Patterns Page
The Logs - Patterns page displays detected patterns including those with a negative sentiment. It is populated based on the configurations of your processors, specifically the clustering processor. This processor type finds patterns in logs, and then groups (or clusters) these patterns based on similarities.
There are default processors already configured when you install an agent.
To learn more, see Processors.
Negative Patterns Graph
This graph displays patterns that contain a negative term. A negative pattern is based on the negative terms in the Sentiment Patterns section of the Data Pipeline - Pipeline Settings page.
If any negative term is detected in a pattern, then that pattern will be considered a negative pattern; however, if a neutral term is also contained in the pattern, then the pattern will not be considered negative.
In other words, if a pattern contains both a negative and a neutral term, then the neutral term will override the negative term.
All Patterns Graph
This graph displays both negative and neutral patterns. Patterns are negative or neutral based on the terms detected in the pattern. A list of negative and neutral terms are located in the Sentiment Patterns section of the Data Pipeline - Pipeline Settings page.
Viewing Graph Details
There are 2 ways to view additional detailed information about the graph entries.
- You can hover over a specific graph entry to view the Name, Count, and Timestamp.
- You can click on a specific graph entry to open the Cluster Samples page to view cluster-related information for the selected graph entry, including a breakdown of the detected pattern.
Top Patterns Table
The Top Patterns table consists of the fields described below. You can click on a specific table entry to open the Cluster Samples page to view cluster-related information for the selected table entry, including a breakdown of the detected pattern.
Pattern
This column displays the name of the detected pattern. Pattern names are based on the agent’s configuration, specifically clustering processors. To learn more, see Processors.
Count
This column displays the number of detected instances of the pattern within the configured lookback period.
% Of Total
This column displays the percentage of the pattern that was detected in relation to all other detected patterns. For example, if this column displays 18%, then the corresponding pattern makes up 18% of all detected patterns.
Delta P.P. (Delta Day, Delta Week)
This column displays a percentage to indicate whether the pattern’s detection increased or decreased compared with the previous lookback period. In other words, this column’s percentage compares the pattern’s detection in the previous lookback period with its detection in the current lookback period.
For example, if you set a lookback period of 24 hours, then the Patterns page will display patterns from the previous 24 hours. As a result, this column will compare the pattern’s detection between 24 and 48 hours ago (the previous lookback period) with its detection in the last 24 hours (the current lookback period).
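The following is an added worked example, not code from Edge Delta or this documentation, showing how the Count, % Of Total, and Delta P.P. columns can be derived from pattern detections in two consecutive lookback windows. The detections, pattern names, and fixed "now" are constructed for the example, and the definition of Delta P.P. as the change in the pattern’s share of all detections, in percentage points, is an assumption.

```python
# Added worked example (not Edge Delta's code): how the Count, % Of Total and
# Delta P.P. columns can be derived from pattern detections in two lookback windows.
from collections import Counter
from datetime import datetime, timedelta

# Fixed "now" so the example is deterministic and runs offline.
NOW = datetime(2024, 1, 10, 12, 0, 0)


def _at(hours_ago):
    """Timestamp a given number of hours before NOW (helper for the sample data)."""
    return NOW - timedelta(hours=hours_ago)


# Constructed sample detections: (timestamp, pattern name) pairs, in the shape a
# clustering processor would emit them. The pattern names are made up.
SAMPLE_DETECTIONS = (
    [(_at(h), "user * logged in from *") for h in (1, 3, 5, 8, 12, 20)]    # current window: 6
    + [(_at(h), "connection refused to * port *") for h in (2, 6, 18)]     # current window: 3
    + [(_at(4), "disk usage at *%")]                                       # current window: 1
    + [(_at(h), "user * logged in from *") for h in (26, 30, 40)]          # previous window: 3
    + [(_at(28), "connection refused to * port *")]                        # previous window: 1
    + [(_at(36), "disk usage at *%")]                                      # previous window: 1
    + [(_at(60), "disk usage at *%")]                                      # older than both windows: ignored
)


def window_counts(detections, lookback, offset=timedelta(0), now=NOW):
    """Count detections per pattern in the window (now - offset - lookback, now - offset]."""
    end = now - offset
    start = end - lookback
    return Counter(pattern for ts, pattern in detections if start < ts <= end)


def top_patterns_table(detections, lookback=timedelta(hours=24), now=NOW):
    """Build Top Patterns rows for the current lookback window.

    Assumption (not stated on the page): Delta P.P. is the change, in percentage
    points, of the pattern's share of all detections between the previous window
    (offset by one lookback) and the current window.
    """
    current = window_counts(detections, lookback, now=now)
    previous = window_counts(detections, lookback, offset=lookback, now=now)
    cur_total = sum(current.values()) or 1   # avoid division by zero on empty windows
    prev_total = sum(previous.values()) or 1
    rows = []
    for pattern, count in current.most_common():
        share = 100.0 * count / cur_total
        prev_share = 100.0 * previous.get(pattern, 0) / prev_total
        rows.append({
            "pattern": pattern,
            "count": count,
            "pct_of_total": round(share, 1),
            "delta_pp": round(share - prev_share, 1),
        })
    return rows


if __name__ == "__main__":
    for row in top_patterns_table(SAMPLE_DETECTIONS):
        print(f"{row['pattern']:<32} {row['count']:>5} {row['pct_of_total']:>6.1f}% {row['delta_pp']:>+6.1f} p.p.")
```

Changing the `offset` argument of `window_counts` to 24 hours or 7 days while keeping the current window fixed gives the same comparison the Delta 24h and Delta 7D columns describe under Compare to.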
Sentiment
This column displays the sentiment score for the corresponding pattern.
A sentiment score is either a negative number or 0.
In this column:
- A negative number is represented by a thumbs down.
- A neutral score (0) is represented by a double arrow <->.
Filter Options
You can filter the Negative Patterns and the All Patterns graphs on the Logs - Patterns page with the following filter options:
Group By
This option allows you to filter data based on data sources. The listed data sources are based on the selected tag and source type. To select a tag and source type, in the top-right corner, click Filters. Select a tag, and then select an input type. The Group By menu will refresh with the data sources associated with the tag.
Include
This option allows you to filter for specific terms. If a specified term is not detected in a pattern, then that pattern will not be displayed in the app.
If you specify both an Include term and an Exclude term, then the Exclude term will override potential filter conflicts.
Exclude
This option allows you to filter for specific terms. If a specified term is not detected in a pattern, then that pattern will be displayed in the app.
If you specify both an Include term and an Exclude term, then the Exclude term will override potential filter conflicts.
Pattern Merge Level
This option allows you to merge similar patterns together. As a result, if you select a pattern merge level, then the list of unique patterns will be reduced.
- High indicates a higher probability of merging patterns that are similar.
- Low indicates a lower probability of merging patterns that are similar. As a result, with low, more unique patterns will display.
- None will not merge any similar patterns.
Compare to
- Previous Period: This option will add a Previous Period measure to the All Patterns graph to indicate if the pattern’s detection increased or decreased compared to the previous lookback period.
- 24h Prior: This option will add a new column in the Top Patterns table, named Delta 24h. This column will display a percentage to indicate if the pattern’s detection increased or decreased in the previous 24 hours.
- 7d Prior: This option will add a new column in the Top Patterns table, named Delta 7D. This column will display a percentage to indicate if the pattern’s detection increased or decreased in the previous 7 days.
Volatile (View Options)
This option will display newly detected patterns or patterns with a high anomaly score.
Unique (View Options)
This option will display one graph entry for each detected pattern; the graph will not display multiple entries for the same pattern. Specifically, the label for the y-axis of the graphs will update to display Unique Counts.
Extra Filtering Options
On the right side of the graphs, on the color-coded legend, you can click on a particular entry to show (or hide) that entry in the graph. In the legend, an entry that is gray indicates that the entry is not displayed in the graph. You can click on the entry to restore the color and to display the entry in the graph.
Filter Pane
In the filter pane, you can filter the Patterns page by Agent Tag, Source Type, Source, and Host.
Monitors
Monitors, specifically the pattern-check and pattern-skyline monitors, analyze the behavior of the pattern. If an anomaly is detected with the pattern data, then the monitor will create a finding.
Related information:
Configuring Patterns
To configure patterns, click Data Pipeline - Pipeline Settings. The Sentiment Patterns section lists negative and neutral terms. These terms are used to determine if a detected pattern is a neutral pattern or a negative pattern.
If a pattern contains a negative term, then a negative score will be assigned to the pattern. If a pattern contains multiple negative terms, then a lower negative score will be assigned to the pattern. A neutral term will override a negative term. In other words, if a neutral term is detected in the pattern, then a score of 0 will be assigned, regardless of whether the pattern contains several negative terms. A negative pattern is based on the negative terms in the Sentiment Patterns section.
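The following is an added worked example, not Edge Delta’s code, that puts the sentiment rules above and the Include/Exclude filter precedence from Filter Options side by side. The term lists and pattern names are constructed for the example; matching terms as case-insensitive substrings, subtracting 1 per distinct negative term, and requiring every Include term to be present are assumptions made here, not behaviour stated on this page.

```python
# Added worked example (not Edge Delta's code): the sentiment rules from the
# Sentiment Patterns section and the Include/Exclude filter precedence.
# Assumptions made for the example: terms match as case-insensitive substrings,
# each distinct negative term subtracts 1, and every Include term must be present.

# Constructed term lists standing in for the Sentiment Patterns configuration.
NEGATIVE_TERMS = ["error", "fail", "refused", "denied", "timeout"]
NEUTRAL_TERMS = ["errorlevel", "failover"]

# Constructed pattern names, as a clustering processor might produce them.
SAMPLE_PATTERNS = [
    "user * logged in from *",                     # no terms at all
    "connection refused to * port *",              # one negative term
    "auth failed for user *: permission denied",   # two negative terms
    "failover completed for node *",               # "fail" is negative, but "failover" is neutral
    "request timeout after * ms, retrying",        # one negative term
]


def _contains(text, term):
    """Case-insensitive substring match (assumed matching rule)."""
    return term.lower() in text.lower()


def sentiment_score(pattern, negative=NEGATIVE_TERMS, neutral=NEUTRAL_TERMS):
    """0 if any neutral term is present (neutral overrides negative),
    otherwise minus the number of distinct negative terms found."""
    if any(_contains(pattern, t) for t in neutral):
        return 0
    return -sum(1 for t in negative if _contains(pattern, t))


def neutral_patterns(patterns):
    """Patterns whose score is 0, i.e. what a Top Neutral Patterns table would list."""
    return [p for p in patterns if sentiment_score(p) == 0]


def filter_patterns(patterns, include=(), exclude=()):
    """Apply Include/Exclude: drop any pattern containing an Exclude term,
    then keep only patterns containing every Include term. Exclude wins on conflict."""
    kept = []
    for p in patterns:
        if any(_contains(p, t) for t in exclude):
            continue
        if all(_contains(p, t) for t in include):
            kept.append(p)
    return kept


if __name__ == "__main__":
    for p in SAMPLE_PATTERNS:
        print(f"{sentiment_score(p):>3}  {p}")
    print("Include 'user', Exclude 'denied':",
          filter_patterns(SAMPLE_PATTERNS, include=["user"], exclude=["denied"]))
    print("Exclude every negative term:", filter_patterns(SAMPLE_PATTERNS, exclude=NEGATIVE_TERMS))
    print("Score == 0:", neutral_patterns(SAMPLE_PATTERNS))
```

With the substring matching assumed here, the last two results differ: excluding every negative term (the approach in Option 2 under Viewing Neutral Patterns) also drops the failover pattern, whose "fail" is overridden by the neutral term "failover" and which therefore scores 0. Whether the app’s Exclude filter behaves the same way is not stated on this page, so compare the result of Option 2 with the Top Neutral Patterns table on the Overview page before relying on it.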
Creating Alert Monitors
You can create a pattern alert monitor and a skyline alert monitor to analyze a pattern’s behavior.
See the Monitors Page.
Suppressing Notifications
You can suppress notifications for a specific finding. When you suppress a finding, the finding will no longer be displayed in the Insights page. Additionally, any future detection of the finding will not be displayed.
By default, in the Edge Delta App, the button to suppress notifications is hidden. As a result, you must enter a URL with the specified finding ID to view the button in the app.
Suppress findings generated from a pattern alert monitor
- Click Metrics, and then click Anomalies.
- Click Monitor Findings to filter the table.
- Locate the desired finding, and then copy the Finding ID.
- Open a new tab and enter one of the following URLs:
- To suppress a finding generated from a pattern alert monitor, enter the following URL. You must replace FINDINGID with the finding ID you copied earlier. https://app.edgedelta.com/patterns?lookback=168h&pattern_offset=&pattern_merge_level=None&pattern_finding_id=FINDINGID&fb=true
- To suppress a finding generated from a skyline alert monitor, enter the following URL: https://app.edgedelta.com/patterns?lookback=168h&pattern_offset=&pattern_merge_level=None&fb=true You will be redirected to the Patterns page with the specified filters already applied, including the finding_id.
If you receive an error message about an invalid finding ID, click Filters, expand the date range, and then click Apply Filters. If the date range does not include when the finding ID was generated, then the finding ID may be considered invalid.
In the top menu with filtering options, locate the Finding Status option. To suppress notifications for the specific findings, ensure that the Finding Status is Inactive.
Viewing Neutral Patterns
To view a list of neutral patterns, you can:
- (Option 1) Access the Overview page, and then review the information listed in the Top Neutral Patterns table.
- (Option 2) Access the Patterns page, and then update the filter settings to remove any negative patterns:
  - Click Data Pipeline - Pipeline Settings.
  - Expand Sentiment Patterns and copy the text under Negative Patterns.
  - Return to the Patterns page and paste the copied text in the Exclude filter.