
    This topic describes an end-to-end approach for getting started with the BMC TrueSight IT Data Analytics (or IT Data Analytics) product as a new user: collecting data and using the product features.

    Scenario: My application has a special user who is required to administer the application. This user has additional privileges that he can use for placing orders. However, this user must not be used for placing any order using my application. I want to be notified every time this user tries to place an order.

    The following sections will guide you through the process:


    Step 1: Download and install IT Data Analytics

    For more information, see Installing.

    Step 2: Locate and analyze the data

    Locate and analyze the log file generated by the application that you want to index. For more information, see Managing data patterns.

    Sample data

    28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - Login request from user=Mike
    28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - some other message user=Mike sessionid=1234
    28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 add product=PenDrive to cart price=123
    28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 add product=Phone to cart price=345
    28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 place order
    28 Apr 2014 10:58:30 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 logout

    Step 3: Identify a data pattern for indexing the data

    Identify a data pattern that captures the pattern in the log file. You can use one of the existing data patterns, or you can create a new one. For more information, see Creating data patterns.

    Sample data pattern details

    Date format:
        Dd MMM yyyy kk:mm:ss

    Primary pattern:
        %{Mytimestamp:timestamp}
        \[%{Data:debuglevel}\]
        %{Data:component} -
        \[Thread=%{Data:threadid}\]
        %{Ip:clientip} -
        %{MultilineEntry:details}

    Subpatterns:
        Mytimestamp:
        %{DigitDay:day}\s+
        %{Month:month}\s+
        %{FullYear}\s+
        %{Hour}:%{Minute}:%{Second}

    Fields to be extracted:
        Timestamp, debuglevel, threadid, classname, method, linenum, clientip, details

    Fields to be searchable:
        debuglevel, threadid, classname, method, linenum, clientip

    When you apply the preceding pattern (details) to sample data entries, you can see that the following lines are extracted:

    Line 1 in sample data
        Timestamp: 28 Apr 2014 10:58:28
        Debuglevel: DEBUG
        component: LoginService
        Threadid: Server(77)
        Clientip: 10.20.30.40
        details: Login request from user=Mike

    Line 2 in sample data
        Timestamp: 28 Apr 2014 10:58:28
        Debuglevel: DEBUG
        component: LoginService
        Threadid: Server(77)
        Clientip: 10.20.30.40
        details: some other message user=Mike sessionid=1234
        user: Mike
        sessionid: 1234
        price=123

    Step 4: Create a data collector by using the data pattern identified in the earlier step

    Create a data collector (for example, Monitor file on Collection Agent) based on your environment and where your data resides. For more information, see Managing data collectors.

    Specify tags during the data collector creation to enable effective searching.

    Sample tags:

    Tag         Value
    os          Linux
    tier        application
    appgroup    myapp

    Step 5: Perform a search

    Use search strings that contain name=value pairs, fields, tags, and search commands.

    For more information, see the following topics:

    Sample search strings

    What to do? / Search string

    Search the entire application, across all tiers:
        appgroup=myapp

    Find all activity of users and their sessions:
        appgroup=myapp | group user,sessionid

    Find users who lost interest quickly:
        appgroup=myapp | group user,sessionid | filter greaterthan(duration, "30")

    Find activity of all special users and their sessions:
        appgroup=myapp | group user,sessionid | filter match(user, "special_user")

    Step 6: Create a saved search

    Create a saved search for any important search queries that you might want to reuse in the future. For more information, see Managing saved searches.

    Sample search query for creating a saved search

    appgroup=myapp | group user,sessionid | filter match(user, "special_user")

    Step 7: Create a notification based on the saved search

    Saved search

    appgroup=myapp | group user,sessionid | filter match(user, "special_user")

    Use the following input to create the notification:

    • Condition count: > 0
    • Email notification to: admin@acme.com

    For more information, see Creating notifications.
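
The scenario above, worked end to end as an added example (not BMC code and not the product's pattern engine): a Python regex approximates the sample data pattern, name=value pairs are read from the details field, and each "place order" line is tied back to a user through its sessionid, because order lines carry no user field. The special_user sessions in the sample and the function names are constructed for illustration.

```python
import re

# Constructed sample in the page's log format; "special_user" sessions are hypothetical.
SAMPLE_LOG = """\
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - Login request from user=Mike
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - some other message user=Mike sessionid=1234
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 add product=PenDrive to cart price=123
28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40 - sessionid=1234 place order
28 Apr 2014 10:59:02 [DEBUG] LoginService - [Thread=Server(78)] 10.20.30.41 - some other message user=special_user sessionid=5678
28 Apr 2014 10:59:05 [DEBUG] LoginService - [Thread=Server(78)] 10.20.30.41 - sessionid=5678 place order
28 Apr 2014 10:59:09 [DEBUG] LoginService - [Thread=Server(79)] 10.20.30.42 - some other message user=special_user sessionid=9012
28 Apr 2014 10:59:11 [DEBUG] LoginService - [Thread=Server(79)] 10.20.30.42 - sessionid=9012 logout
"""

# Regex rendering of the page's primary pattern (an approximation, assumed equivalent).
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}\s+[A-Za-z]{3}\s+\d{4}\s+\d{2}:\d{2}:\d{2}) "
    r"\[(?P<debuglevel>[^\]]*)\] (?P<component>\S+) - "
    r"\[Thread=(?P<threadid>[^\]]*)\] (?P<clientip>\d{1,3}(?:\.\d{1,3}){3}) - "
    r"(?P<details>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")  # name=value pairs inside the details field

def parse(log_text):
    """Yield one dict per matching line: pattern fields plus name=value pairs."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {**m.groupdict(), **dict(KV_RE.findall(m["details"]))}

def special_user_orders(log_text, special_users):
    """Return (user, sessionid, timestamp, clientip) for orders placed by special users."""
    session_user = {}  # sessionid -> user, learned from lines that carry both fields
    alerts = []
    for ev in parse(log_text):
        sid = ev.get("sessionid")
        if sid and "user" in ev:
            session_user[sid] = ev["user"]
        if sid and "place order" in ev["details"]:
            user = session_user.get(sid)  # None when the session was never tied to a user
            if user in special_users:
                alerts.append((user, sid, ev["timestamp"], ev["clientip"]))
    return alerts

if __name__ == "__main__":
    print(special_user_orders(SAMPLE_LOG, {"special_user"}))
```

Session 9012 belongs to special_user but contains no order, so it raises no alert; a search that matches on the user alone would include it.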