Patterns

George Alpizar
George Alpizar
  • Updated

Overview

You can use this document to learn about the data displayed in the Patterns page of the Edge Delta App. 

At a high level, the Patterns page displays detected patterns with negative sentiment. 

  • A negative pattern is based on the negative terms that populate the Sentiment Patterns section of the Global Settings page. 

Additionally, this page is populated based on the configurations of your processors, specifically the clustering processor. 

 

Note

Most users, especially new users, will have default processors already configured for their account; however, if your account does not have any existing processors, then the Patterns page will be empty.


Understand Filter Options

Review the following filter options that you can use to update the Negative Patterns graph and the All Patterns graph:

Filter Option Description
Group By

This option allows you to filter data based on data sources. 

The listed data sources are based on the selected tag and source type. 

  • To select a tag and source type, on the top, right corner, click Filters. Select a tag, and then select an input type. The Group By menu will refresh with data sources associated with the tag. 
Include

This option allows you to filter for specific terms:

  • If a specified term is not detected in a pattern, then that pattern will not be displayed in the app. 
  • If a specified term is detected in a pattern, then that pattern will be displayed in the app.

Note

If you specify both an Include term and an Exclude term, then the Exclude term will override potential filter conflicts. 

Exclude

This option allows you to filter for specific terms:

  • If a specified term is detected in a pattern, then that pattern will not be displayed in the app. 
  • If a specified term is not detected in a pattern, then that pattern will be displayed in the app. 

Note

If you specify both an Include term and an Exclude term, then the Exclude term will override potential filter conflicts. 

Pattern Merge Level

This option allows you to merge similar patterns together. As a result, if you select a pattern merge level, then the list of unique patterns will be reduced. 

  • High indicates a higher probability of merging patterns that are similar. 
  • Low indicates a lower probability of merging patterns that are similar. As a result, with low, more unique patterns will display.
  • None will not merge any similar patterns.  
Previous Period (Offset) This column will display a percentage to indicate if the pattern's detection increased or decreased in the previous lookback period. 
Last Week (Offset)

This option will add a new column in the All Patterns graph, named Delta Week

This column will display a percentage to indicate if the pattern's detection increased or decreased in the previous week. 

Yesterday (Offset)

This option will add a new column in the All Patterns graph, named Delta Day

This column will display a percentage to indicate if the pattern's detection increased or decreased in the previous day. 

Volatile (View Options)

This option will display newly detected patterns or patterns with a high anomaly score.

Unique (View Options)

This option will display one graph entry for each detected pattern; the graph will not display multiple entries for the same pattern.

Specifically the label for the y-axis of the graphs will update to display Unique Counts.

Extra Filtering Options

On the right-side of the graphs, on the color-coded legend, you can click on a particular entry to show (or hide) that entry in the graph.

  • In the legend, an entry that is gray indicates that the entry is not displayed in the graph. You can click on entry to restore the color and to display the entry in the graph. 

Understand Graph Types

Graph Type Description
Negative Patterns

This graph displays patterns that contain a negative term.  

A negative pattern is based on the negative terms that populate the Sentiment Patterns section of the Global Settings page. 

If any negative term is detected in a pattern, then that pattern will be considered a negative pattern; however, if a neutral term is also contained in the pattern, then the pattern will not be considered negative. 

  • In other words, if a pattern contains both a negative and a neutral term, then the neutral term will override the negative term. 
  • To learn more about neutral and negative terms, see Understand and Manage Sentiment Patterns.

Note

There are 2 ways to view additional detailed information about the graph entries.

  • You can hover over a specific graph entry to view a pop-up window with the following information: 
    • Name
    • Count
    • Timestamp
  • You can click on a specific graph entry to be redirected to the Cluster Samples page to view cluster-related information for the selected graph entry, including a breakdown of the detected pattern.
All Patterns

This graph displays both negative and neutral patterns. 

Patterns are negative or neutral based on the terms detected in the pattern.

A list of negative and neutral terms are located in the Sentiment Patterns section of the Global Settings page. 

 

Note

There are 2 ways to view additional detailed information about the graph entries.

  • You can hover over a specific graph entry to view a pop-up window with the following information: 
    • Name
    • Count
    • Timestamp
  • You can click on a specific graph entry to be redirected to the Cluster Samples page to view cluster-related information for the selected graph entry, including a breakdown of the detected pattern.

 

Note

To view a list of neutral patterns, you can:

  • Access the Overview page and then review the information listed in the Top Neutral Patterns table. 
  • Access the Patterns page and then update the filter settings to remove any negative patterns. 
    • On the left-side navigation, click Data Pipeline, and then click Global Settings
    • Click the arrow next to Sentiment Patterns to expand, and then copy the text under Negative Patterns
    • Return to the Patterns page, and then in the top, under Exclude, paste the copied text, and then press Enter on your keyboard. 

Understand Top Patterns Table

To better understand the data that populates the Top Patterns table, review the following table: 

Column Description
Pattern

This column displays the name of the detected pattern. 

Pattern names are based on the agent's configuration, specifically clustering processors. 

Count

This column displays the number of detected instances of the pattern within the configured lookback period. 

% Of Total

This column displays the percentage of the pattern that was detected in relation to all other detected patterns. 

For example, if this column displays 18%, then the corresponding pattern makes up 18% of all detected patterns. 

Delta P.P. (Delta Day, Delta Week)

This column displays a percentage to indicate if the pattern's detection increased or decreased in the previous lookback period.

In other words, this column's percentage is a comparison of the pattern's detection from the previous lookback period and current lookback period. 

For example, if you set a lookback period of 24 hours, then the Patterns page will display patterns from the previous 24 hours. As a result, this column will display a percentage of the pattern's detection from 48 hours ago (the previous lookback period) and 24 hours (the current lookback period). 

Sentiment

This column displays the sentiment score for the corresponding pattern. 

A sentiment score can range from a negative number to 0.

In this column:

  • A negative number is represented by a thumbs down.
  • A neutral number is represented by a double arrow <->. 

To learn more about sentiment patterns, see Understand and Manage Sentiment Patterns.

 

Note

You can click on a specific table entry to be redirected to the Cluster Samples page to view cluster-related information for the selected graph entry, including a breakdown of the detected pattern.


Understand and Manage Sentiment Patterns

In the Global Settings page, the Sentiment Patterns section lists negative and neutral terms. 

These terms are used to determine if a detected pattern is a neutral pattern or a negative pattern.

If a pattern contains a negative term, then a negative score will be assigned to the pattern. If a pattern contains multiple negative terms, then a lower negative score will be assigned to the pattern. 

A neutral term will override a negative term. In other words, if a neutral term is detected in the pattern, then a score of 0 will be assigned, regardless if the pattern contains several negative terms. 

To view or update sentiment patterns:

  1. In the Edge Delta App, on the left-side navigation, click Data Pipeline, and then click Global Settings
  2. Navigate to Sentiment Patterns and then expand the menu. 
  3. Review the list of terms.
    • You can add or remove terms in the field.
    • After you make a change, click Update to save.

Note

Sentiment scores are not displayed in the Edge Delta App; however, related values are sent to  some streaming destination, represented as sentiment_score.


Create a Pattern Alert Monitor

You can create a pattern alert monitor to analyze a pattern's behavior. 

If an anomaly is detected in the pattern, then the monitor will create a finding. 

Note

Findings are displayed in the Insights screen. 

  • To learn more about the Insights page, see Insights.
  1. In the Edge Delta App, on the left-side navigation, click Observability, and then click Patterns.
  2. On the top, right corner, click Filters
  3. Select an agent tag and a corresponding source type.
    • As an optional step, you can also select a corresponding source. 
    • Click Apply Filters
  4. Under Create Alert, click Pattern Alert.
  5. Complete the missing fields:
    Field Description
    Name Enter a descriptive name for the monitor. 
    Type

    This field will be pre-populated with the monitor type that you previously selected. 

    Filters

    This field will be pre-populated with the tag and source type that you previously selected. 

    Group By

    Select a data source to monitor. 

    The listed data sources are based on the selected tag and source type. 

    (Advanced Settings) Merge Level

    Select an option to merge similar patterns together. As a result, based on the configuration you select, the list of unique patterns will be reduced. 

    • High indicates a higher probability of merging patterns that are similar. 
    • Low indicates a lower probability of merging patterns that are similar. As a result, with low, more unique patterns will display.
    • None will not merge any similar patterns.  
    (Advanced Settings) Minimum Proportion

    Enter the minimum ratio between detected negative patterns and all patterns needed to trigger an alert. 

    If the number you enter is less than the ratio of detected negative patterns versus all patterns, then this monitor will not alert. 

    A high number indicates that fewer alerts will be generated. 

    (Advanced Settings) Minimum Count

    Enter the minimum amount of detected negative patterns needed to trigger an alert.

    If the number you enter is less than the number of detected negative patterns, then this monitor will not alert. 

    A high number indicates that fewer alerts will be generated. 

    (Advanced Settings) Delta Threshold

    This option represents the difference between the number of negative patterns detected in the current lookback period versus the previous lookback periods. 

    Enter the number of negative patterns detected in the current lookback period versus of previous lookback periods needed to trigger an alert. 

    If the number you enter is less than the number of negative patterns detected in previous periods (offset, lookback period), then this monitor will not alert.  

    A high number indicates that fewer alerts will be generated. 

    (Advanced Settings) Anomaly Threshold

    Enter the minimum anomaly score of a negative pattern needed to trigger an alert.

    If the number you enter is less than the anomaly score of a negative pattern, then this monitor will not alert. 

    A high number indicates that fewer alerts will be generated. 

    Email Recipients

    Enter an email address to receive notifications from this monitor. 

    Trigger Endpoints

    Select an existing trigger integration or output to receive notifications from this monitor. 

    To learn how to create a trigger output or integration, see Review Parameters for Trigger Outputs and Integrations.

    Suppression Window

    After you receive an initial notification, you can use this option to pause notifications for similar alerts. 

    Timezone

    Select a timezone that will be used as part of the timestamp in the notification. 

    Enabled

    Mark Yes to receive notifications from this monitor. 

    Mark No to no longer receive notifications from this monitor.

  6. Click Save
    • The newly created monitor will display in the Configuration section of the Monitors page. 
  1.  

Note

You can update existing monitors in the Monitors page. 


Create a Skyline Alert Monitor

You can create a skyline alert monitor to analyze a pattern's behavior. 

If an anomaly is detected in the pattern, then the monitor will create a finding. 

Note

Findings are displayed in the Insights screen. 

  • To learn more about the Insights page, see Insights.
  1. In the Edge Delta App, on the left-side navigation, click Observability, and then click Patterns.
  2. On the top, right corner, click Filters
  3. Select an agent tag and a corresponding source type.
    • As an optional step, you can also select a corresponding source. 
    • Click Apply Filters
  4. Under Create Alert, click Skyline Pattern.
  5. Complete the missing fields:
    Field Description
    Name Enter a descriptive name for the monitor. 
    Type

    This field will be pre-populated with the monitor type that you previously selected. 

    Filters

    This field will be pre-populated with the tag and source type that you previously selected. 

    Group By

    Select a data source to monitor. 

    The listed data sources are based on the selected tag and source type. 

    (Advanced Settings) Unique

    Mark this option to only display one graph entry for each detected pattern; the graph will not display multiple entries for the same pattern.

    Specifically the label for the y-axis of the graphs will update to display Unique Counts.

    (Advanced Settings) Minimum Proportion

    Enter the minimum ratio between detected negative patterns and all patterns needed to trigger an alert. 

    A high number indicates that fewer alerts will be generated. 

    (Advanced Settings) Sum Anomaly Multiplier

    Enter a baseline number of pattern counts.

    This number will be multiplied to create the dynamic skyline threshold. 

    A high number indicates that fewer alerts will be generated. 

    Email Recipients

    Enter an email address to receive notifications from this monitor. 

    Trigger Endpoints

    Select an existing trigger integration or output to receive notifications from this monitor. 

    To learn how to create a trigger output or integration, see Review Parameters for Trigger Outputs and Integrations.

    Suppression Window

    After you receive an initial notification, you can use this option to pause notifications for similar alerts. 

    Timezone

    Select a timezone that will be used as part of the timestamp in the notification. 

    Enabled

    Mark Yes to receive notifications from this monitor. 

    Mark No to no longer receive notifications from this monitor.

  6. Click Save
    • The newly created monitor will display in the Configuration section of the Monitors page. 

Note

You can update existing monitors in the Monitors page. 


Suppress Notifications for Specific Findings

You can use these instructions to learn how to suppress notifications for a specific finding. When you suppress a finding, the finding will no longer be displayed in the Insights page. Additionally, any future detection of the finding will not be displayed.

By default, in the Edge Delta App, the button to suppress notifications is hidden. As a result, you must enter a URL with the specified finding ID to view the button in the app.

  1. In the Edge Delta App, on the left-side navigation, click Observability, and then click Insights.

    • This step only applies if you want to suppress findings generated from a pattern alert monitor. 
  2. Navigate to the Signals, Findings, and Events table, and then click Findings to filter the table.

    • This step only applies if you want to suppress findings generated from a pattern alert monitor. 
  3. Locate the desired finding, and then copy the Finding ID.

    • This step only applies if you want to suppress findings generated from a pattern alert monitor. 
  4. In a separate browser window or tab, enter the following URL:

    • To suppress a finding generated from a pattern alert monitor, enter the following URL. You must replace FINDINGID with the finding ID you copied earlier. 
      • https://app.edgedelta.com/patterns?lookback=168h&pattern_offset=&pattern_merge_level=None&pattern_finding_id=FINDINGIDd&fb=true
    • To suppress a finding generated from a skyline alert monitor, enter the following URL:
      • https://app.edgedelta.com/patterns?lookback=168h&pattern_offset=&pattern_merge_level=None&fb=true 
  5. When you hit Enter, you will be redirected to the Patterns page with the specified filters already applied, including the finding_id.

    • If you receive an error message about an invalid finding ID, then to troubleshoot, click Filters, expand the date range, and then click Apply Filters.

      • If the date range does not include when the finding Id was generated, then the finding ID may be considered invalid.

  6. In the top menu with filtering options, locate the Finding Status option.

  7. To suppress notifications for the specific findings, ensure that the Finding Status is Inactive.


Related Documentation

Monitors, specifically the pattern-check and pattern-skyline monitors, analyze the behavior of the pattern. If an anomaly is detected with the pattern data, then the monitor will create a finding.

  • To learn more about anomalies, see Anomalies.
  • To learn more about findings, see Insights.
  • To learn more about monitors, see Monitors.

Share this document