Displaying analytics details for an alert group

To understand why these alerts were grouped together, click the option to show group details. This option displays the underlying temporal, topological, and scope-based groups that were brought together to form this alert group.

Procedure

  1. Open an alert group as described in the related link at the end of this topic.
  2. Click the Correlation information icon. The Grouping side panel opens in the table. This panel shows why the alerts in the group are related, by showing the different subgroups that make up the alert group. The panel contains three columns, as follows:
    Temporal group column
    Based on event history, the alerts in this column that are marked with a large dot tend to occur within a short time of each other.
    Note: Dots in this column that are marked with the same letter correspond to events that are part of the same historical temporal group. Dots that are not marked with a letter correspond to events that were brought into the alert group by the temporal pattern analytics algorithm based on common patterns of behavior, and not based on historical occurrences.
    Scope-based group column
    The alerts in this column display scope-based groups, but can also display related alert patterns and groups from your on-premises Event Analytics.
    Scope-based groups

    The alerts that are marked with a large dot occur within a configurable time window on an administrator-defined scope, such as a location, service, or resource. If a single scope identifier contributed to this grouping, then the group identifier is made up of the first three letters of the scope column used to generate the group.

    Related event patterns and groups from your on-premises Event Analytics
    If your Netcool® software is running on a hybrid system made up of both Cloud and on-premises components, and if on-premises Event Analytics is installed as part of your on-premises installation, then this column can also display related event patterns and groups from your on-premises Event Analytics. In this case, the group identifier shows the first three letters of the Event Analytics configuration used to generate the related event pattern or group.

    For more information, see Connecting on-premises Event Analytics.

    Note: If multiple scope identifiers contributed to this grouping, or if any combination of scope identifiers and related event patterns and groups from your on-premises Event Analytics contributed to this grouping, then the group identifier is displayed as an ellipsis (three dots). When you drill into the group, you can see the details of the elements that contributed to this grouping.
    Topological group column
    The alerts in this column that are marked with a large dot occur on resources within a predefined section of your network topology.
    These sub-groups are joined together to form an alert group if the same alert occurs in two or more sub-groups. In this way multiple sub-groups can be joined together.
  3. Click a dot to see more details on any of these sub-groups.
    Click a link for information on one of these columns:
    Temporal group column
    Clicking a dot in this column opens the sidebar, with the Temporal correlation section open. This section contains the following information, to help you assess the validity of the group.
    Group details or Pattern details
    The title of this tab might be either Group details or Pattern details.
    • Group details: the tab has this title if the group is purely based on historical co-occurrence of alerts.
    • Pattern details: the tab has this title if the temporal pattern analytics algorithm has identified patterns of behavior among temporal groups that are similar but occur on different resources.
    For more information on temporal groups and temporal patterns, see the related link at the end of this topic.
    Group details
    This tab displays details about the selected temporal group.
    First group instance
    Date and time of first instance of this group.
    Total group instances
    Total number of historical instances of this group. For details of when these instances occurred and how many events occurred in each instance, see the Group instance heatmap.
    Average instance duration
    Average time in seconds that this group instance lasted.
    Group instance heatmap
    Time-based heatmap showing recent historical period in months with a grey square for each day. Each darker square indicates a day on which there was at least one group instance. Hover over the square to see details of this group instance.
    Pattern details
    This tab displays details about the temporal pattern associated with the selected group. This tab only appears if the temporal pattern analytics algorithm has identified patterns of behavior among temporal groups, which are similar, but occur on different resources.
    Total pattern instances
    Total number of instances of this pattern across two or more temporal groups. For details of when these instances occurred, see the Pattern instance heatmap.
    Average instance duration
    Average time in seconds that this pattern instance lasted.
    Matched resource attributes
    Resources on which this pattern has been identified.
    Pattern instance heatmap
    Time-based heatmap showing:
    • In gray, the days when the temporal pattern occurred on the resource associated with the alerts currently selected in the alerts table.
    • In blue, the days when the temporal pattern occurred on other resources.
    Policy details
    To view the policy details for temporal groups, click the temporal grouping icon (dot icon) in the Temporal group column to open the sidebar, with the Temporal correlation section open. In the Temporal correlation section, click the More information link to open the Policy details page, with the name of the policy displayed on the page. On the Policy details page, you can configure the analytics policy that generated this group using the following controls. Any changes that you make here are visible to the administrator in the Policies GUI. For more information about the Policies GUI, see the related link at the end of this topic.
    Note: For Alerts grouped by Temporal Patterns policies, the More information link is unavailable.
    Status
    By default the policy is enabled, which means that the policy will continue to group together incoming alerts. Click the toggle to disable the policy. Disabled policies don't act on incoming alerts. However, as opposed to rejected policies, disabled policies remain in your administrator's main policy table and can be enabled at the click of a switch.
    Lock policy?

    Locked policies continue to act on incoming alerts. However, the analytics algorithm cannot update a locked policy.

    CAUTION:
    After a policy is locked it cannot be unlocked, even by an administrator. The unlock action on a policy marks it as unlocked in this GUI, and in the Policies GUI, but the policy continues to be locked.
    Comment
    Add a comment on this policy. Your administrator will be able to see the comment in the Policies GUI.
    If you have sufficient permissions, then you also see the following options.
    Reject policy
    If you don't believe that the alerts in this temporal group or pattern belong together, then you can reject the associated analytics policy. Archived policies don't act on incoming alerts.
    More information
    Click this link to display the Temporal Details window, where you can access more details on the historical instances of this group. For more details, see Temporal Details window.
    Scope-based group column
    Clicking a dot in this column opens the sidebar, with the Scope-based correlation section open. Depending on the group identifier associated with this column, the information in this section varies.
    Group identifier and the corresponding content:
    Ellipsis (three dots)
    A drop-down list showing all of the scope identifiers and/or related event patterns and groups from your on-premises Event Analytics system that contributed to this scope-based group. Select one of the items from the drop-down list and see one of the following sections for more information.
    Scope identifier
    See Scope-based groups.
    Related event pattern or group from your on-premises Event Analytics system
    See Related event pattern or group from your on-premises Event Analytics.
    Scope-based groups
    Scope identifier
    Name of the column that contains the scope value.
    Scope
    Displays the value of the scope parameter ScopeID used to group these alerts together. This is typically a location, service or resource value.
    Number of alerts in group
    Number of alerts in the scope-based group; that is, the number of alerts that have occurred within a defined time window on the location, service or resource value in the Scope field.
    Group duration
    Duration of the scope-based group.
    Alert table
    Lists the alerts that make up this scope-based alert group.
    Related event pattern or group from your on-premises Event Analytics
    Scope identifier
    Name of the column that contains the scope value. The column name indicates whether this grouping is based on an Event Analytics related event pattern or group.
    • CEAImpactPatternScopeId: Indicates that this grouping is based on an Event Analytics related event pattern.
    • CEAImpactREGroupScopeId: Indicates that this grouping is based on an Event Analytics related event group.
    Scope
    Displays the value of the Event Analytics related event pattern or group used to group these events together. This scope value takes one of the following forms, depending on whether the grouping is based on an Event Analytics related event pattern or group:
    Based on a pattern
    The scope value takes the following form.
    Event-analytics-configuration-name_SuggestionX_Data
    Where:
    • Event-analytics-configuration-name is the name of the Event Analytics configuration on which the related event pattern is based.
    • X is the number of the suggested pattern generated by the associated event pattern within Event Analytics.
    • Data is a set of data that helps to identify the pattern.
    Based on a group
    The scope value takes the following form.
    Event-analytics-configuration-name:X:Data
    Where:
    • Event-analytics-configuration-name is the name of the Event Analytics configuration on which the related event pattern is based.
    • X is a single digit value that helps to identify the related events group.
    • Data is a multiple digit value that helps to identify the related events group.
    Number of events in group
    Number of events in this event grouping.
    Group duration
    Duration of this event grouping.
    Event table
    Lists the events that make up this event grouping.
    Topological group column
    Clicking a dot in this column opens the sidebar, with the Topology correlation section open. This section contains the following information:
    Topology group name
    Name of the topology defined in the topology management service, on which this topology group is based. For more information on how topological groups are defined based on defined topologies, see the related link at the end of this topic.
    Topology
    Pane showing the resources in the topology on which this topology group is based. You can perform the following actions on the topology.
    Table 1. Actions on the topology (item, action, result)
    Resource
    • Hover over: Highlights the alert(s) on that resource in the alerts table.
    • Click: Displays the relationships between that resource and neighboring resources. The relationships are displayed in text on the lines connecting the resources. Examples of relationships include: runsOn, members, exposes.
    • Right-click: Displays the following options:
        Resource details: Lists property values for this resource.
        Comments: Provide a comment on this resource here.
    Connection (lines connecting the resources)
    • Right-click: Displays the following options:
        Relationship details: Lists property values for this relationship.
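The joining rule from step 2 (sub-groups that share an alert are merged, transitively) and the scope-based group identifier rule, modelled as an added example. This is not the product's code; the sub-group names, alert IDs and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: sub-group id -> (kind, alert ids). Not product data.
SUBGROUPS = {
    "temporal:A": ("temporal", {"a1", "a2"}),
    "scope:Loc": ("scope", {"a2", "a3"}),
    "topology:T1": ("topological", {"a3", "a4"}),
    "temporal:B": ("temporal", {"a7", "a8"}),
}

def merge_subgroups(subgroups):
    """Join sub-groups into alert groups when they share at least one alert."""
    parent = {sid: sid for sid in subgroups}

    def find(x):
        # Union-find root lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # alert id -> first sub-group that contained it
    for sid, (_kind, alerts) in subgroups.items():
        for alert in alerts:
            if alert in first_seen:
                parent[find(sid)] = find(first_seen[alert])
            else:
                first_seen[alert] = sid

    groups = defaultdict(lambda: {"subgroups": set(), "alerts": set()})
    for sid, (_kind, alerts) in subgroups.items():
        group = groups[find(sid)]
        group["subgroups"].add(sid)
        group["alerts"] |= alerts
    return sorted(groups.values(), key=lambda g: sorted(g["alerts"]))

def scope_group_identifier(contributors):
    """Identifier shown in the Scope-based group column for one group.

    contributors: scope column names and/or Event Analytics configuration
    names that produced the group (hypothetical input shape).
    """
    unique = set(contributors)
    if not unique:
        raise ValueError("a scope-based group needs at least one contributor")
    # One contributor: its first three letters. Several: an ellipsis.
    return next(iter(unique))[:3] if len(unique) == 1 else "..."
```

In the sample, the temporal, scope-based and topological sub-groups chain through alerts a2 and a3 into a single alert group, while temporal:B stays separate.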
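The two Event Analytics scope value forms described under the Scope-based group column, parsed in an added example (not the product's code). The regular expressions are assumptions derived from the documented forms, and the configuration names and data values used with it are constructed.

```python
import re

# Column names are from the page; the regexes are assumptions built from the
# documented forms "name_SuggestionX_Data" and "name:X:Data".
PATTERN_RE = re.compile(r"^(?P<config>.+)_Suggestion(?P<x>\d+)_(?P<data>.+)$")
GROUP_RE = re.compile(r"^(?P<config>.+):(?P<x>\d):(?P<data>\d+)$")

FORMS = {
    "CEAImpactPatternScopeId": ("related event pattern", PATTERN_RE),
    "CEAImpactREGroupScopeId": ("related event group", GROUP_RE),
}

def parse_ea_scope(scope_identifier, scope_value):
    """Split an Event Analytics scope value into its documented parts.

    Returns None when the scope identifier is an ordinary scope column.
    Raises ValueError when the value does not fit the documented form.
    """
    if scope_identifier not in FORMS:
        return None
    kind, regex = FORMS[scope_identifier]
    match = regex.match(scope_value)
    if match is None:
        raise ValueError(f"{scope_value!r} is not a valid {kind} scope value")
    # Greedy matching keeps underscores or colons inside the configuration
    # name with the name rather than splitting on them.
    return {
        "kind": kind,
        "configuration": match["config"],
        "x": int(match["x"]),
        "data": match["data"],  # kept as text; the page treats it as opaque
    }
```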

What to do next

The Temporal Details window displays more details on the historical instances of a temporal group. The following information is displayed:
Toolbar
Search
Searches alert data in all event group instances shown on this page.
Views
Changes the alert columns shown in the Overview timeline, the Event group instance timeline, and the Event group instance details sections of this page.
Filter
Filters the alerts shown by severity and other column values.
Overview timeline
Displays alert group instances over time and controls the display of alert group instance data on the rest of the page. By default the time range sliders are open sufficiently to show data on all alert group instances. Modify the time range by either clicking and dragging over the desired range inside the timeline, or by dragging the sliders to the desired range. The rest of the screen updates accordingly.
Alert group instance timeline
Displays all of the alerts that have historically participated in instances of this temporal alert group. The instance map provides a graphical view over time of when the various instances have occurred.
Alert group instance details
Displays the following information for each alert group instance:
Start date and time of event group instance
Indicates the first occurrence value of the first alert in the alert group instance.
Distribution of event severity values
Pie chart providing a visual indication of the alert severity values. Hover over the pie chart for more details.
Sparkline
Chart of alert occurrence over time.
Duration of event group instance
Duration of the alert group instance, in text.
Down chevron icon
Click the Down chevron icon to see an alert table showing column details for each alert in this group instance.