is displayed:
Toolbar
Search
Searches event data in all event group instances shown on this page.
Views
Changes the event columns shown in the Overview timeline, the Event group instance timeline, and the Event group instance details sections of this page.
Filter
Filters the events shown by severity and other column values.
Overview timeline
Displays event group instances over time and controls the display of event group instance data on the rest of the page. By default the time range sliders are open sufficiently to show data on all event group instances. Modify the time range by either clicking and dragging over the desired range inside the timeline, or by dragging the sliders to the desired range. The rest of the screen updates accordingly.
Event group instance timeline
Displays all of the events that have historically participated in instances of this temporal event group. The instance map provides a graphical view over time of when the various instances have occurred.
Event group instance details
Displays the following information for each event group instance:
Start date and time of event group instance
Indicates the first occurrence value of the first event in the event group instance.
Distribution of event severity values
Pie chart providing a visual indication of the event severity values. Hover over the pie chart for more details.
Sparkline
Chart of event occurrence over time.
Duration of event group instance
Duration of the event group instance, in text.
Down chevron icon
Click the down chevron icon to see an event table showing column details for each event in this group instance.