
Hi Experts,

I need help to understand the concept behind the Top Value Count data monitor. The definition in the user guide is not helping me. Here is the output and configuration of a default data monitor provided by ArcSight, "Top Event Sources".

Can somebody please explain to me where these three values fit with respect to the output presented here?

1. Availability interval of 30 sec (I observed that the time period at the bottom of the graph changes every 30 seconds as configured, but many times it failed to refresh in exactly 30 sec, meaning sometimes it refreshed after 30 sec and sometimes before 30 sec.)

2. Bucket size of 120 sec (what is happening in the 120 sec time duration?)

3. No. of buckets 30 (what is this 30 being used for?)

I have read that the total interval of the graph will be 120*30 sec = 1 hour, but I am not able to correlate it with the graph and numbers displayed here. I have also searched and read all the threads related to this but could not get clarity on it.

Any help would be highly appreciated.

Accepted Solutions


The bucket size is the window of time in which it will collect each sample. When set to 120 seconds, it collects numbers on all events matching your filter for a 2-minute window. The number of buckets is how many samples it will keep online at a given time. 30 buckets of 120 seconds each means you're constantly seeing numbers for the last one hour of data.

Setting the availability interval at 30 seconds when the bucket size is 120 seconds is not going to do much for the dashboard. The data monitor is collecting events in 120-second chunks, so that just means the dashboard will be refreshed 4 times for every 1 update (i.e. 3 refreshes in a row will show nothing new, and then the 4th one will show updated numbers).

Assuming the graph you showed as an example was taken after the data monitor had been running for at least an hour, the graph indicates that there were 1888 total matches spanning 3 different combinations of vendor/product. If it ever finds more unique combinations of vendor/product than the "# top entries" value (20 in your case), then the rest will be accumulated into a value labeled "Other".



## Re: Need info about Top Value Count data monitor

Thank you very much deathbywedgie.


## Re: Need info about Top Value Count data monitor

Just one doubt, deathbywedgie.

As per your explanation, can I take it that values should not change in the graph within one bucket time (in this case, 120 sec)? Graph values will always change at an interval of at least 120 seconds, as the DM will take the sample of the next 120 seconds and sum it up with the last 29 buckets. If this is the case, then the refresh interval of the DM must be equal to or more than the bucket size.

Please let me know if my understanding is correct.


## Re: Need info about Top Value Count data monitor

DBW is right,

Availability Interval = after how many seconds the data monitor should make new data available (aka how often to update the graph/chart).

You'd probably want this value equal to or higher than the bucket size, not lower. If you select a higher value like 240 in your example, then each update to the graph will have 2 new data points. Setting this equal to your bucket size will get you a new data point at each bucket.

-Grant
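As a worked illustration of what deathbywedgie and Grant describe above (added to this thread as an example; it is not ArcSight/ESM code and was not posted by any participant), the following Python model puts the three settings side by side: events are binned by timestamp into fixed 120-second buckets (bucket size), only the last 30 completed buckets are summed (number of buckets), and a refresh at the availability interval can only reveal whole buckets that have closed since the previous refresh. The `TopValueCountMonitor` class, the `refresh_timeline` helper, the vendor/product names and the 1-event-per-second stream are all constructed for illustration; that ESM excludes the still-open bucket from the graph is an assumption of this model, not something the thread confirms.

```python
"""Toy model of an ArcSight Top Value Count data monitor (added example, not ESM code).

Assumption (not confirmed by the thread): events are bucketed by integer
division of their timestamp, and the window only sums buckets that have fully
elapsed, so the open bucket never shows on the graph.
"""
from collections import Counter, defaultdict

# Constructed vendor/product combinations; not the real data from the thread.
COMBOS = [("ArcSight", "ArcSight"), ("Cisco", "ASA"), ("Microsoft", "Windows")]


class TopValueCountMonitor:
    """Sliding window of num_buckets fixed-width buckets of bucket_size seconds."""

    def __init__(self, bucket_size=120, num_buckets=30, top_entries=20):
        self.bucket_size = bucket_size
        self.num_buckets = num_buckets
        self.top_entries = top_entries
        self.buckets = defaultdict(Counter)  # bucket index -> {(vendor, product): count}

    def add_event(self, ts, vendor, product):
        """Bucket size: each event is counted in the chunk its timestamp falls in."""
        self.buckets[ts // self.bucket_size][(vendor, product)] += 1

    def completed_buckets(self, now):
        """Number of buckets: indices of the last num_buckets fully elapsed buckets."""
        last = now // self.bucket_size - 1  # the bucket containing `now` is still open
        return range(max(last - self.num_buckets + 1, 0), last + 1)

    def snapshot(self, now):
        """Sum the window, keep the top_entries combinations, roll the rest into 'Other'."""
        total = Counter()
        for idx in self.completed_buckets(now):
            total.update(self.buckets.get(idx, Counter()))
        ranked = total.most_common()
        top = dict(ranked[: self.top_entries])
        other = sum(count for _, count in ranked[self.top_entries :])
        if other:
            top["Other"] = other
        return top

    def expire(self, now):
        """Drop buckets that slid out of the window; only these stay 'online'."""
        keep = set(self.completed_buckets(now)) | {now // self.bucket_size}
        for idx in [i for i in self.buckets if i not in keep]:
            del self.buckets[idx]


def refresh_timeline(monitor, availability_interval, start, end):
    """Availability interval: poll every N seconds; count new completed buckets per poll."""
    seen = set()
    timeline = []
    t = start
    while t <= end:
        current = set(monitor.completed_buckets(t))
        timeline.append((t, len(current - seen)))
        seen = current
        t += availability_interval
    return timeline


def sample_events(duration=3720):
    """Constructed stream: one event per second, split 3:2:1 across COMBOS."""
    pattern = [c for c, weight in zip(COMBOS, (3, 2, 1)) for _ in range(weight)]
    return [(ts, *pattern[ts % len(pattern)]) for ts in range(duration)]


def demo():
    mon = TopValueCountMonitor(bucket_size=120, num_buckets=30, top_entries=20)
    for ts, vendor, product in sample_events():
        mon.add_event(ts, vendor, product)
    result = {
        "window_at_3600": mon.snapshot(3600),  # buckets 0..29: one hour of data
        "window_at_3720": mon.snapshot(3720),  # buckets 1..30: oldest bucket has slid out
        "refresh_30s": refresh_timeline(mon, 30, 0, 480),    # 3 of every 4 polls show nothing new
        "refresh_240s": refresh_timeline(mon, 240, 0, 480),  # each poll reveals 2 new buckets
    }
    mon.top_entries = 2  # fewer top entries than combinations: the rest roll into "Other"
    result["top_2_with_other"] = mon.snapshot(3600)
    mon.expire(3720)
    result["buckets_kept_online"] = sorted(mon.buckets)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the same numbers at every 30-second poll until a bucket boundary is crossed, a 240-second interval revealing two new buckets per refresh, and the window total staying constant as the oldest bucket drops off and a new one completes. The `expire` step is what "keep online" means in practice: buckets older than the window are simply discarded.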


## Re: Need info about Top Value Count data monitor

Agreed... it may not necessarily *hurt* anything to have the refresh interval set more often, but it doesn't help anything either. I don't think it puts any significant load on ESM when a dashboard refreshes the view, so I typically make the refresh interval identical to the bucket size.