Service Analytics

The Service Analytics (com.snc.sa.analytics) plugin enhances Event Management by providing analytic functionality.

Event Management analytic capability supports alert data analysis and alert aggregation for technical services, manual services, and alert groups. It also provides root cause analysis (RCA) for business services discovered by Service Mapping, manual services, and automated alert groups that were correlated by timestamp.

With the Event Management analytic capability, you can do the following:
  • Aggregate alerts to create automated alert groups.

    Correlate alerts according to timestamps and CI identification to create automated alert groups. Alert correlation helps organize incoming real-time alerts and reduce alert noise.

  • Apply RCA to automated alert groups.
  • Apply RCA to discovered business services and to manual services.
  • Correlate alerts based on CIs' relationships in the CMDB to create CMDB alert groups.
  • Generate a pattern for a manual alert group and then create an automated alert group according to that pattern.
  • Visualize the correlation between alerts, services, and root cause CIs for discovered business services and for manual services in a service map.

Alert aggregation

Alerts are grouped based on the CI that is associated with the alerts. Service Analytics groups alerts that are similar, but not necessarily identical, and that were created close together in time.

Alert aggregation has these components:
Alert Aggregation Learner
An offline job that runs once a day to process past alerts. The Alert Aggregation Learner identifies patterns of related alerts using a combination of pattern-based and probabilistic techniques. If the sa_analytics.agg.learner_group_by_property property is set, then before processing starts, the Alert Aggregation Learner groups alerts by the specified CMDB property.
Real Time Query
A scheduled job that runs every minute and updates alert aggregation groups. It tries to match real-time alerts with alert patterns stored in the alert knowledge base.
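
The following is an added illustration of the learner and real-time split described above. It is not ServiceNow code and does not reproduce the Service Analytics algorithm. The co-occurrence rule, the thresholds, the 300-second window, the function names, and the sample alerts are all assumptions constructed for the example.

```python
from collections import Counter
from itertools import combinations

WINDOW = 300  # seconds between alerts before a new burst starts (constructed value)

# Constructed history of (created_epoch_seconds, ci_name) alerts.
HISTORY = [(0, "db01"), (30, "app01"), (60, "web01"),
           (4000, "db01"), (4020, "app01"),
           (8000, "db01"), (8010, "app01"), (8050, "sw-core"),
           (12000, "web01"), (12010, "sw-core")]
LIVE = [(100, "app01"), (130, "db01"), (140, "web01")]  # constructed

def bursts(alerts, window=WINDOW):
    """Split alerts into sets of CIs whose alerts arrived close together in time."""
    out, current, last = [], set(), None
    for ts, ci in sorted(alerts):
        if last is not None and ts - last > window:
            out.append(current)
            current = set()
        current.add(ci)
        last = ts
    return out + ([current] if current else [])

def learn_patterns(history, min_support=2, min_conf=0.6):
    """Offline step: keep CI pairs that recur together often enough."""
    seen = bursts(history)
    single = Counter(ci for b in seen for ci in b)
    pairs = Counter(p for b in seen for p in combinations(sorted(b), 2))
    return {p for p, n in pairs.items()
            if n >= min_support and n / max(single[p[0]], single[p[1]]) >= min_conf}

def group_live(live, patterns, window=WINDOW):
    """Real-time step: group CIs in a live burst that are linked by learned pairs."""
    groups = []
    for burst in bursts(live, window):
        remaining = set(burst)
        while remaining:
            comp, frontier = set(), [remaining.pop()]
            while frontier:
                ci = frontier.pop()
                comp.add(ci)
                linked = {o for o in remaining if tuple(sorted((ci, o))) in patterns}
                remaining -= linked
                frontier.extend(linked)
            if len(comp) > 1:
                groups.append(comp)
    return groups

if __name__ == "__main__":
    print(group_live(LIVE, learn_patterns(HISTORY)))
```

In the constructed data, only the app01/db01 pair recurs often enough to become a pattern, so the live web01 alert stays ungrouped even though it arrived in the same time window.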

RCA for automated alert groups

Service Analytics applies RCA algorithms to automated alert groups if you set the Enable Alert Correlation RCA property to true. RCA identifies the root cause alert within the automated alert group. RCA helps to direct resources to the root cause CI of a problem. Root cause alerts are displayed in the Alert Console.

RCA for discovered business services and manual services

Service Analytics applies RCA algorithms to discovered business services and to manual services to identify a root cause CI within the service. Service Analytics then aggregates similar alerts from the root cause CI and from its related CIs into an automated alert group. An operator can drill down and determine which CIs and alerts are affecting discovered business service and manual service health. This helps to easily identify related issues across the data center, in the context of services.

Alerts for technical services and alert groups are not associated with a service model and do not undergo RCA. Other than being correlated by time and CI, these alerts are not necessarily related to the same underlying problem.