Analyzing event clusters for quick insights
When an issue is discovered with a device, the monitor that is set up for that device generates an event with a particular severity. Analyzing all events is therefore important for understanding the health of your environment. However, finding the event that needs immediate attention can be tedious and time-consuming.
BMC Helix Operations Management applies a machine learning-based algorithm to the event list to identify events that are related to each other based on their event messages, and groups them into clusters. These clusters compress the event volume and provide a summarized view of your environment. Use them to accelerate response time and make faster decisions.
On the Monitoring > Analytics page, event clusters of the latest 10,000 events are displayed by default. You can also search by group name to analyze the events generated for the devices in a group. To cluster the events of a group, create the group first.
To create an event cluster query and analyze events
By default, the latest 10,000 events are clustered. You can use queries to refine the event clusters further. On the Monitoring > Analytics page, perform the following steps to create an event cluster query and then analyze the events:
- Create a query to filter events.
  Creating the query: When you click in the box, you are prompted to make a selection. Each time you make a selection, you are progressively prompted to make the next one.
  The query consists of Group Name, followed by Equals, followed by the name of the group whose events you want to filter.
  Example query: Group Name Equals with_os_lin. When you analyze the query results, all events of the with_os_lin group are displayed.
  The green tick mark indicates that the query syntax is correct.
- From the time filter list, select the time range for running the query.
- Click Analyze.
The event clusters are displayed. The text that is common to all events in a cluster is shown in the cluster name, and the parts that differ are replaced by ellipses.
To analyze an event cluster
In an event cluster, events with similar messages are grouped together. The event message on which a cluster is based is shown as a tooltip when you hover over the cluster. In the tooltip, ellipses represent the parts of the message that differ between the clustered events.
The top 20 clusters (ranked by the number of events in each cluster) are shown as the query result. When you click an event cluster, the Event Summary page is displayed, where you can view events by device or by severity. The page shows the following:
- The event message that you are analyzing
- Events by device or by severity
The following illustration shows the events in a cluster by severity.
You can click a device or severity to view the list of events that are clustered for that device or severity.
- Breadcrumbs that help you navigate through the results
- A search box that lets you search for an event message in the event list
The following illustration shows the time range that corresponds to the option you select in the time filter. You can change the time range to view results for different times. This time range is not displayed when you select the All option from the time filter.
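To make the behaviour described on this page concrete (events with similar messages grouped into clusters, the common text forming the cluster name, the differing parts shown as ellipses, the top clusters ranked by event count, a time filter applied before clustering, and an Event Summary by device or by severity with a message search), the following is an added example written for this page. It is not BMC's algorithm or code: the greedy token-matching rule, the 60 percent match threshold, the `Event` and `Cluster` types, and the sample events are all constructed here as assumptions.

```python
"""Toy event clustering in the spirit of the page's description (added example,
not BMC Helix Operations Management code). Events whose messages share most
of their tokens are folded into one cluster; tokens that differ across the
cluster's events are replaced by an ellipsis in the cluster name."""
from collections import Counter
from dataclasses import dataclass, field

WILDCARD = "..."
MIN_MATCH_PERCENT = 60  # assumed: share of tokens that must equal a cluster's fixed text


@dataclass
class Event:
    timestamp: int      # constructed: seconds on an arbitrary clock
    device: str
    severity: str
    message: str


@dataclass
class Cluster:
    template: list              # message tokens; positions that differ hold WILDCARD
    events: list = field(default_factory=list)

    @property
    def name(self):
        """Cluster name: shared text kept, differing parts shown as ellipses."""
        return " ".join(self.template)


def matching_tokens(template, tokens):
    """Number of positions where the event token equals the template's fixed text."""
    if len(template) != len(tokens):
        return 0
    return sum(1 for t, e in zip(template, tokens) if t != WILDCARD and t == e)


def cluster_events(events, top=20, since=None):
    """Greedy one-pass clustering; returns the `top` clusters ranked by event count."""
    clusters = []
    for ev in events:
        if since is not None and ev.timestamp < since:
            continue                      # the time filter, applied before clustering
        tokens = ev.message.split()
        best, best_same = None, 0
        for c in clusters:                # pick the cluster sharing the most fixed tokens
            same = matching_tokens(c.template, tokens)
            if same > best_same:
                best, best_same = c, same
        if best is not None and best_same * 100 >= MIN_MATCH_PERCENT * len(tokens):
            # fold the event in: every token that differs from the template becomes "..."
            best.template = [t if t == e else WILDCARD for t, e in zip(best.template, tokens)]
            best.events.append(ev)
        else:
            clusters.append(Cluster(template=tokens, events=[ev]))
    clusters.sort(key=lambda c: len(c.events), reverse=True)  # stable: ties keep arrival order
    return clusters[:top]


def summarize(cluster, by="device"):
    """Event Summary view: count a cluster's events by device or by severity."""
    return Counter(getattr(ev, by) for ev in cluster.events)


def find_events(cluster, text):
    """Search box: events in the cluster whose message contains `text`."""
    return [ev for ev in cluster.events if text.lower() in ev.message.lower()]


SAMPLE_EVENTS = [  # constructed sample data, not real monitoring output
    Event(100, "host01", "CRITICAL", "CPU utilization on host01 is 95 percent"),
    Event(110, "host02", "CRITICAL", "CPU utilization on host02 is 97 percent"),
    Event(120, "host03", "MAJOR",    "CPU utilization on host03 is 91 percent"),
    Event(130, "host01", "MAJOR",    "Disk space on /var is 88 percent"),
    Event(140, "host02", "MINOR",    "Disk space on /tmp is 82 percent"),
    Event(150, "host04", "CRITICAL", "Service httpd stopped on host04"),
    Event(160, "host05", "CRITICAL", "Service sshd stopped on host05"),
    Event(170, "host01", "INFO",     "Service httpd stopped on host01"),
]

if __name__ == "__main__":
    for c in cluster_events(SAMPLE_EVENTS):
        print(f"{len(c.events):>3}  {c.name}")
        print("     by severity:", dict(summarize(c, "severity")))
```

On the sample data this yields three clusters: "CPU utilization on ... is ... percent" (3 events), "Service ... stopped on ..." (3 events) and "Disk space on ... is ... percent" (2 events); passing `since=150` keeps only the three service events, which all fall into one cluster. The threshold is what stops unrelated messages with a few shared words ("on", "is", "percent") from collapsing into one over-general cluster, which is the failure mode to watch for when tuning any message-similarity grouping.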