Understanding Event Insights


This chapter describes how to view and interact with the Event Insights page (Events > Event Insights).

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

How SL1 Provides Event Insights Data

The Event Insights page provides a global view of the alerts generated by SL1, the events created as the result of specific alert conditions, and the number of events that are currently active. You can use this page to track the source of your events and monitor the noise reduction that SL1 is providing for you.

Noise reduction is the percentage of alerts that did not become events in SL1. A mature, tuned SL1 system will have a high noise reduction percentage, as SL1 is sharing only the events that matter to your environment.

Comparing alerts and events in SL1:

  • An alert is defined by a formula that SL1 evaluates each time data is collected. If the formula evaluates to "true" while SL1 is collecting data on the devices in your environment, SL1 generates an alert.
  • Events are messages that are triggered when a specific condition is met. For example, an event can signal that a server has gone down, that a device is exceeding CPU or disk-space thresholds, or that communication with a device has failed. Alternatively, an event can simply display the status of a managed element.
  • Not every alert will trigger an event. An alert must have an event policy in SL1 that defines the conditions for the event, and when an alert meets the conditions in the event policy, SL1 generates an event.

The Event Insights page (Events > Event Insights) lets administrator users see how SL1 evaluates alerts ("alarms") and reduces data noise. SL1 treats as noise any extraneous data collected by a large system that provides little insight to the administrator. The Event Insights page sifts out this extraneous data, resulting in a more valuable and refined event-generation process. The resulting data is viewable in the Overview tab of the Event Insights page.

You can change the time range for the data displayed on this page.

To set the time range for the data displayed on this page:

  1. Click the Time Selector drop-down at the top right of the page. The Time Selector page appears.

  2. Review the available time range options for the From and To fields.

  3. Either type a specific time range into the From and To fields, or select one of the ranges listed under the Absolute Time Range and Relative Time Range headers.

  4. If your time range requires a specific time of day, select Specify Time.

  5. To display data from a specific start date up to the current time, select the Live Data checkbox. To view a fixed range that ends before the current date, leave the checkbox cleared.

  6. Click Apply to update the page with data for the selected time range.

Elements of the Event Insights Page

The Overview tab of the Event Insights page displays two widgets:

  • Overview. Displays alert and event metrics as numbers and as line charts.
  • Event Lifecycle. Provides a Sankey chart showing metrics for source alerts and their event-lifecycle outcomes.

The Overview widget includes the following metrics, scoped to your organizational alignment:

  • Alerts. Displays the total number of alerts generated by alert formulas in SL1.
  • New Event Records. Provides two metrics for new events:
    • Total new events created. The total number of new event records created.
    • Noise Reduction. The percentage of alerts that did not become new events. A mature, tuned system will show a higher Noise Reduction percentage.
  • Average Active Events. Displays the average number of active events over the selected time range.

NOTE: Not every alert will trigger an event, and some alerts could trigger more than one event record.

The Event Lifecycle widget provides a visual Sankey chart for Event Lifecycle metrics.

The first column of this chart depicts the total number of alerts generated by your system; its blocks are broken down by alert source:

  • API. Message is generated by inserting a message into the main database. These messages can be inserted by a snippet automation action, a snippet Dynamic Application, or a request to the ScienceLogic API. For more information on snippet automation actions, see the section on snippet actions. For more information on snippet Dynamic Applications, see the section on developing snippet Dynamic Applications. For more information on the ScienceLogic API, see the section on generating events with the ScienceLogic API.
  • Dynamic Application. Message is generated by a Dynamic Application alert. Dynamic Applications are customizable policies that tell SL1 how to monitor applications and devices. You can define alerts in Dynamic Applications. An alert can trigger events based on the data collected by the Dynamic Application. Alerts allow you to examine and manipulate values retrieved by Dynamic Applications. When an alert evaluates to TRUE, the alert inserts a message in the associated device's device log. SL1 examines each new message in the device log and determines if the message matches an event definition. If the message matches an event definition, SL1 generates an instance of that event. For example, an alert might be defined to evaluate to TRUE if the temperature of a chassis exceeds 100 degrees Fahrenheit. If the chassis temperature exceeds 100 degrees at some point in the future, SL1 inserts a message in the associated device's log files. SL1 then matches that message with an existing event, and then triggers the event. For more information, see the section on Dynamic Application Development.
  • Internal. Internal Collections, such as Availability, Latency, Network Interface Collection, Monitors, and more, manifest "internal" alerts that result in events aligned against devices.
  • SNMP Trap. Message is generated by an SNMP trap. SNMP traps can be sent by devices and proxy devices like MoMs. An SNMP trap is an unsolicited message from a device to SL1. A trap indicates that an emergency condition or a condition that merits immediate attention has occurred on the device. For more information on traps, see the section on SNMP traps.
  • Syslog. Message is generated by the syslog protocol. Syslogs can be sent by devices and proxy devices such as managers of managers (MoM). A syslog is an unsolicited message from a device to SL1. Syslog is a standard log format supported by most networking and UNIX-based devices and applications. Windows log files can be converted to syslog format using conversion tools. For more information on syslogs, see the section on syslog messages.
  • Email. Message is generated by an email message sent to SL1. For more information on generating events with email messages, see the section on events from email.

The second column of this chart shows what happened to those alerts in the next stage of the Event Lifecycle:

  • New Event Record. Total number of new event records created.
  • Deduplication. Total number of alert occurrences that matched an event already active on the same device. Because SL1 does not create a new record for each occurrence (unless configured to do so), it updates the existing active event record and increments its occurrence count.
  • No Event Created. Total number of alerts that did not result in an event.

NOTE: If a source type does not appear in the Event Lifecycle widget, no alerts of that type were collected from your devices in the displayed data.
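As an added illustration (not SL1 code or documentation), the following Python models how the two Sankey columns relate: each alert in a constructed stream is tallied by source, then either creates a new event record, increments an already active record on the same device, or creates nothing, and the Noise Reduction percentage is derived from the totals. The Alert structure, the device and policy names, the deduplication key of (device, event policy), and the formula noise reduction = 100 × (1 − new events / alerts) are assumptions made for this example.

```python
"""Constructed model of how the Event Lifecycle widget tallies alerts.

Added illustration, not SL1 code. Assumptions not stated in the documentation:
an alert records its source, its device and the event policies it matched
(none matched => "No Event Created"); SL1 deduplicates on (device, policy)
while that event is active; noise reduction = 100 * (1 - new events / alerts).
"""
from collections import Counter
from dataclasses import dataclass, field

# The six alert sources listed in the first Sankey column.
SOURCES = ("API", "Dynamic Application", "Internal", "SNMP Trap", "Syslog", "Email")


@dataclass(frozen=True)
class Alert:
    source: str
    device: str
    policies: tuple = ()  # hypothetical event-policy ids; empty => no event


@dataclass
class LifecycleTally:
    alerts_by_source: Counter = field(default_factory=Counter)  # column 1
    new_events: int = 0        # column 2: New Event Record
    deduplicated: int = 0      # column 2: Deduplication
    no_event: int = 0          # column 2: No Event Created
    active: dict = field(default_factory=dict)  # (device, policy) -> occurrence count

    @property
    def alerts(self) -> int:
        return sum(self.alerts_by_source.values())

    @property
    def noise_reduction(self) -> float:
        """Percentage of alerts that did not become a new event record (assumed formula)."""
        if self.alerts == 0:
            return 0.0
        return round(100.0 * (1 - self.new_events / self.alerts), 1)


def process(alerts) -> LifecycleTally:
    """Walk a stream of alerts and produce the Sankey column totals."""
    tally = LifecycleTally()
    for alert in alerts:
        if alert.source not in SOURCES:
            raise ValueError(f"unknown alert source: {alert.source!r}")
        tally.alerts_by_source[alert.source] += 1
        if not alert.policies:
            tally.no_event += 1  # alert matched no event policy
            continue
        # One alert can match several policies, so it can yield several records.
        for policy in alert.policies:
            key = (alert.device, policy)
            if key in tally.active:
                tally.active[key] += 1   # same event, same device: increment count
                tally.deduplicated += 1
            else:
                tally.active[key] = 1    # first occurrence: new event record
                tally.new_events += 1
    return tally


# Constructed sample stream (device and policy names are made up).
SAMPLE_ALERTS = [
    Alert("Syslog", "web-01", ("link_down",)),
    Alert("Syslog", "web-01", ("link_down",)),           # repeat -> dedup
    Alert("Syslog", "web-01", ("link_down",)),           # repeat -> dedup
    Alert("Syslog", "web-02", ("link_down",)),           # other device -> new record
    Alert("SNMP Trap", "core-sw-1"),                     # no matching policy
    Alert("Dynamic Application", "db-01", ("cpu_high",)),
    Alert("Dynamic Application", "db-01", ("cpu_high", "cpu_critical")),  # 1 dedup + 1 new
    Alert("Internal", "web-01", ("availability",)),
    Alert("API", "app-01"),
    Alert("Email", "mail-01"),
]

if __name__ == "__main__":
    t = process(SAMPLE_ALERTS)
    for source, n in t.alerts_by_source.most_common():
        print(f"{source:<20} {n:>3} alerts")
    print(f"New Event Record {t.new_events}, Deduplication {t.deduplicated}, "
          f"No Event Created {t.no_event}, Noise Reduction {t.noise_reduction}%")
```

Running the sample gives 10 alerts, 5 new event records, 3 deduplicated occurrences and 3 alerts with no event, so Noise Reduction is 50%. Note that the deduplicated occurrences count toward noise reduction under the assumed formula, since they did not create new records, and that the seventh alert produces both a deduplication and a new record because it matched two policies.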

Interacting with the Event Insights Widgets

From the Event Insights page (Events > Event Insights), you can interact with the widgets by selecting line-chart data points and by hovering over the Sankey chart.

To view the Overview widget's line-chart data points:

  1. Go to Event Insights page (Events > Event Insights).
  2. Select a data point along either of the line charts in the Overview widget.
    A pop-up displays the time stamp for that data point and its number of alerts.

To view details for a node or connector in the Event Lifecycle widget's Sankey chart:

  1. Go to Event Insights page (Events > Event Insights).
  2. Hover your mouse over a desired Sankey chart metric in the Event Lifecycle widget.
    A pop-up displays the series name and its count.

NOTE: The height of a node is proportional to the volume of that metric. The thickness of a connector shows where the majority of the data flows, such as to Deduplication or New Event Record.