amgupta Absent Member.

Need info about Top Value Count data monitor

Hi Experts,

I need help to understand the concept behind top value count data monitor. The definition in the user guide is not helping me. Here is the output and configuration of a default data monitor provided by ArcSight "Top Event Sources".

Top value Count data monitor config.GIF

Top value Count data monitor output.GIF

Can somebody please explain where these three values fit with respect to the output presented here?

1. Availability interval of 30 sec (I observed that the time period at the bottom of the graph changes every 30 seconds as configured, but many times it failed to refresh in exactly 30 sec; sometimes it refreshed after 30 sec and sometimes before 30 sec.)

2. Bucket size of 120 secs (what is happening in the 120 sec time duration?)

3. No. of buckets 30 (what is this 30 being used for?)

I have read that the total interval of the graph will be 120*30 sec = 1 hour, but I am not able to correlate it with the graph and numbers displayed here. I have also searched and seen all the threads related to this but could not get clarity on this.

Any help would be highly appreciated.


Accepted Solutions
deathbywedgie1 Frequent Contributor.

Re: Need info about Top Value Count data monitor

The bucket size is the window of time in which it will collect each sample. When set to 120 seconds, it collects numbers on all events matching your filter for a 2 minute window. The number of buckets is how many samples it will keep online at a given time. 30 buckets of 120 seconds each means you're constantly seeing numbers of the last one hour of data.

Setting the availability interval at 30 seconds when the bucket size is 120 seconds is not going to do much for the dashboard. The data monitor is collecting events in 120 second chunks, so that just means the dashboard will be refreshed 4 times for every 1 update. (i.e. 3 refreshes in a row will show nothing new, and then the 4th one will show updated numbers)

Assuming the graph you showed as an example was after the data monitor had been running for at least an hour, the graph indicates that there were 1888 total matches spanning 3 different combinations of vendor/product. If it ever finds more unique combinations of vendor/product than the "# top entries" value (20 in your case) then the rest will be accumulated into a value labeled "Other."

amgupta Absent Member.

Re: Need info about Top Value Count data monitor

Thank you very much deathbywedgie.

amgupta Absent Member.

Re: Need info about Top Value Count data monitor

Just one doubt deathbywedgie,

As per your explanation, can I take it that values should not change in the graph within one bucket time (in this case, 120 sec)? Graph values will always change at an interval of at least 120 seconds, as the DM will take a sample of the next 120 seconds and sum it up with the last 29 buckets. If this is the case, then the refresh interval of the DM must be equal to or more than the bucket size.

Please let me know if my understanding is correct.

grantsales
New Member.

Re: Need info about Top Value Count data monitor

DBW is right,

Availability Interval = After how many seconds the data monitor should make new data available (aka, how often to update the graph / chart)

You'd probably want this value higher if not equal to the bucket size, not lower. If you select a higher value like 240 in your example then each update to the graph will have 2 new data points. Setting this equal to your bucket size will get you a new data point at each bucket.

-Grant

deathbywedgie1 Frequent Contributor.

Re: Need info about Top Value Count data monitor

Agreed... it may not necessarily hurt anything to have the refresh interval set more often, but it doesn't help anything either. I don't think it puts any significant load on ESM when a dashboard refreshes the view, so I typically always make the refresh interval identical to the bucket size.
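
A small model of the behaviour discussed in this thread (bucket size, number of buckets, "# top entries" and the availability interval), added here as an example; it is not ArcSight ESM code, and the class, function and sample source names are hypothetical. It assumes, as the accepted answer describes, that a refresh only shows completed buckets.

```python
from collections import Counter, deque

class TopValueCounter:
    """Toy model of a bucketed top-value count (not ArcSight ESM code)."""

    def __init__(self, bucket_size=120, num_buckets=30, top_entries=20):
        self.bucket_size = bucket_size            # seconds per sample
        self.top_entries = top_entries            # rows shown before "Other"
        self.closed = deque(maxlen=num_buckets)   # oldest sample drops off
        self.current = Counter()                  # bucket still being filled
        self.index = 0                            # number of the open bucket

    def _roll(self, ts):
        # Close every bucket whose time window ended at or before ts.
        while ts // self.bucket_size > self.index:
            self.closed.append(self.current)
            self.current = Counter()
            self.index += 1

    def add(self, ts, value):
        """Count one event; events must arrive in time order."""
        self._roll(ts)
        self.current[value] += 1

    def snapshot(self, ts):
        """View at refresh time ts. Assumption: only closed buckets are shown."""
        self._roll(ts)
        ranked = sum(self.closed, Counter()).most_common()
        view = dict(ranked[:self.top_entries])
        other = sum(n for _, n in ranked[self.top_entries:])
        if other:
            view["Other"] = other
        return view

def refresh_views(dm, events, availability_interval, end):
    """Feed (ts, value) events and return the view seen at each refresh."""
    views, i = [], 0
    for now in range(availability_interval, end + 1, availability_interval):
        while i < len(events) and events[i][0] < now:
            dm.add(*events[i])
            i += 1
        views.append((now, dm.snapshot(now)))
    return views

# Constructed sample: one event every 10 s for 8 minutes, three sources.
SOURCES = ["vendorA/fw"] * 3 + ["vendorB/ids"] * 2 + ["vendorC/proxy"]
EVENTS = [(t, SOURCES[(t // 10) % 6]) for t in range(0, 480, 10)]

if __name__ == "__main__":
    dm = TopValueCounter(bucket_size=120, num_buckets=30, top_entries=2)
    for now, view in refresh_views(dm, EVENTS, 30, 480):
        print(now, view)
```

With a 30-second refresh the printed view changes only on every fourth line. Lowering `num_buckets` to 2 shows the sliding window: the totals stop growing once the oldest sample starts dropping off.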
