Investigate#
The Investigate views of the web interface provide access to Scrutinizer’s collaborative investigation and ML-powered forecasting functions (requires Plixer One Enterprise).
This section covers the Collections and Forecasts views and includes detailed guides for their associated functions.
Collections#
Collections are bundles of one or more alarms, events, and/or reports that are compiled and assigned to a specific user for further review and analysis.
Once created, a collection can be annotated and reassigned, allowing multiple users (e.g., NetOps and SecOps) to share workloads and collaborate in investigations.
Collections page#
The Collections page of the Investigate section lists all existing collections and is split into two tabs: Assigned to Me (current user) and Other Collections.
Along with each collection’s name, the table also shows the following details:
An indicator that shows the current active collection (green checkmark)
User who created the collection
Date and time the collection was created
Date and time the collection was assigned
User to whom the collection is currently assigned
Number of alarms, events, and/or reports that have been added to the collection
From the main Collections page, the following actions are available:
Viewing collections - Click on a collection’s name to open its summary page.
Deleting collections - Select one or more collections, and then click the Delete button.
Reassigning collections - Click the username under a collection’s Assigned User column to assign it to a different user.
Setting the active collection - Use the radio buttons to set/change the active collection. For additional information, see the subsection on managing collections.
Filtering options - Click the filter button to view available filtering options for the list.
Options - Click the gear icon to view the available options for the list.
Inspecting collections#
A collection’s summary page lists all alarms, events, and reports added to the collection as links that allow the user to drill down into each item. Annotations can be added to the summary page in threaded view using the Notes card.
In addition, the table also lists the following details for each item:
Type of item
Additional details, such as the number of individual events, hosts involved, or report type (click + to expand)
Date item was added to the collection
User who added the item
Any notes related to the alarm, event, or report added by users
Hint
When adding notes to a report item in a collection, the text field will be pre-populated with basic information about the report.
To remove items from the collection, select one or more items using their checkboxes, and then click the Delete button.
Collection management#
The collection management menu can be accessed from either of the following:
Alarm monitor view
Navigate to either Alarm Monitor > Policies or Alarm Monitor > Hosts tab.
In the Alarm Policy or Host list, hover over the star icon, and then select Manage Collections.
Current report view
Navigate to Reports > Run Report, and then create/run a new report.
After the report is run, hover over the star icon, and then select Manage Collections.
Creating a new collection
To create a new collection, click the Add New Collection (+) button, and then enter a unique name for the collection. Select a user to assign the collection to, and then click the + button to save the collection.
Note
The name and user fields must both be filled to create a new collection.
Once the collection has been successfully created, it will be added to the list in the management menu.
Setting the active collection
To set/change the current active collection, open the management menu, and then select the collection from the list. The green checkmark beside the collection name indicates that it is the current active collection. Only one collection can be set as active at a time.
The active collection can also be set from the main collections page.
Adding alarms, events, or reports to a collection
Click the star button to open the Manage Collections menu.
Click the button a second time (after it turns into an add (+) button).
This automatically adds the alarm, event, or report to the active collection.
To remove the item from the active collection, click the star button, and then click the button a second time (after it turns into a minus (-) button).
Forecasts#
When paired with the Plixer ML Engine, Scrutinizer is able to use the aggregated flow data of a specified report to generate forecasts of future network activity and/or resource utilization.
Important
Forecasts require an active Plixer One Enterprise license. To learn more about licensing options, contact Plixer Technical Support.
Generating Forecasts#
To generate a forecast, a report must first be run to define the scope of data for extrapolation.
The following data elements in a report will be used to generate the forecast:
Hosts
Data points
Time period covered
Filters applied
In the results/output, click the Forecast button, and then enter a name to save the new forecast under. The main Investigate > Forecasts page will automatically be displayed after the forecast is created.
Note
The amount of time it takes to generate a forecast varies, depending on the amount of data that needs to be processed.
Forecast horizon and seasonality customization
By default, Scrutinizer applies a recommended forecast horizon and seasonality based on the volume of data sampled in the report used.
To manually define the horizon and seasonality instead, the filename for the forecast should be formatted as follows:
[forecast_name] ? <horizon_integer> <time_unit> with [no|auto|null] season [<season_integer> <time_unit>]
Natural language is also supported, so a forecast titled:
VPN Usage ? for 3 months with a season of 14 days
will generate a forecast with projected values for 3 months (after the end of the report time range/window) and a seasonality of 14 days.
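The naming convention above can be checked before a forecast is submitted. The following parser is an added example, not Scrutinizer's own code: it reads the "?" separator and the clause order exactly as printed in the format string above, and assumes that the natural-language filler words "for", "a" and "of" are optional, that units may be singular or plural, and that a title without "?" means the recommended defaults apply.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed grammar, taken from the page's format string:
#   [forecast_name] ? <horizon_integer> <time_unit> with [no|auto|null] season [<season_integer> <time_unit>]
# Filler words ("for", "a", "of") and plural units are tolerated so that the
# natural-language form "VPN Usage ? for 3 months with a season of 14 days" also parses.
_DURATION = r"(\d+)\s*(minute|hour|day|week|month|year)s?"
_HORIZON_RE = re.compile(r"^(?:for\s+)?" + _DURATION + r"\b", re.IGNORECASE)
_SEASON_RE = re.compile(
    r"\bwith\s+(?:(no|auto|null)\s+season"
    r"|(?:a\s+)?season(?:ality)?\s+(?:of\s+)?" + _DURATION + r")\s*$",
    re.IGNORECASE,
)


@dataclass
class ForecastSpec:
    name: str
    horizon: Optional[int] = None        # None -> Scrutinizer's recommended horizon
    horizon_unit: Optional[str] = None
    season_mode: str = "auto"            # "auto", "no", "null" or "fixed"
    season: Optional[int] = None         # set only when season_mode == "fixed"
    season_unit: Optional[str] = None


def parse_forecast_title(title: str) -> ForecastSpec:
    """Split a forecast title into its name and any explicit horizon/season settings."""
    if "?" not in title:
        return ForecastSpec(name=title.strip())   # no customization: defaults apply
    name, _, spec = title.partition("?")
    result = ForecastSpec(name=name.strip())
    spec = spec.strip()
    m = _HORIZON_RE.match(spec)
    if not m:
        raise ValueError(f"expected '<integer> <time_unit>' after '?', got {spec!r}")
    result.horizon, result.horizon_unit = int(m.group(1)), m.group(2).lower()
    rest = spec[m.end():].strip()
    if rest:
        s = _SEASON_RE.match(rest)
        if not s:
            raise ValueError(f"unrecognised season clause {rest!r}")
        if s.group(1):                              # "with no|auto|null season"
            result.season_mode = s.group(1).lower()
        else:                                       # "with [a] season [of] N <unit>"
            result.season_mode = "fixed"
            result.season, result.season_unit = int(s.group(2)), s.group(3).lower()
    return result
```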
Viewing Forecasts#
All previously created/saved forecasts can be accessed from the Investigate > Forecasts page. Forecasts that are marked Complete under the Status column are ready to view.
Clicking on a forecast opens a detailed view with two sections:
Forecast timeline
The forecast timeline plots the data aggregated by the base report (solid lines) and shows the extrapolations (broken lines) up to the horizon of the forecast. Hovering over a line will show the upper and lower bounds of potential deviation (highlighted region), as well as additional details for the data element used to aggregate the data (hosts, applications, etc.).
The timeline can be viewed as either a line or step graph.
Inbound events
In addition to the timeline, the forecast details view includes a table listing the following information for each host, application, etc.:
Rank (based on the forecast’s calculated data)
Date and time when the calculated data is expected to reach the expected maximum value
Expected maximum value of the calculated data
Upper bound for deviation in the calculated data’s expected maximum
When applicable, the table links directly to the relevant Explore summary page for each element. The base report for the forecast can also be re-run at any time by clicking the View Report button.
Forecast management#
The main Investigate > Forecasts page can be used to access forecasts after they are created and includes the following details for each forecast:
ID number assigned to the forecast
Forecast name/filename
Name of the report used for the forecast (click to re-run)
Forecast creator
Current status of the forecast (Initializing -> Starting -> Data Retrieval -> Processing -> Strategy Selection -> Learning -> Prediction -> Complete)
Timestamp when the forecast became ready to view
In some cases, it may take up to several minutes for the Forecasting task to progress from Initializing to Complete.
Updating forecasts
Clicking the refresh icon reinitializes the forecast using the most up-to-date dataset for the base report’s time window/range settings.
Forecasts based on reports with a custom date and time range (i.e., not Last X) can also be refreshed, but this produces the same projections because the fixed range returns the same dataset. To obtain an updated forecast, re-run the report with adjusted date and time settings, and then generate a new forecast.
Deleting Forecasts
To delete one or more forecasts, select the forecasts using the checkboxes and then click the Delete button to permanently delete them.