Insights

George Alpizar

Overview

You can use this document to learn about the data displayed in the Insights page. 

At a high level, the Insights page displays pattern-based anomalies, which come from the configurations of your monitors, processors, and Kubernetes environment.


Understand Data Types

The Insights page displays the following data types:

Processor Signals

A signal is a processor-based anomaly. In other words, signals are based on a processor's configuration.

Specifically, when a processor's anomaly score is higher than the configured threshold, a signal is created and displayed on this page.

Signals are the most common type of anomaly.

To learn more, see Processors Overview.

Monitor Findings

A finding is a monitor-based anomaly. In other words, findings are based on a monitor's configuration.

There are 3 default monitors with every account:
  • Pattern Check
    • This monitor checks for anomalies in the patterns / clustering behavior.
  • Pattern Skyline
    • This monitor checks for anomalies in the patterns / clustering behavior.
  • Correlated Finding
    • This monitor checks for large spikes in the rate of signals. For example, if your account typically experiences 5 anomalies per hour, and 100 anomalies are detected, then a correlated finding will trigger.

To learn more about monitors, see Monitors.

Kubernetes Events

An event is a Kubernetes-based anomaly.

By default, Edge Delta consumes Kubernetes system events, and then displays those events on the Insights page.

Filter Data

Review the following filter options that you can use to update the timeline / bar graph. 

Note

These filter options will not update the Signals, Findings, or Events table. 

Filter options and their descriptions:

Group By

This option allows you to filter data based on data sources.

The listed data sources are based on the selected tag and source type.

  • To select a tag and source type, in the top-right corner, click Filters. Select a tag, and then select an input type. The Group By menu refreshes with the data sources associated with the tag.

Previous Period (Offset)

This option displays an icon (a triangle) in the graph to indicate whether detection of the signal, finding, or event increased or decreased compared with the previous lookback period.

Last Week (Offset)

This option displays an icon (an inverted triangle) in the graph to indicate whether detection of the signal, finding, or event increased or decreased compared with the previous week.

Yesterday (Offset)

This option displays an icon (a square) in the graph to indicate whether detection of the signal, finding, or event increased or decreased compared with the previous day.

Understand the Timeline Graph and Bar Graph

To view detailed information about a specific signal, finding, or event, hover over a specific graph entry to view a pop-up window.

To better understand the data in the Timeline graph and in the Bar graph, review the following table:

Processor Signals

Timeline Graph:
  • Severity
    • This data displays a low, medium, or high setting to indicate the severity of a signal.
    • Most signals are considered a medium severity.
  • EDAC
    • This data represents the unique, internal ID used to reference the signal.
  • Timestamp
    • This data represents the date and time when the signal was triggered.
  • Rule
    • This data represents the name of the processor that triggered the signal.

Bar Graph:
  • Name
    • This data represents the name of the processor whose configuration triggered the signal.
  • Count
    • This data represents the number of times that the signal was triggered.
  • Timestamp
    • This data represents the date and time when the signal was triggered.

Monitor Findings

Timeline Graph:
  • Severity
    • This data displays a low, medium, or high setting to indicate the severity of a finding.
    • Most findings are considered a low severity.
  • Causes
    • This data represents the monitor or custom metric that triggered the finding.
  • Finding ID
    • This data represents the unique, internal ID used to reference the finding.
  • Timestamp
    • This data represents the date and time when the finding was triggered.
  • Rule
    • This data represents the name of the processor that triggered the finding.

Bar Graph:
  • Name
    • This data represents the name of the processor whose configuration triggered the finding.
  • Count
    • This data represents the number of times that the finding was triggered.
  • Timestamp
    • This data represents the date and time when the finding was triggered.

Kubernetes Events

Note

To view events in the graph, you must select Kubernetes Events in addition to Monitor Findings or Processor Alerts.

Timeline Graph:
  • The green text displays a brief description of the detected event.
  • Timestamp
    • This data represents the date and time when the event was triggered.
  • Agent Tag
    • This data represents the tag associated with the agent configuration that triggered the event.
  • Namespace
    • This data represents the name of the namespace where the event was detected.
  • Controller Logical Name
    • This data represents the name of the controller that observed the event.
  • Container Name
    • This data represents the name of the Kubernetes container where the event was detected.

Bar Graph:
  • Name
    • This data represents the name of the processor whose configuration triggered the event.
  • Count
    • This data represents the number of times that the event was triggered.
  • Timestamp
    • This data represents the date and time when the event was triggered.

Understand the Processor Signals Table

To better understand the data in the Processor Signals table, review the following table: 

Column descriptions:

Timestamp: This column displays the date and time that the signal was detected.
EDAC: This column displays an internal identification, which is also known as a capture ID. EDAC stands for Edge Delta Anomaly Context.
Metric: This column displays the metric whose configuration triggered a signal. A metric is configured via a processor.
Host: This column displays the host name where the agent is deployed.
Tag: This column displays the tag associated with the agent configuration that triggered the signal.
Source: This column displays the source file, directory, or container of the signal.
Actions: When you click Actions, you are redirected to the Investigation page to view detailed information for the selected signal. This page also displays contextual logs and log patterns.

Understand the Monitor Findings Table

To better understand the data in the Monitor Findings table, review the following table: 

Column descriptions:

Timestamp: This column displays the date and time that the finding was detected.
Finding ID: This column displays an internal identification.
Cause: This column displays the monitor or custom metric that triggered the finding.
Tag: This column displays the tag associated with the agent configuration that triggered the finding.
Source: This column displays the source file, directory, or container of the finding.
Actions: When you click Actions, you are redirected to the Patterns page, filtered to display data for the tag and source that relate to the selected finding.

Understand the Kubernetes Events Table

To better understand the data in the Kubernetes Events table, review the following table: 

Column descriptions:

Timestamp: This column displays the date and time that the event was detected.
Event ID: This column displays an internal identification.
Description: This column displays a description of the event.
Agent Tag: This column displays the tag associated with the agent configuration that triggered the event.
Source: This column displays the source file, directory, or container of the event.
Actions

Disable Notifications for a Specific Finding

You can use these instructions to learn how to disable (suppress) notifications for a specific finding.

Specifically, you can use the Finding Status setting to:

  • Disable notifications for a specific finding
  • No longer display entries of future detections on the Insights page

By default, in the Edge Delta App, the button to suppress notifications is hidden. As a result, you must enter a URL that includes the specific Finding ID to view the setting in the app.

Step 1: Locate a Finding ID

  1. In the Edge Delta App, on the left-side navigation, click Observability, and then click Insights.

  2. Navigate to the Signals, Findings, and Events table, and then click Findings to filter the table.

  3. Locate the desired finding, and then copy the Finding ID.

    • Additionally, note the Timestamp information. 

Step 2: Display and Update the Finding Status Option 

  1. In a separate browser window or tab, copy and paste the following URL:

    • https://app.edgedelta.com/patterns?pattern_offset=168&pattern_merge_level=Medium&pattern_finding_id=FINDINGID&fb=true&lookback=168h
    • In the above URL, replace FINDINGID with the Finding ID you copied earlier.

  2. When you press Enter, you are redirected to the Patterns page in the app, with the specified filters already applied, including the Finding ID.

    • If you receive an error message about an invalid finding ID, then to troubleshoot:

      • Click Filters, expand the date range, and then click Apply Filters.

      • If the specified date range does not include the time when the finding was detected (the Timestamp you noted earlier), the Finding ID may be considered invalid.

  3. In the top menu with filtering options, locate Finding Status.

  4. To suppress notifications for the specific finding, ensure that Finding Status is set to Inactive.

Note

When you navigate away from the Patterns page, the Finding Status setting disappears. As a result, to update the Finding Status setting again, you must enter the same URL with the same Finding ID. In short, you must repeat the steps in these instructions.
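The URL in step 1 and the date-range troubleshooting in step 2 can be checked before you paste anything into the browser. The following Python helper is an added example, not part of the Edge Delta documentation or product: it builds the Patterns URL from the query parameters shown above and tells you whether the finding's Timestamp (noted in Step 1) falls inside the 168h lookback, suggesting a wider window if not. The assumption that pattern_offset and lookback accept other hour values in the same "<N>" and "<N>h" formats is mine, not confirmed by the docs.

```python
from datetime import datetime, timedelta
from urllib.parse import urlencode

PATTERNS_BASE = "https://app.edgedelta.com/patterns"
DEFAULT_LOOKBACK_HOURS = 168  # the 168h (7-day) window used in the documented URL


def within_lookback(finding_iso, now_iso, lookback_hours=DEFAULT_LOOKBACK_HOURS):
    """True if the finding's Timestamp (ISO 8601, e.g. '2024-05-01T10:00:00+00:00')
    falls inside the lookback window that ends at now_iso."""
    finding_ts = datetime.fromisoformat(finding_iso)
    now = datetime.fromisoformat(now_iso)
    age = now - finding_ts
    return timedelta(0) <= age <= timedelta(hours=lookback_hours)


def lookback_hours_needed(finding_iso, now_iso, default_hours=DEFAULT_LOOKBACK_HOURS):
    """Smallest whole number of hours, never below default_hours, that makes the
    lookback window include the finding. Raises if the finding is in the future."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(finding_iso)
    if age < timedelta(0):
        raise ValueError("finding timestamp is later than the current time")
    needed = int(age.total_seconds() // 3600) + 1  # round up to the next full hour
    return max(default_hours, needed)


def build_patterns_url(finding_id, lookback_hours=DEFAULT_LOOKBACK_HOURS):
    """Assemble the Patterns page URL from the query parameters shown in the docs.
    Assumption (hypothetical, not confirmed by the docs): pattern_offset and
    lookback accept other hour values in the same '<N>' and '<N>h' formats."""
    finding_id = (finding_id or "").strip()
    if not finding_id:
        raise ValueError("a Finding ID copied from the Insights page is required")
    params = {
        "pattern_offset": lookback_hours,
        "pattern_merge_level": "Medium",
        "pattern_finding_id": finding_id,  # urlencode escapes any unsafe characters
        "fb": "true",
        "lookback": f"{lookback_hours}h",
    }
    return f"{PATTERNS_BASE}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values, not real Edge Delta identifiers or timestamps.
    finding, now = "2024-05-01T10:00:00+00:00", "2024-05-10T09:00:00+00:00"
    hours = lookback_hours_needed(finding, now)
    print(within_lookback(finding, now), hours, build_patterns_url("FINDING-ID-PLACEHOLDER", hours))
```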