Quick start

This topic describes an end-to-end approach to enable you to get started with the BMC TrueSight IT Data Analytics (or IT Data Analytics) product as a new user and start collecting data and using the product features.

Scenario: My application has a special user who is required to administer the application. This user has additional privileges that he can use for placing orders. However, this user must not be used for placing any order using my application. I want to be notified every time this user tries to place an order.

The following sections will guide you through the process:

Related topics

Where to find more information

Getting-started

Using

Administering 

Step 1: Download and install IT Data Analytics

For more information, see Installing.

Step 2: Locate and analyze the data

Locate and analyze the log file generated by the application that you want to index. For more information, see Managing-data-patterns.

Sample data

28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40
- Login request from user=Mike

28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40
- some other message user=Mike sessionid=1234

28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40
- sessionid=1234 add product=PenDrive to cart price=123

28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40
- sessionid=1234 add product=Phone to cart price=345

28 Apr 2014 10:58:28 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40
- sessionid=1234 place order

28 Apr 2014 10:58:30 [DEBUG] LoginService - [Thread=Server(77)] 10.20.30.40
- sessionid=1234 logout

Step 3: Identify a data pattern for indexing the data

Identify a data pattern that captures the pattern in the log file. You can use one of the existing data patterns, or you can create a one. For more information, see Managing-data-patterns.

Sample data pattern details

Date format

Primary pattern

Subpatterns

Dd MMM yyyy kk:mm:ss

%{Mytimestamp:timestamp}
\[%{Data:debuglevel}\]
%{Data:component} -
\[Thread=%{Data:threadid}\]
%{Ip:clientip} -
%{MultilineEntry:details}

Mytimestamp:
%{DigitDay:day}\s+
%{Month:month}\s+
%{FullYear}\s+
%{Hour}:%{Minute}:%{Second}

Fields to be extracted

Timestamp, debuglevel, threadid, classname, method,
linenum, clientip, details

Fields to be searchable

debuglevel, threadid, classname, method, linenum, clientip

When you apply the preceding pattern (details) to sample data entries, you can see that the following lines are extracted:

Line 1 in sample data
Timestamp: 28 Apr 2014 10:58:28
Debuglevel: DEBUG
component: LoginService
Threadid: Server(77)
Clientip: 10.20.30.40
details: Login request from user=Mike
Line 2 in sample data
Timestamp: 28 Apr 2014 10:58:28
Debuglevel: DEBUG
component: LoginService
Threadid: Server(77)
Clientip: 10.20.30.40
details: some other message user=Mike sessionid=1234
user: Mike
sessionid: 1234
price=123

Step 4: Create a data collector by using the data pattern identified in step 3

Create a data collector (for example Monitor-file-on-Collection-Agent) based on your environment and where your data resides. For more information, see Managing-data-collectors.

Specify tags during the data collector creation to enable effective searching.

Sample tags:

Tag

Value

os

Linux

tier

application

appgroup

myapp

Step 5: Perform a search

Use search strings that contain name=value pairs, fields, tags, and search commands.

For more information, see the following topics:

Sample search strings

What to do?

Search string

Search the entire application, across all tiers

appgroup=myapp

Find all activity of users and their sessions

appgroup=myapp | group user,sessionid

Find users who lost interest quickly

appgroup=myapp | group user,sessionid | where greater than(duration, 30)

Find activity of all special users and their sessions

appgroup=myapp | group user,sessionid | filter match(user, "special_user")

Step 6: Create a saved search

Create a saved search for any important search queries that you might want to reuse in the future. For more information, see Managing-saved-searches.

Sample search query for creating a saved search

appgroup=myapp | group user,sessionid | filter match(user, "special_user")

Step 7: Create a notification based on the saved search

Saved search

appgroup=myapp | group user,sessionid | filter match(user, "special_user")

Use the following input to create the notification:

  • Condition count: > 0
  • Email notification to: admin@acme.com

For more information, see Managing-notifications.

 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*