Exploring Data
Last updated on 02 June, 2023How you work with LM Dexda depends on how your LM Dexda workflows are configured with regard to rules and actions. You can fully automate LM Dexda’s event management processes so that insights are created based on alert correlations and escalated into ServiceNow incidents. Similarily, singleton alerts (alerts that cannot be grouped into new or existing clusters) can be automatically escalated into ServiceNow incidents once their correlation timeout has lapsed.
You can also manually trigger incident creation by interacting with the Dashboard and Explore pages. By using rules filters to target action workflows for specific records, you can direct some alerts or insights towards a manual workflow, and others to an automatic. How you set it up depends on your IT Operation requirements. Regardless of workflow, LM Dexda provides multiple options to help you track issues. For more information, see Using Dashboards.
The Explore page provides a free form of exploration when investigating issues. Using the options in the Explore page you can drill down into insights, alerts, and events. You can apply filters to queries, investigate details for each issue, and decide upon an action if needed.
Working with the Explore Page
Select the Explore option in the navigation bar to open the Explore page.
The upper part displays a graph showing the distribution of the all record types across a time range. By default data analyses of the previous 24 hours of data are displayed. The lower part is a result panel displaying the top 200 results matching a search query.
Query results are displayed by record type:
- Insights shows actionable alerts created from machine learning processing of events.
- Alerts are actionable alerts created by processing of events using rules.
- Events are data received through collection from event sources such as monitoring tools.
Changing the Time Range
Use the following options to change the time range filtering:
- Select and drag in the graph to change the time range.
- Select the calendar icon in top right to set a predefined time range.
- Select the calendar icon and then Custom, and use the From/To date pickers to define a time range.
- Select Last 24 hours to restore the default time range.
Creating a Query Using Filters
Filters are useful to narrow the number of items displayed when investigating an issue. To narrow a search, start by adding a filter in the top level search bar. If needed, continue by filtering items in the table lists.
Top level filtering
- Select the record type – Insights (default), Alerts, Events.
- Select Add filter at the top to display a set of predefined filtering options.
- Select the desired field, operator, and value. The filter is automatically pinned to the top.
- Continue to drill down into the data by selecting more options from Add filter. The pinned filter is automatically built out with the added criteria.
- If needed, continue by filtering items in the table list.
Note: Queries are built up in the URL bar of the browser. You can copy this URL to store or share the query.
Filtering in table lists
- Right-click on an item in a list and select Add Filter. This adds a filter based on the column value for the selected item in the list.
- Created filters are pinned to the top where you can edit or remove them.
- Continue to drill down into the data by selecting more options from Add filter. The pinned filter is automatically built out with the added criteria.
More Options
The following describes some additional options when investigating issues.
Sorting a table list
- Select a column header to sort the data in ascending or descending order.
- To sort multiple columns, hold down the cmd or ctrl key and select the desired column headers. Select the column headers again to remove the sorting.
Configuring column display
- Select Columns to the right of the panel to select fields to add or remove columns for, and to change their display order.
- You can also change the column display order by dragging and dropping columns into the preferred order.
Working with Details Pages
The details pages for an issue can help you drill down further to identify causes and decide on actions if any. Depending on the type of record – insight, alert, or event, you will see different types of information. For example error descriptions, time ranges and durations, related alerts an events, originating monitored sources, and correlation model used for insights.
Accessing Details Pages
Select a row in a table list and select Details to open the Details page for a selected item. Alternatively, open the More options menu at the end of an item line, and select Details.
Note: The Details (Insight, Alert, Event) page opens in a new window with a specific URL that you can share with colleagues when collaborating to solve issues.
Exploring Insight Details
Insights are actionable alerts created from machine learning processing of events, and alerts grouped through correlation models. The Insight Details page provides an overview of information specific for a selected insight.
The following table describes some of the available information when investigating an insight.
| Feature | Description |
| Overview | The upper panel displays a timeline where alerts associated with the item is layed out sequentially as they occur. The graph area displays the sources from where associated events occurred, and Causal CI associated with the selected insight. Hover over it or select the menu to see more details for the CI. |
| Information | This tab provides an overview of details associated with the insight, in table format. Useful for example to copy details from. |
| Alerts and Events | The lower panel displays alerts and events related to the investigated insight. From here you can sort data, add filters, inspect details, and perform actions in the same way as described earlier when working with the Explore page. |
| Links | Links in the left panel provides a URL to the details view for the selected insight, for sharing and storing the insight details. |
| Tags | Tags are added through machine learning by analyzing the description field of alerts contained in a correlation. For more information, see About Correlation Models. |
| Duration | The time range during which the first and last alerts associated with the selected insight were observed. |
| Alert Count | The number of correlated alerts associated with the selected insight. |
| Tenant | The tenant that is associated with the selected insight. Used with multi-tenant scenarios, see Grouping by Tenant and Domain Separation. |
| Correlation | The correlation(s) associated with the insight. From here you can select View Model to access the Create Correlation Page for the specific correlation model used. This is useful to understand how the insight was created, and to adjust the correlation model if needed. For more information, see About Correlation Models. |
Exploring Alert Details
On the Alert Details page you can investigate details about a selected alert. Right-click on an alert in the list on the Explore page and select Details to open the Alert Details page.
Available options when investigating an alert:
- The right panel displays insights and events associated with the alert. Right-click an item in the list to explore its details and act on it.
- The Information tab provides an overview of details associated with the alert, in table format. Useful for example to copy details from.
- CI is the Configuration Item (CI) associated with the selected alert.
- Object shows the component of the CI that the alert pertains to. This can be the CI itself, a filesystem for example “C:”, or a network switch interface.
- Name is the name of the metric or measure being reported in the alert, for example, “Ping Failed” or “High Interface Utilization”.
- Description provides a text summary of the alert.
Exploring Event Details
On the Event Details page you can investigate details about a selected event. Right-click on an event in the list on the Explore page and select Details to open the Event Details page.
Available options when investigating an event:
- The right panel displays insights and alerts associated with the event. Right-click an item in the list to explore its details and act on it.
- The Information tab provides an overview of details associated with the event, in table format. Useful for example to copy details from.
- CI is the Configuration Item (CI) associated with the selected event.
- Object hows the component of the CI that the event pertains to. This can be the CI itself, a filesystem for example “C:”, or a network switch interface.
- Name is the name of the metric or measure being reported in the event, for example, “Ping Failed” or “High Interface Utilization”.
- Description provides a text summary of the event.
Acting on Issues
You can select Actions from the options menu at the top left corner to manually act on an issue from a Details page. You can for example create an incident, assign it to yourself, or close it. For more information on incident management workflows, see Using Dashboards.