Creating a Data Monitor
Where: Navigator > Resources > Dashboards > Data Monitors tab
- Right-click a data monitor group and choose New Data Monitor.
- In the Data Monitor Editor, select a Data Monitor Type from the drop-down menu.
Data Monitor Types
- Enumerate the number of real-time hits (events) that occur per asset category, by priority, within a time interval.
- Provide flow-volume level correlation between two different event streams (based on two different specified filters).
- Draw real-time diagrams of selected event activity, automating the graphing of attacks in real time. The manual operations are described in Graphing Attacks.
- Draw a real-time geographic map of selected events. In effect, it does automatically and in real time what you can do manually, as described in Graphing Attacks.
- Draw an image made up of proportionally sized panels, where each panel represents a group of events selected by the group fields specified in the source node identifier. A source-node criterion can be a combination of fields. The Hierarchy Map data monitor includes several enhancements, as described in Hierarchy Map Features.
- Display the total count of events on an hourly basis, along with their Priority.
- Order events based on a specified configuration. In the Table Viewer, the monitor displays the most recent events by Priority, Event Name, Protocol, and Category. With the BarChartTable configuration, the order is by Priority and Event Name. The PieChart configuration is ordered by Priority.
- Provide an extra level of abstraction that you can use to simplify the information presented to operators. Sometimes called indicator lights or heads-up displays, these monitors show graphics that translate more complex values into simple, rapidly observable results such as green/amber/red signal lights or checkmark/asterisk/exclamation point symbols. Last State data monitors could also be called most recently known state monitors.
- Display the moving average of events by a selected data field. The display provides a running count of events within a specified time frame and generates an event when the moving average changes significantly.
- Display rules that have partial matches and the total number of partial-match events within a specified time frame. For more information on partial matches, see Managing Rule Actions.
- Provide a broader generalization of Moving Average data monitor functionality that allows selection of other statistical methods in addition to Moving Average: Average, Moving Average, Standard Deviation, Skew, and Kurtosis. These added capabilities can be used to detect anomalous behavior that could not be detected using a moving average alone.
- Provide measurements based on ArcSight Manager internal monitoring system Java classes and attributes. A number of system monitors that might be particularly useful to ArcSight administrators are provided as predefined System Data Monitors that you can include in your dashboard displays to monitor system performance.
- Similar to System Monitor, except that, rather than providing measurements for all attributes of a specified Java class, it focuses on a single attribute of a given ArcSight Java class. Used primarily for measurements on attributes that provide complex data structures.
- Display top events by selected data field, the total number of events, and the event Severity within the total number of events, with the Table and BarChartTable viewer configurations.
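The Moving Average and Statistics data monitors described above compute a moving average over bucketized event counts and raise an event when that average changes significantly; the following added Python example (not ArcSight code) shows that computation over constructed per-minute event counts, with the window size and percentage threshold as assumed parameters, and adds the skew and kurtosis moments the Statistics monitor can select.

```python
"""Added example (not ArcSight code): what a Moving Average / Statistics
data monitor computes over bucketized event counts."""
from collections import deque
from statistics import mean, pstdev

# Constructed per-minute event counts for one asset category (not real data).
# Minutes 10 and 11 carry a burst that a flat threshold on raw counts might
# miss if tuned for the quiet periods, but the moving average jumps sharply.
EVENT_COUNTS = [12, 14, 13, 15, 12, 14, 13, 16, 14, 13, 58, 61, 15, 14]


def moving_average(values, window):
    """Moving average after each sample, over the last `window` samples."""
    buf = deque(maxlen=window)
    out = []
    for v in values:
        buf.append(v)
        out.append(sum(buf) / len(buf))
    return out


def skew_and_kurtosis(values):
    """Population skewness and excess kurtosis (3rd and 4th standardized moments)."""
    n = len(values)
    mu = mean(values)
    sd = pstdev(values)
    if sd == 0:
        return 0.0, 0.0  # constant series: no shape to measure
    m3 = sum((v - mu) ** 3 for v in values) / n
    m4 = sum((v - mu) ** 4 for v in values) / n
    return m3 / sd ** 3, m4 / sd ** 4 - 3.0


def significant_changes(values, window, threshold_pct):
    """Indices at which the moving average moves by more than threshold_pct
    relative to its previous value; the monitor would emit an event for each."""
    ma = moving_average(values, window)
    hits = []
    for i in range(1, len(ma)):
        prev = ma[i - 1]
        if prev > 0 and abs(ma[i] - prev) / prev * 100 > threshold_pct:
            hits.append(i)
    return hits


if __name__ == "__main__":
    # Assumed tuning: 5-minute window, alert on a >50% change of the average.
    print("moving average:", [round(x, 1) for x in moving_average(EVENT_COUNTS, 5)])
    print("alert at minutes:", significant_changes(EVENT_COUNTS, 5, 50))
    print("skew, excess kurtosis:", skew_and_kurtosis(EVENT_COUNTS))
```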
- Based on the data monitor type you have selected, specify values and options in the applicable fields to define the data monitor's data collection. Details on fields and appropriate values are given in the information about each data monitor type.
Note: Depending on the permissions associated with the user group to which you belong, you may or may not have an option to Enable (deploy) or disable (un-deploy) the data monitor. For more information, see Enabling or Disabling a Data Monitor.
- If the data monitor uses data fields for evaluation, use the Variables tab to create a new specialized field, if necessary.
The following data monitors support variables:
- Event graph
- Hierarchy Map
- Last N Events
- Last State
- Moving Average
- Statistics
- Top Value Counts (bucketized)
- If the Data Monitor type supports drilldowns to other resources, use the Drilldown tab to configure it. The following types of Data Monitors support drilldowns:
  - Event Graph
  - Hierarchy Map
  - Last N Events
  - Last State
  - Moving Average
  - Statistics
  - Top Value Counts (Bucketized)
  See Adding a Drilldown for instructions.
- Click OK.
If you select a data monitor that does not support variables, the Variables tab is disabled.
You can also add a global variable anywhere fields can be added. See Adding a Global Variable to a Data Monitor.
To add the new monitor to the current dashboard, right-click it and choose Add to Dashboard As.