Link by Cluster

You can combine the link and cluster capabilities to classify clusters for a specific field. You can identify the entities or entity types that have the most potential issues and see any patterns or anomalies across those entities.

Using clusters, you can analyze a large set of log records and identify potential issues. With the Link by Cluster capability, you can group the log records by clusters and identify potential issues based on your selection of the field for analysis. For example, if you want to group your clusters based on entity, entity type, or log source, then you can use link by cluster.

In the following example, the log records of Host (Linux) entity type are analyzed with link and cluster capabilities by including * | link 'Entity Type', cluster() in the query. The complete query used for analysis is:

* | link 'Entity Type', cluster() | where 'Potential Issue' != null | fields -'Potential Issue' | where Count = 45 and 'Entity Type' = literal("Host(Linux)"))

First, the cluster command is run on the search string, in this case *, which produces a field called Cluster Sample. This field is linked with entity type to group all the clusters by entity type. The where clause specifies to look only for Potential Issues. So now, we have all the potential issues grouped by entity type. As you can see in the bubble chart, there are about 45 potential issues of the Host (Linux) entity type.

The groups table displays the details of the cluster sample corresponding to the anomaly group. Note the log content of the cluster sample available in the table which is possibly the cause for the potential issue: detected unhandled Python exception.

Follow the link Analyze Potential Issues by Entity Type for the sample command to use in your environment. Click More for more sample commands that you can use:

  • Potential Issues by Entity
  • Potential Issue Outliers by Entity
  • Potential Issue Outliers by Entity Type
  • Potential Issues by Entity, Severity

In the Potential Issue Outliers sample, the query is similar to the example discussed but has another where clause added (where 'Potential Issue' != null and count = 1) to identify all the errors that have occurred just once over the time period. However, note that the cluster samples still show the variables but the variables shown in link cannot be drilled down into.

For more information about the link visualization and for the steps to access link from the Visualize panel, see Link Visualization.

Generate Alerts for Cluster Utilities

Using clusters, you can determine the potential issues and outliers in your log records. You can create alert rules that notify you upon detecting potential issues or outliers with the link by clusters feature.

  • Alert for Potential Issues: The query to detect potential issues by using the link by clusters command is as follows:

    * | link cluster() | where 'Potential Issue' != null
  • Alert for Outliers: An outlier in clusters is the one cluster that differs from the other clusters, and occurs in a rare scenario. So, a typical query to detect an outlier by using the link by clusters command is as follows:

    * | link cluster() | where Count = 1

    It is recommended that you define a longer interval to detect the outlier while creating the alert rule, for example, Every Day.

To the above query, you can add more filters / specifications to identify specific log sources, and to perform additional operations on the log records.

To create the alert rule, click the down arrow next to Save, and select Save As.

The dialog box to create the alert rule opens. In the alert rule dialog box, under condition type, select Fixed Threshold. Also, under Results, to get a notification for every detection of a potential issue or outlier, select the operator for greater than or equal to, warning threshold 0, and critical threshold 1.

You can save a maximum of 50 scheduled alerts.

For the remaining steps to create an alert rule, see Create An Alert Rule.