
This topic describes an end-to-end approach for a new user of BMC TrueSight IT Data Analytics (IT Data Analytics) to start collecting data and using the product features.

Scenario: My application has a special user account that is required to administer the application. This account has additional privileges, including the ability to place orders, but it must never be used to place an order through my application. I want to be notified every time this user tries to place an order.

The following sections will guide you through the process:


Step 1: Download and install IT Data Analytics

For more information, see Installing.

Step 2: Locate and analyze the data

Locate and analyze the log file generated by the application that you want to index. For more information, see Managing data patterns.

Sample data

28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - Login request from user=Mike
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - some other message user=Mike sessionid=1234
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 add product=PenDrive to cart price=123
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 add product=Phone to cart price=345
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 place order
28 Apr 2014 10:58:30 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 logout

Step 3: Identify a data pattern for indexing the data

Identify a data pattern that captures the structure of the log file. You can use one of the existing data patterns, or you can create a new one. For more information, see Managing data patterns.

Sample data pattern details

Date format:
dd MMM yyyy kk:mm:ss

Primary pattern:
%{Mytimestamp:timestamp} 
\[%{Data:debuglevel}\]
%{Data:component} -
\[Thread=%{Data:threadid}\]
%{Ip:clientip} -
%{MultilineEntry:details}

Subpattern (Mytimestamp):
%{DigitDay:day}\s+
%{Month:month}\s+
%{FullYear}\s+
%{Hour}:%{Minute}:%{Second}

Fields to be extracted:
timestamp, debuglevel, component, threadid, clientip, details

Fields to be searchable:
debuglevel, component, threadid, clientip

When you apply the preceding pattern to the sample data entries, the following fields are extracted:

Line 1 in sample data
timestamp: 28 Apr 2014 10:58:28
debuglevel: DEBUG
component: LoginService
threadid: Server(77)
clientip: 10.20.30.40
details: Login request from user=Mike
user: Mike

Line 2 in sample data
timestamp: 28 Apr 2014 10:58:28
debuglevel: DEBUG
component: LoginService
threadid: Server(77)
clientip: 10.20.30.40
details: some other message user=Mike sessionid=1234
user: Mike
sessionid: 1234

The name=value pairs inside the details field (user, sessionid, product, price) are extracted as additional fields automatically. Line 3, for example, also yields sessionid: 1234, product: PenDrive, and price: 123.

Step 4: Create a data collector by using the data pattern identified in step 3

Create a data collector (for example Monitor file on Collection Agent) based on your environment and where your data resides. For more information, see Managing data collectors.

Specify tags during the data collector creation to enable effective searching.

Sample tags:

Tag: os
Value: Linux

Tag: tier
Value: application

Tag: appgroup
Value: myapp

Step 5: Perform a search

Use search strings that contain name=value pairs, fields, tags, and search commands.

Sample search strings

What to do: Search the entire application, across all tiers
Search string: appgroup=myapp

What to do: Find all activity of users and their sessions
Search string: appgroup=myapp | group user,sessionid

What to do: Find long user sessions (duration greater than 30)
Search string: appgroup=myapp | group user,sessionid | filter greaterthan(duration, "30")

What to do: Find activity of all special users and their sessions
Search string: appgroup=myapp | group user,sessionid | filter match(user, "special_user")

Step 6: Create a saved search

Create a saved search for any important search queries that you might want to reuse in the future. For more information, see Managing saved searches.

Sample search query for creating a saved search

appgroup=myapp | group user,sessionid | filter match(user, "special_user")

Step 7: Create a notification based on the saved search

Saved search

appgroup=myapp | group user,sessionid | filter match(user, "special_user")

Use the following input to create the notification:

  • Condition: result count > 0 (notify whenever the saved search returns at least one result)
  • Email notification to: admin@acme.com

Note that this saved search matches any activity by the special user, not only order placement. If you want to be notified only when the special user places an order, narrow the saved search so that it matches only the "place order" entries for that user; otherwise every login or cart update by that user will trigger the notification.

For more information, see Managing notifications.
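As an added worked example (this is not code from the original page or from the IT Data Analytics product), the following Python script reproduces outside the product what steps 3, 5 and 7 configure inside it: it parses the sample log lines with a regular expression equivalent to the primary data pattern, extracts the name=value pairs from details, correlates events by session the way "group user,sessionid" is used above, computes a per-session duration, and evaluates the notification condition for a special user who places an order. The log lines, the special user name "appadmin", its sessionid 5678 and the 10.20.30.41 client are constructed for this example; the session correlation and the duration calculation are assumptions about what the product's group command produces, not documented product behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the page's format (not real product data).
# The last three lines add a session for a hypothetical special user "appadmin"
# so that the notification condition has something to fire on.
SAMPLE_LOG = """\
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - Login request from user=Mike
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - some other message user=Mike sessionid=1234
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 add product=PenDrive to cart price=123
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 add product=Phone to cart price=345
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 place order
28 Apr 2014 10:58:30 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 logout
28 Apr 2014 11:02:01 [DEBUG] LoginService - [Thread=Server(78)] 10.20.30.41 - some other message user=appadmin sessionid=5678
28 Apr 2014 11:02:05 [DEBUG] LoginService - [Thread=Server(78)] 10.20.30.41 - sessionid=5678 add product=Laptop to cart price=999
28 Apr 2014 11:03:10 [DEBUG] LoginService - [Thread=Server(78)] 10.20.30.41 - sessionid=5678 place order
"""

# Regex equivalent of the page's primary data pattern:
# timestamp [debuglevel] component - [Thread=threadid] clientip - details
PRIMARY = re.compile(
    r"^(?P<timestamp>\d{1,2}\s+[A-Za-z]{3}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<debuglevel>[^\]]+)\]\s+"
    r"(?P<component>\S+)\s+-\s+"
    r"\[Thread=(?P<threadid>[^\]]+)\]\s+"
    r"(?P<clientip>\d{1,3}(?:\.\d{1,3}){3})\s+-\s+"
    r"(?P<details>.*)$"
)
# name=value pairs inside details (user, sessionid, product, price)
KV = re.compile(r"\b(\w+)=(\S+)")


def parse_line(line):
    """Apply the data pattern to one log line; return None if it does not match."""
    m = PRIMARY.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # "dd MMM yyyy kk:mm:ss" in the data pattern corresponds to this strptime format
    ev["timestamp"] = datetime.strptime(ev["timestamp"], "%d %b %Y %H:%M:%S")
    ev.update(KV.findall(ev["details"]))  # name=value pairs become fields
    return ev


def group_sessions(events):
    """Assumed equivalent of '| group user,sessionid': correlate events by sessionid,
    carry the user name seen on any event of the session, and compute a duration
    in seconds from the first to the last event."""
    sessions = defaultdict(lambda: {"user": None, "events": []})
    for ev in events:
        sid = ev.get("sessionid")
        if sid is None:
            continue  # the bare login line carries user= but no sessionid yet
        s = sessions[sid]
        s["events"].append(ev)
        if ev.get("user"):
            s["user"] = ev["user"]
    for s in sessions.values():
        ts = [e["timestamp"] for e in s["events"]]
        s["duration"] = (max(ts) - min(ts)).total_seconds()
    return dict(sessions)


def special_user_orders(sessions, special_user):
    """The saved search's filter match(user, special_user), narrowed to sessions
    that contain a 'place order' entry. Returns the matching session ids."""
    return sorted(
        sid for sid, s in sessions.items()
        if s["user"] == special_user
        and any("place order" in e["details"] for e in s["events"])
    )


def should_notify(log_text, special_user):
    """Notification condition 'count > 0': True when at least one session matches."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    hits = special_user_orders(group_sessions(events), special_user)
    return len(hits) > 0, hits


if __name__ == "__main__":
    print(should_notify(SAMPLE_LOG, "appadmin"))
```

Running the script prints the notification decision and the matching session ids for the constructed data. The point of the narrowing in special_user_orders is the same caveat as in step 7: a filter on the user alone fires on every login and cart update by that account, so the order-placement condition has to be part of the search before a notification is attached to it.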