Statistics Data Monitor
The data monitor type is chosen when you create a new data monitor. For information on how to create a data monitor, see Creating a Data Monitor.
The Statistics Data Monitor provides a broader generalization of Moving Average data monitor functionality, except that it allows selection of other statistical methods in addition to Moving Average. Statistical methods include Average, Moving Average, Standard Deviation, Skew, and Kurtosis. These added capabilities could be used to detect anomalous behavior that could not be detected using moving average alone.
For example, monitoring the standard deviation of event data allows alarms to be triggered when there are sudden shifts in the rate of change of an event flow. This would allow alarms to be triggered when the protected network has been infected with a worm, but not when the network traffic rises due to normal use.
Both the Statistics and Moving Average data monitors have a Stats Value Field. When used, this attribute focuses the monitor's statistical analysis on the numeric value of a specified field rather than on the quantitative flow of events. Analyzing numeric fields within events enables a broad number of possibilities for status monitoring, especially with custom strings and ArcSight Audit Events.
In dashboards, you can see Statistics data monitors as Statistics Chart or Tile views. Click the View as icon button (
) at the lower-right corner to choose. When in Tile view, you can use the Customize button (
) to change the way data is ordered in the tabular (tiled) presentation. The customization choices are by row-and-column and by cell. Row-and-column is quicker to set up than cell because there are fewer adjustments, but cell does give you the option to set the contents of each tile in the data monitor.
When either the Moving Average or Statistics data monitors gain or lose a value grouping during processing (for example, Priority), they issue an internal event. The data monitor's event categorization shows a Value/Add or Value/Remove suffix. This makes it possible to detect anomalous drops to zero, which can otherwise be missed if the monitor is removed because the discard threshold and a Threshold/Falling event could not be sent (due to exceeding the Maximum Alarm Frequency setting.
These tiled views are "fixed," meaning that the tiles in the array will keep their positions, relative to each other and to the dashboard.
|
Parameter |
Description |
|---|---|
|
Data Monitor Name |
Enter a data monitor name. |
|
Enable Data Monitor |
Select the check box to enable the data monitor and collect data from the Manager. If not selected, the associated viewer configuration will not display any data. Depending on the permissions associated with the user group to which you belong, you may or may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more information, see Enabling or Disabling a Data Monitor. |
|
Restrict by Filter |
Choose to restrict the data monitor to a particular filter. When restricting by filter, you focus on a filter that is of particular interest to you and also reduce the number of events the data monitor retrieves. |
|
Availability Interval |
Set the number of seconds to use as the interval between monitor updates. |
|
Select Field Set |
Specify a field set for use in data monitor drill-downs. When this data monitor is displayed, the user can double-click on a chart area or table row that represents an event to bring up a drill-down channel for that event. The field set specified here will determine the columns (fields) shown in the drill-down channel. (See Monitoring Dashboards for information on data monitor drill-downs.) |
|
Statistics Type |
Choose the type of statistical calculation the data monitor will perform. The available types are Average, Identity, Kurtosis, Skew, Standard Deviation, and Variance. |
|
Stats Value Field |
Specify a particular numeric field within events to use for statistical evaluation, rather than the overall flow of events. For example, specifying the Priority field would focus the data monitor on changes to the value of the Priority field in events, instead of on changes to the number of events encountered. |
|
Group By |
Group by the specified field (for example, Name) |
|
Sorted By |
Choose to sort results by value, sample count, statistics, or triggering criteria. |
|
Alarm Trigger Condition |
Enter a conditional expression on which to trigger alarms. You can use any mathematical expression that employs these three variables, using n as the Number of Samples: c = The new sample ps = Statistics from previous n samples excluding c s = Statistics from the last n samples including c For example, the following expression would trigger when the current sample goes beyond 500:
An expression that triggers when the statistics reach 500 would be:
As a matter of interest, the Moving Average data monitor is in effect a special case of the Statistics data monitor, based on this expression: where See Data Monitor Expressions for more information about the operators and functions supported in this and similar data monitor parameters that accept conditional expressions. |
|
Specify the number of most-recent Sampling Intervals to retain in memory and use to calculate event statistics. For example, if you set it to retain 5 sampling intervals, the last five periods (as specified in the Sampling Intervals attribute) are used to calculate the moving average. |
|
|
# of Groups to Display |
Set the number of rows of results to display in the data monitor for each combination of ordering fields specified in the Group By parameter. |
|
Sampling Interval |
Enter the time interval for recalculating event statistics, in seconds. For example, if the Sampling Interval is 5 minutes, the moving average is calculated every 5 minutes. |
|
Group Discard Condition |
Enter a condition (a filtering expression) by which to remove certain result rows from consideration in statistical calculations, based on the result ordering set in the Group By attribute. See Data Monitor Expressions for more information about the operators and functions supported in this and similar data monitor parameters that accept conditional expressions. |
|
Maximum Alarm Frequency |
Minimum time (in seconds) to wait before sending alarms for the same group. |