To understand why these events were grouped together, click the option to show group details. This option displays the underlying temporal, topological, and scope-based groups that were brought together to form this event group.
Procedure
- Open an event group as described in the related link at the end of this topic.
- Click Correlation information. The Grouping side panel opens in the table. This panel shows why
the events in the group are related, by showing the different subgroups that make up the event
group. The panel contains three columns, as follows:
- Temporal group column
- Based on event history, the events in this column that are marked with a large dot tend to occur
within a short time of each other.
Note: Dots in this column that are marked with the same letter
correspond to events that are part of the same historical temporal group. Dots that are not marked
with a letter correspond to events that were brought into the event group by the temporal pattern
analytics algorithm based on common patterns of behavior, and not based on historical
occurrences.
- Scope-based group column
- The events in this column display scope-based groups, but can also display related event
patterns and groups from your on-premises Event Analytics.
- Scope-based groups
- The events that are marked with a large dot occur within a
configurable time window on an administrator-defined scope, such as a location, service, or
resource. If a single scope identifier contributed to this grouping, then the group identifier is
made up of the first three letters of the scope column used to generate the group.
- Related event patterns and groups from your on-premises Event Analytics
- If your Netcool software is running on a hybrid system made up of both Cloud and on-premises
components, and if on-premises Event Analytics is installed as part of your on-premises
installation, then this column can also display related event patterns and groups from your
on-premises Event Analytics. In this case, the group identifier shows the first three letters of the
Event Analytics configuration used to generate the related event pattern or group.
For more information, see Connecting on-premises Event Analytics.
Note: If multiple scope identifiers contributed to this grouping, or if any combination of
scope identifiers and related event patterns and groups from your on-premises Event Analytics
contributed to this grouping, then the group identifier is displayed as an ellipsis (three dots).
When you drill into the group you will be able to see the details of the elements that contributed
to this grouping.
- Topological group column
- The events in this column that are marked with a large dot occur on
resources within a predefined section of your network topology.
These sub-groups are joined together to form an event group if the same event occurs in two or
more sub-groups. In this way multiple sub-groups can be joined together.
- Click a dot to see more details on any of these sub-groups.
Click a link for information on one of these columns:
- Temporal group column
- Clicking a dot in this column opens the sidebar, with the Temporal
correlation section open. This section contains the following information, to help you
assess the validity of the group.
- Group details or Pattern Details
- The title of this tab might be either Group details or Pattern
details.
- Group details: the tab has this title if the group is purely based on
historical co-occurrence of events.
- Pattern details: the tab has this title if the temporal
pattern analytics algorithm has identified patterns of behavior among temporal groups, which are
similar, but occur on different resources.
For more information on temporal groups and temporal patterns, see the related link at the end
of this topic.
- Group details
- This tab displays details about the selected temporal group.
- First group instance
- Date and time of first instance of this group.
- Total group instances
- Total number of historical instances of this group. For details of when these instances occurred
and how many events occurred in each instance, see the Group instance heatmap.
- Average instance duration
- Average time in seconds that this group instance lasted.
- Group instance heatmap
- Time-based heatmap showing recent historical period in months with a grey square for each day.
Each darker square indicates a day on which there was at least one group instance. Hover over the
square to see details of this group instance.
- Pattern details
- This tab displays details about the temporal pattern associated with the selected group. This
tab only appears if the temporal
pattern analytics algorithm has identified patterns of behavior among temporal groups, which are
similar, but occur on different resources.
- Total pattern instances
- Total number of instances of this pattern across two or more temporal groups. For details of
when these instances occurred, see the Pattern instance heatmap.
- Average instance duration
- Average time in seconds that this pattern instance lasted.
- Matched resource attributes
- Resources on which this pattern has been identified.
- Pattern instance heatmap
- Time-based heatmap showing:
- In gray, the days when the temporal pattern occurred on the resource associated with the events
currently selected in the events table.
- In blue, the days when the temporal pattern occurred on other resources.
- Policy details
- To view the policy details for temporal groups, click the temporal grouping icon (dot icon) in the
Temporal group column to open
the sidebar, with the Temporal correlation section open. In the
Temporal correlation section, click the More
information link to open the Policy details page, with the name of the policy displayed
on the page. On the Policy details page, you can configure the analytics policy that generated this
group using the following controls. Any changes that you make here are visible to the administrator
in the Policies GUI. For more
information about the Policies GUI,
see the related link at the end of this topic.
Note: For Alerts grouped by Temporal Patterns
policies, the More information link is unavailable.
- Status
- By default the policy is enabled, which means that the policy will continue to group together
incoming events. Click the toggle to disable the policy. Disabled policies don't act on incoming
events. However, as opposed to rejected policies, disabled policies remain in your administrator's
main policy table and can be enabled at the click of a switch.
- Lock policy?
- Locked policies continue to act on incoming events. However, the analytics algorithm cannot update a locked policy.
CAUTION: Once a policy has been locked it cannot be unlocked, even by an administrator. The unlock action on a policy will mark it as unlocked in this GUI, and in the Policies GUI, but the policy continues to be locked.
- Comment
- Add a comment on this policy. Your administrator will be able to see the comment in the
Policies GUI.
If you have sufficient permissions, then you also see the following options.
- Reject policy
- If you don't believe that the events in this temporal group or pattern belong together, then you
can reject the associated analytics policy. Archived policies don't act on incoming events.
- More information
- Click this link to display the Temporal Details panel, where you can access
more details on the historical instances of this group. For more details, see Temporal Details panel.
- Scope-based group column
- Clicking a dot in this column opens the sidebar, with the Scope-based
correlation section open. The information in this section varies, depending on the group
identifier next to the dot associated with this column.
Group identifier | Content |
Ellipsis (three dots) | A drop-down list showing all of the scope identifiers and/or related event patterns and groups from your on-premises Event Analytics system that contributed to this scope-based group. Select one of the items from the drop-down list and see one of the following sections for more information. |
Scope identifier | See Scope-based groups. |
Related event pattern or group from your on-premises Event Analytics system | See Related event pattern or group from your on-premises Event Analytics. |
- Scope-based groups
- Scope identifier
- Name of the column that contains the scope value.
- Scope
- Displays the value of the scope parameter ScopeID used to group these events
together. This is typically a location, service or resource value.
- Number of events in group
- Number of events in the scope-based group; that is, the number of events that have occurred
within a defined time window on the location, service or resource value in the
Scope field.
- Group duration
- Duration of the scope-based group.
- Event table
- Lists the events that make up this scope-based event
group.
- Related event pattern or group from your on-premises Event Analytics
- Scope identifier
- Name of the column that contains the scope value. The column name indicates whether this
grouping is based on an Event Analytics related event pattern or group.
- CEAImpactPatternScopeId: Indicates that this grouping is based on an
Event Analytics related event pattern.
- CEAImpactREGroupScopeId: Indicates that this grouping is based on an
Event Analytics related event group.
- Scope
- Displays the value of the Event Analytics related event pattern or group used to group these
events together. This scope value takes one of the following forms depending on whether the grouping
is based on an Event Analytics related event pattern or group:
- Based on a pattern
- The scope value takes the following form.
Event-analytics-configuration-name_SuggestionX_Data
Where:
Event-analytics-configuration-name is the name of the Event Analytics configuration on which the
related event pattern is based.
X is the number of the suggested pattern generated by the associated event pattern within Event
Analytics.
Data is a set of data that helps to identify the pattern.
- Based on a group
- The scope value takes the following form.
Event-analytics-configuration-name:X:Data
Where:
Event-analytics-configuration-name is the name of the Event Analytics configuration on which the
related event pattern is based.
X is a single digit value that helps to identify the related events group.
Data is a multiple digit value that helps to identify the related events group.
- Number of events in group
- Number of events in this event grouping.
- Group duration
- Duration of this event grouping.
- Event table
- Lists the events that make up this event grouping.
- Topological group column
- Clicking a dot in this column opens the sidebar, with the Topology
correlation section open. This section contains the following information:
- Topology group name
- Name of the topology defined in the topology management service, on which this
topology group is based. For more information on how topological groups are defined based on defined
topologies, see the related link at the end of this topic.
- Topology
- Pane showing the resources in the topology on which this topology group is based. You can
perform the following actions on the topology.
Table 1. Actions on the topology
Item | Action | Result |
Resource | Hover over | Highlights the event(s) on that resource in the events table. |
Resource | Click | Displays the relationships between that resource and neighboring resources. The relationships are displayed in text on the lines connecting the resources. Examples of relationships include: runsOn, members, exposes. |
Resource | Right-click | Displays the following options: Resource details (lists property values for this resource); Comments (provide a comment on this resource here). |
Connection (lines connecting the resources) | Right-click | Displays the following options: Relationship details (lists property values for this relationship). |
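The rule described earlier for the Grouping panel, that sub-groups are joined into one event group when the same event occurs in two or more of them, amounts to finding connected components over shared events. The following sketch is an added illustration, not product code; the sub-group names, event ids and the `join_subgroups` function are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: sub-group name -> ids of the events it contains.
SUBGROUPS = {
    "temporal:A": {"ev1", "ev2"},
    "scope:LOC": {"ev2", "ev3"},
    "topology:core-switch": {"ev3", "ev4"},
    "temporal:B": {"ev7", "ev8"},
}


def join_subgroups(subgroups):
    """Merge sub-groups that share at least one event, transitively."""
    parent = {name: name for name in subgroups}

    def find(name):
        # Walk to the representative sub-group, shortening the path on the way.
        while parent[name] != name:
            parent[name] = parent[parent[name]]
            name = parent[name]
        return name

    first_seen = {}  # event id -> first sub-group that contained it
    for name, events in subgroups.items():
        for event in events:
            if event in first_seen:
                # Same event in two sub-groups: they belong to one event group.
                parent[find(name)] = find(first_seen[event])
            else:
                first_seen[event] = name

    merged = defaultdict(lambda: {"subgroups": set(), "events": set()})
    for name, events in subgroups.items():
        root = find(name)
        merged[root]["subgroups"].add(name)
        merged[root]["events"] |= events

    # Sorted lists give a stable, comparable result.
    return sorted(
        (sorted(g["subgroups"]), sorted(g["events"])) for g in merged.values()
    )


if __name__ == "__main__":
    for names, events in join_subgroups(SUBGROUPS):
        print(names, "->", events)
```

Here temporal:A and topology:core-switch share no event directly, but both overlap with scope:LOC, so all three end up in one event group while temporal:B stays on its own.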
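The two Scope value forms documented above for on-premises Event Analytics groupings can be checked and split before the value is used in a report or automation. This parser is an added example, not product code; `parse_ea_scope` and the sample values are constructed, and the regular expressions assume only what the page states about X and Data.

```python
import re

# Forms documented on this page:
#   pattern: Event-analytics-configuration-name_SuggestionX_Data
#   group:   Event-analytics-configuration-name:X:Data
#            (X is a single digit, Data is a multiple digit value)
PATTERN_RE = re.compile(r"^(?P<config>.+)_Suggestion(?P<x>\d+)_(?P<data>.+)$")
GROUP_RE = re.compile(r"^(?P<config>.+):(?P<x>\d):(?P<data>\d{2,})$")

# The scope identifier column says which form the scope value takes.
FORMS = {
    "CEAImpactPatternScopeId": ("pattern", PATTERN_RE),
    "CEAImpactREGroupScopeId": ("group", GROUP_RE),
}


def parse_ea_scope(scope_identifier, scope_value):
    """Split an Event Analytics scope value into its documented parts.

    Raises ValueError when the identifier is not one of the two Event
    Analytics columns or the value does not match the expected form.
    """
    if scope_identifier not in FORMS:
        raise ValueError(f"not an Event Analytics scope column: {scope_identifier!r}")
    kind, regex = FORMS[scope_identifier]
    match = regex.match(scope_value)
    if match is None:
        raise ValueError(f"{scope_value!r} is not a valid {kind} scope value")
    return {
        "kind": kind,
        "config": match["config"],  # greedy, so names containing '_' or ':' survive
        "x": int(match["x"]),
        "data": match["data"],
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    print(parse_ea_scope("CEAImpactPatternScopeId", "dc_east_cfg_Suggestion12_x_y"))
    print(parse_ea_scope("CEAImpactREGroupScopeId", "NetworkFaults:3:104857"))
```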