The data monitor type is chosen when you create a new data monitor. For information on how to create a data monitor, see Creating a Data Monitor.
The Moving Average data monitor displays the moving average of events by a selected data field. The display provides a running count of events within a specified time frame and generates an event when the moving average changes significantly.
If a Moving Average data monitor is configured to display multiple graphs simultaneously, you can open it using the Statistics Chart or Tile format options described in Creating or Editing a Dashboard.
This data monitor calculates its statistics from the requested number of samples. Until a full set of samples accumulates, the statistics only approach their nominal value; this is indicated by appending /Partial to the event category when the values represent an incomplete sample, which helps prevent false positives. This is most applicable to /DataMonitor/MovingAverage/Threshold/ events.
When either the Moving Average or Statistics data monitor gains or loses a value grouping during processing (for example, a Priority value), it issues an internal event whose categorization carries a Value/Add or Value/Remove suffix. This makes it possible to detect anomalous drops to zero, which could otherwise be missed if the group is removed because of the discard threshold and a Threshold/Falling event could not be sent (because the Maximum Alarm Frequency setting was exceeded).
Both the Moving Average and Statistics data monitors have a Stats Value Field. When used, this attribute focuses the monitor's statistical analysis on the numeric value of a specified field rather than on the quantitative flow of events. Analyzing numeric fields within events enables a broad number of possibilities for status monitoring, especially with custom strings and ArcSight Audit Events.
The Value Calculation field offers additional time-sensitive options for monitoring in second or minute increments. Monitoring per-second can catch abrupt spikes or drops; monitoring per-minute allows the same capability but may be more appropriate for larger integer values.
| Parameter | Description |
|---|---|
| Data Monitor Name | Type a data monitor name. |
| Enable Data Monitor | Select the check box to enable the data monitor and collect data from the Manager. If not selected, the associated viewer configuration will not display any data. Depending on the permissions associated with the user group to which you belong, you may or may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more information, see Enabling or Disabling a Data Monitor. |
| Restrict by Filter | Specifies whether to restrict the data monitor to a particular filter. When restricting by filter, you focus on a filter that is of particular interest to you and also reduce the number of events the data monitor retrieves. From the drop-down menu, double-click a filter or accept the default to receive all events. |
| Availability Interval | Set the number of seconds to use as the interval between monitor updates. |
| Select Field Set | Specify a field set for use in data monitor drill-downs. When this data monitor is displayed, the user can double-click a chart area or table row that represents an event to bring up a drill-down channel for that event. The field set specified here determines the columns (fields) shown in the drill-down channel. (See Monitoring Dashboards for information on data monitor drill-downs.) |
| Stats Value Field | Specify a particular numeric field within events to use for statistical evaluation, rather than the overall flow of events. For example, specifying the Priority field would focus the data monitor on changes to the value of the Priority field in events, instead of on changes to the number of events encountered. The default is Aggregated Event Count, which is the sum of all aggregated events. Tip: Events can be aggregated at the Connector on specified fields. This pares down the number of events of the same type that the Manager must process. |
| Value Calculation | Controls the way the time-based accumulation of values is evaluated against the number of events involved. The default is Sum of values, which is the sum of all Stats Value Field event values. Average value per event divides the value by the number of events in the unit. Average value per second divides the value by the number of seconds in the unit. Average value per minute divides the value by the number of minutes in the unit. For finer time-sensitive value calculations, also consider using the Number of Samples and Sampling Interval so that results are neither too shallow nor too acute to be meaningful. |
| Group By | Group by the specified field (for example, Priority). |
| Sorted By | Sort by the values found in fields or by the percentage of change in those values. |
| Alarm Change Threshold (%) | Specifies the moving average threshold, the percent change from the moving average, that sends a threshold exceeded event to the ArcSight Console. The threshold exceeded event is sent to the Console and can be used to create a rule. For more information on rules, see Managing Rule Actions. Type in a percentage. The default is 50. |
| Number of Samples | Type the number of Sampling Intervals to use to calculate the moving average. The most recently stored Sampling Intervals are used to calculate the moving average. For example, if Number of Samples is five, the last five Sampling Intervals are used to calculate the moving average. |
| Number of Visible Groups | Set the number of rows of results to display in the data monitor for each combination of ordering fields specified in the Group By parameter. |
| Sampling Interval | Type the time interval used to calculate the moving average, in seconds. For example, if the Sampling Interval is 5 minutes, the moving average is calculated every 5 minutes. The default is 300. |
| Group Discard Threshold | Specifies the minimum event count needed to generate a threshold exceeded event. For example, the event count could change from 1 to 2, a 100% change that results in a threshold exceeded event. To prevent these types of changes from generating a threshold exceeded event, specify the minimum event count needed. If you want all events generated regardless of the event count, type 0. |
| Maximum Alarm Frequency | Minimum time (in seconds) to wait before sending alarms for the same group. |
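The following is an added example, not ArcSight's own code: a simplified simulation of how Number of Samples, Alarm Change Threshold (%), Group Discard Threshold and Maximum Alarm Frequency interact when per-interval counts are grouped by a field, emitting the Value/Add, Value/Remove, Threshold/Rising and Threshold/Falling categories (with the /Partial suffix) described above. The per-interval counts and the source address group are constructed; the internal ordering of checks is an assumption.

```python
from collections import deque

CAT = "/DataMonitor/MovingAverage"  # category prefix used by the monitor's events


class MovingAverageMonitor:
    # Simplified model of the data monitor's parameters (assumption, not ArcSight code).
    def __init__(self, number_of_samples=5, sampling_interval=300,
                 alarm_change_threshold=50.0, group_discard_threshold=0,
                 max_alarm_frequency=0):
        self.n = number_of_samples              # Sampling Intervals in the average
        self.interval = sampling_interval       # seconds per sample
        self.pct = alarm_change_threshold       # Alarm Change Threshold (%)
        self.discard = group_discard_threshold  # Group Discard Threshold
        self.max_freq = max_alarm_frequency     # Maximum Alarm Frequency (seconds)
        self.windows = {}                       # group -> deque of recent values
        self.last_alarm = {}                    # group -> time of last alarm
        self.now = 0

    def process_interval(self, counts):
        """counts: {group: value in this Sampling Interval}. Returns (group, category) events."""
        self.now += self.interval
        events = []
        for group in counts:
            if group not in self.windows:       # a new value grouping appeared
                self.windows[group] = deque(maxlen=self.n)
                events.append((group, CAT + "/Value/Add"))
        for group in list(self.windows):
            value = counts.get(group, 0)        # absent group counts as zero
            window = self.windows[group]
            if value < self.discard:            # below Group Discard Threshold: drop group
                del self.windows[group]         # Value/Remove makes the drop visible
                self.last_alarm.pop(group, None)
                events.append((group, CAT + "/Value/Remove"))
                continue
            if window:                          # compare against the moving average so far
                avg = sum(window) / len(window)
                change = (value - avg) / avg * 100 if avg else (float("inf") if value else 0.0)
                quiet = self.now - self.last_alarm.get(group, -self.max_freq)
                if abs(change) >= self.pct and quiet >= self.max_freq:
                    suffix = "/Partial" if len(window) < self.n else ""  # incomplete sample set
                    direction = "Rising" if change > 0 else "Falling"
                    events.append((group, f"{CAT}/Threshold/{direction}{suffix}"))
                    self.last_alarm[group] = self.now
            window.append(value)
        return events


def run_scenario():
    """Constructed counts for one source-address group; returns the emitted events."""
    mon = MovingAverageMonitor(number_of_samples=3, sampling_interval=300,
                               alarm_change_threshold=50, group_discard_threshold=2,
                               max_alarm_frequency=600)
    out = []
    for counts in ({"10.0.0.5": 10}, {"10.0.0.5": 12}, {"10.0.0.5": 20},
                   {"10.0.0.5": 40}, {"10.0.0.5": 1}):
        out.extend(mon.process_interval(counts))
    return out
```

In the scenario the jump to 40 is suppressed by Maximum Alarm Frequency (only 300 s after the previous alarm), and the drop to 1 falls below the discard threshold, so only the Value/Remove event reveals it.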
For example, you could design a Moving Average data monitor that displays the moving average of events on a per-source-address basis.
In ArcSight Reports/Custom Reports/Moving Average Report, you can specify the name of the dashboard as a parameter (the same as the moving average event name), and specify the detect time range to report on.
Note: You can also have a rule trigger based on the moving average of events coming in, independent of defining reports based on moving average events.