Using event groups to filter events

Event groups are sets of events that meet certain conditions. These conditions act as filters on events. You can use event groups only after they are defined. Only Solution Administrators and Tenant Administrators can create, modify, and delete event groups. Several out-of-the-box event groups are included with the TrueSight console that enable you to process events quickly.

This topic covers the following information:

Related topics

Creating event groups

Creating dynamic event groups

Getting started with event groups

Out-of-the-box event groups

Custom filters versus event groups

Filtering events in the TrueSight console

Monitoring and managing events from the TrueSight console

Other filtering options

Using custom filters to filter events

Using quick filters to filter events

Using time filters to filter events

Global search

To understand fields and options on the Event Groups page

The following figure highlights the various fields and options that are available on the Event Groups page.

#	Field	Description
	Main action menu	Displays the following options: Create Event Group: Event groups are sets of events that meet certain criteria or conditions. These conditions act as filters on events. You can create an event group only if you are logged in as a Solution Administrator or a Tenant Administrator. Create Dynamic Event Group: Dynamic event groups are set of events that are created dynamically based on event slot that you specify. The event groups are created based on the unique values of the selected event slot. You can also provide certain criteria or conditions. These conditions act as filters on events. You can create a dynamic event group only if you are logged in as a Solution Administrator or a Tenant Administrator. Manage Event Groups: The Manage Event Groups page is displayed. The Manage Event Groups page displays all event groups in the hierarchical order. Show All Event Groups: Any applied filters are cleared and you can view all the event groups that you have access to. The count of total event groups is displayed next to the title of the page as shown: Restore Default Settings: All the modified settings are removed and the page is reset to the following default settings: Quick filters: Critical, Major, Minor, Warning Sorting: Sort by Severity Set as Landing Page: The Event Groups page is displayed by default every time you log in to the TrueSight console. Save as Preference: You can make the current page settings your default settings. Every time you log on to the TrueSight console and navigate to the Event Groups page, the settings that you last used are displayed. If you do not use this feature, the page displays the default settings.
	Quick severity filter	Displays color-coded severity levels as separate buttons. Each button displays the total count of event groups that include at least one event that matches the severity level.
	View action menu	Displays the Tile View and Table View options. You can toggle between the two views. The Table View option displays the event group hierarchy and shows the parent-child relationships between the event groups. The dynamic event group is marked with a star and includes the dynamic event group definition name in a bracket. The Tile View option displays the event groups as an independent element or tile. The dynamic event groups are marked with a star on the header. The tooltip includes the dynamic event group definition name in a bracket.
	Sort by action menu	Displays the Sort By Severity, Sort By Name (Ascending), and Sort By Name (Descending) options. You can change the order of the event groups by sorting them based on the descending order of the severity of events. You can also sort the event groups based on their names in either ascending or descending order. By default, event groups are sorted by Severity. If the event severity in two event groups is the same, they are sorted based on the ascending order of their names.
	Event group tile header	Displays the name of the event group. The dynamic event groups are marked with a star on the header. The color of the header indicates the highest severity of the open events from the event group. For example, if the header of an event group is in Red color, at least one of the open events is in critical severity.
	Event count	Displays the count of open events and total events in the event group. When you click the Open Events or Total Events count, the Events page that shows the open events or total events of that event group is displayed. If you do not have access to an event group, the counts for that event group are not clickable and displayed in gray color. You can use the View preferences option to define which events are open. For more information, see Customizing the display of event groups. The total events count includes events with Open, Acknowledged, Assigned, and Blackout status. Events with Closed status are not included in the Total Events count.
	Event group search	Enables you to find event groups by performing a search on their names. The search is not case sensitive and is performed on all event groups, irrespective of any severity filter that you might have applied. To search, click the search icon and enter the search text. Click the search icon again or press Enter.
	Refresh page	Enables you to manually refresh the page. You can customize the page settings to automatically refresh the page every one to ten minutes.
	Collapse or expand quick filters or preferences	Enables you to collapse or expand the quick filters area to give you more display area for event groups. You can toggle between displaying and hiding the quick filters area using this option.
	View preferences	Enables you to customize the page. For more information, see Customizing the display of event groups.
	View help	Launches context-sensitive help. The online version of the documentation is displayed. For working offline, you can download an Adobe Acrobat PDF of this documentation from PDFs and Videos.

To view event group details

In the Tile view, click the event group tile header or in the Table view, click the event group name.

The Event Group Details page is displayed that shows the information about the event group.

To view event group hierarchy

To see the parent-child relationships of all the event groups, you must view the event groups in the Table view. The selected view name is displayed next to the View action menu . By default, event groups are displayed in Tile view in which an event group is displayed as a separate, independent tile.

To change the view, use the View action menu . The following figure shows an example of event group hierarchy:

To manage events from an event group

Click the count of open events or total events for the event group as shown.

In Table view:

The Events page is displayed that shows events from the selected event group. You can now work on this filtered list of events by performing tasks such as review the event summary, filter the events, perform remote actions, and so on. For more information, see Monitoring and managing events from the TrueSight console.

To view event groups by severity

You can sort or filter event groups based on the severity of the events that belong to that group. The severity is indicated by different colors and icons.

To sort event groups by severity: In the Sort by action menu , select Sort By Severity to view the event group with Critical events first followed by those with descending order of severity.

To filter event groups based on severity: In the quick severity filter , click a severity button to view or hide event groups of that severity. For example, if you click only the Critical severity button, event groups that have at least one critical event in open state are displayed and the other event groups are filtered out.

You can select more than one severity button.

To display specific event groups

You can filter out event groups and view only specific event groups. To do so, use the quick severity filterand event group search features.

Where to go from here

After you use the event groups filter, you can perform any of the following procedures on the filtered set of events: