Forum Discussion

teppotahkapaa
2 months ago

event_insight database

Is there documentation somewhere that explains the tables in the event_insight database?

We would like to understand what the alert_type and alert_category values used there are. This database could be a really interesting place to find, for example, alert statistics per organization or the noisiest collectors, etc. Those things are otherwise pretty difficult to find.

2 Replies

  • teppotahkapaa We do not publish our database schemas, though we recognize many do like to explore. The event_insight database supports the Event Insights page found in Skylar One via Events > Event Insights, and these metrics are Skylar One organization-aware. By default the Event Insights page will display an aggregate across all Organizations to which the viewing user has visibility, but it may be filtered to a subset (down to a minimum of 1) using the filter icon in the top-right, found next to the time frame selector.

    That said, I can tell you that alert_type corresponds to the source type of the alert (e.g. Internal, Dynamic App, SNMP Trap, etc.) and alert_category is tagging used as a marker for various outcomes of the alert (e.g. an event object was created, the alert didn't match a Skylar One entity, etc.). Again, these are utilized to drive informational statistics within the available Event Insights page.

    Would you be up for sharing the outcome(s) and/or decision(s) that you're seeking to address with this information and the "why" behind them? These may be questions shared by other users and would aid us in understanding growth needs for our Event Insights feature in the future.

  • Hi Bryan,

    First, thanks for showing that filter feature; I hadn't noticed that earlier. Event Insights was only fixed to work in our env a few weeks ago, so until then we had been without this view at all. Several cases have been opened over the years.

    But yes, I can explain a bit more why I am asking these. I have had several discussions and ideas open about getting some more information out of SL1. I am not too worried about events; those are the ones that every user sees, and there are processes to work with those. But I am more worried about what I do not see: the alert messages that are not manifested as events. This insight view now gives me some kind of idea that customerA has been getting, let's say, 400k alerts during the last 24h, and even some kind of trend graph for that metric. But what I need is an answer to "who sends those?", "give me the top 10 syslog shouters", "what devices are sending trap alerts", "is the noise coming from one or several devices", etc. So, seeing under the hood, the data that is pretty difficult to see. The customer has 10k devices, some of them sending a constant flood of traps/syslogs that is not triggering the system-level "too much stuff coming" events. It is not an easy task to go and look at each device's Logs page to find which are the noisy ones.

    Thanks for developing this event_insight database that does a lot of those statistics. As said, the UI/calculations have not worked for us until a few weeks ago, so we have done lots of that studying from that database, which is really a gem for this information. And as said, Event Insights does not answer these kinds of questions. It is still "just" a high-level, general view of the big picture, and we need to see behind it.
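The "who sends those?" questions in the post above (top syslog shouters, trap senders, one device or many, and alerts that never became events) are simple aggregations once the raw alert records are available. The following is an added example, not code from the thread, from ScienceLogic, or from the event_insight database (whose schema the reply says is not published). It assumes a hypothetical export of alert records with the fields named in the code; the field names and all sample rows are constructed for illustration, and `alert_type` follows the values the reply gives while the matched/unmatched outcome is modelled as a boolean in place of the unpublished `alert_category` tags.

```python
"""Rank noisy alert senders from a constructed alert export.

Added example, not vendor code. It does not query event_insight; it assumes a
hypothetical export of alert records with the fields below (all assumed), and
the sample rows are constructed, not real customer data.
"""
from collections import Counter
from typing import Iterable, NamedTuple


class AlertRecord(NamedTuple):
    org: str            # organization the alert is attributed to (assumed field)
    device: str         # sending device, e.g. syslog/trap source (assumed field)
    alert_type: str     # source type of the alert: "Syslog", "SNMP Trap", "Internal", ...
    became_event: bool  # True if an event object was created from the alert (assumed field)


# Constructed sample: one chatty switch floods syslog, one router floods traps,
# a couple of quiet devices, and a second organization to exercise the org filter.
SAMPLE_ALERTS = (
    [AlertRecord("customerA", "sw-core-01", "Syslog", False)] * 400
    + [AlertRecord("customerA", "rtr-edge-02", "SNMP Trap", False)] * 150
    + [AlertRecord("customerA", "sw-access-07", "Syslog", True)] * 20
    + [AlertRecord("customerA", "fw-dmz-01", "Syslog", False)] * 30
    + [AlertRecord("customerB", "srv-db-01", "Syslog", False)] * 90
    + [AlertRecord("customerB", "srv-db-01", "Internal", True)] * 5
)


def select(alerts: Iterable[AlertRecord], org=None, alert_type=None,
           unmatched_only=False):
    """Filter records; unmatched_only keeps alerts that never became events."""
    for a in alerts:
        if org is not None and a.org != org:
            continue
        if alert_type is not None and a.alert_type != alert_type:
            continue
        if unmatched_only and a.became_event:
            continue
        yield a


def top_senders(alerts, n=10, **filters):
    """Return the n noisiest devices as (device, count), loudest first."""
    counts = Counter(a.device for a in select(alerts, **filters))
    return counts.most_common(n)


def noise_concentration(alerts, **filters):
    """Share of the filtered alert volume produced by the single loudest device.

    Close to 1.0 means one device is the problem; a low value means the noise
    is spread across many senders. Returns 0.0 when nothing matches.
    """
    counts = Counter(a.device for a in select(alerts, **filters))
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return counts.most_common(1)[0][1] / total


def volume_by_type(alerts, **filters):
    """Alert count per alert_type, to see whether traps or syslog dominate."""
    return dict(Counter(a.alert_type for a in select(alerts, **filters)))


if __name__ == "__main__":
    print("Top syslog shouters, customerA:",
          top_senders(SAMPLE_ALERTS, org="customerA", alert_type="Syslog"))
    print("Trap senders, customerA:",
          top_senders(SAMPLE_ALERTS, org="customerA", alert_type="SNMP Trap"))
    print("Share of unmatched customerA alerts from the loudest device: %.2f"
          % noise_concentration(SAMPLE_ALERTS, org="customerA", unmatched_only=True))
    print("Volume by type:", volume_by_type(SAMPLE_ALERTS))
```

The `unmatched_only` filter is the part worth keeping: the system-level "too much stuff coming" events only fire on aggregate thresholds, so ranking the alerts that never became events per device is what surfaces a single flooding sender that otherwise stays invisible.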