Unified Analytics Key Metrics
Unified Analytics leverages several key metrics to give you insight into your incident management workflows.
Unified Analytics uses standard reporting definitions, calculated fields, and dashboards to provide insight into your incident management workflows. Use the definitions below to gain an understanding of the metrics provided by the data in Unified Analytics.
In-Progress Rollout
Your organization may not be using this feature yet as it is rolling out to our BigPanda customers through a staged migration.
If your organization is still using the previous analytics, you can learn more about creating reports in the BigPanda Reporting documentation.
BigPanda University Training
Learn how to maximize your Unified Analytics dashboards with the BPU Unified Analytics Certification. Learn best practices and advanced dashboard management, and test your knowledge to receive the official BigPanda Unified Analytics Credly badge.
In order to start the course, you may need to register for or log in to BPU.
Calculation Tags in Unified Analytics
To calculate analytics in standard dashboards, BigPanda uses specific tag fields. Some of these tags do not appear in other areas of BigPanda.
bp_*tags are normalized versions of common tags such ashostorapplication. You may have these tags configured directly within alert enrichment, or they may have been created specifically for Unified Analytics.
bp_v_*tags are the calculation of two or more tags in BigPanda. These tags exist in Unified Analytics, but not in other areas of BigPanda.The decision about which BigPanda tags will be aggregated or normalized into calculation tags happens during the Unified Analytics onboarding process.
During Unified Analytics onboarding, make sure to clearly document which system tags are being used for analytics calculations within your organization.
Business Reporting Definitions
Unified Analytics uses standard fields and terminology to describe elements and stages of the incident management process.
BigPandaβs specific definition of these terms is based on industry standards and best practices to help you measure and track business and operational metrics.
| Term | Description |
|---|---|
| Business Segment | A business portion or unit that drives unique action or functionality. For example, a high level Business Unit, Team, Group, or Organization. Default fields for business segment include: bp_v_business_segment bp_group bp_assignment_group assignment_group |
| Business Category | A logical type of alert that can be connected to a meaningful function, service, or a recurring topic. This can be a function like infra, networking, application, etc. Or, a more technical alert category such as latency, load, etc. Default fields for business category include: bp_v_business_category bp_category alert_category |
| Config Item | An aggregated field used to capture the relevant configuration item. Default fields for config item includes: application bp_application service bp_service bp_v_config_item Custom fields along with the defaults can be set. |
| Actionable Incident | An incident that contains high quality alerts enriched with both technical and business context. Unified Analytics uses the following criteria to determine if an incident is actionable: - Incident was explicitly defined as actionable using bp_v_actionable tag - Incident was enriched with business context (using the bp_v_business_segment tag) - Incident was acted upon - Incident was not defined as noise (using the bp_v_alert_noise tag) The default field for actionable incidents is bp_v_actionable |
| Incident Outliers | When calculating MTTx metrics, a small number of incidents with very large times can significantly skew the total numbers. This field is used to filter out these incidents and normalize the MTTx measurement. By Default, Incident Outliers are excluded from specific calculations to provide more accurate results. You can use the BP Incident Outlier field to turn this on or off. Incidents are set as an outlier if: - The Assign time is over a day - The Engage time is over a day - The Resolution time is over a week |
| Mean Time to X (MTTx) | Mean Time to X (MTTx) measures the average time it takes to perform an action within BigPanda. MTTx metrics calculate the performance of your Incident Management team. Mean Time to Assign (MTTA) - The average amount of time it takes the IT Ops team to assign the incident. In BigPanda, MTTA is calculated based on the time until the assign action is used. Mean Time to Engage (MTTE) - The average amount of time it takes the IT Ops team to engage in handling the incident. In BigPanda, this is measured by the time it takes to perform an action other than assign. Mean Time to Fix (MTTF) - The average amount of time between engagement and resolution. In BigPanda, MTTF is automatically calculated from the time someone performs an action on the incident other than assign, to the resolution of the incident. Mean Time to Resolve (MTTR) - The average amount of time it took to get back to service. MTTR looks at the repair of alert symptoms as opposed to the complete resolution of the incident. In BigPanda, it is calculated from when the first event was received, to the resolution of the last alert. |
| Mean Time Between Failures (MTBF) | The average amount of time between failures. MTBF measures issue recurrence, or the time between when an incident is resolved and when/how often it reoccurs. |
| MTTR Volatility | Measures the consistency in the time it takes to resolve incidents. MTTR Volatility is measured based on the ratio between average MTTR and the median. |
| Compression Ratio | The percent of alerts that were correlated and deduplicated into incidents. |
| Enrichment Hit Rate | The percent of alerts that were enriched in BigPanda. |
| BigPanda Workload | The number of resolved incidents multiplied by MTTR. Measures the impact of BigPanda on the overall team efficiency. |
| Quarter over Quarter (QoQ) | Quarter over Quarter (QoQ) is the change from the previous quarter to the last quarter in the timeframe. If a timeframe has multiple quarters, the comparison will be from the last quarter in the timeframe to the previous one. If a timeframe has only one quarter, the comparison will be between that quarter and the one before it. |
| Alert Status | The current status of the alert. Possible alert statuses include Ok, Critical, or Warning. When alert status changes are counted, this includes the initial status. Changes to the OK or Resolved status are not counted. |
More BigPanda definitions can be found in the BigPanda Glossary.
To learn more about how to best understand and leverage these terms during reporting, check out the Unified Analytics Terminology guide in the BPU Unified Analytics Course.
Calculated Fields
The following dashboard fields are calculated within the cached data model:
| Term | Dashboard Field | Calculation |
|---|---|---|
| Incident Closure | BP Incident Closure | Based on actions, incidents are categorized as: Shared - The incident was manually shared Auto Shared - The incident was AutoShared Auto Resolved - The incident was resolved externally Missed - The incident resolved itself without intervention No Action - The incident was resolved manually with no other action Resolved in BP - The incident was resolved within BigPanda Still Open - The incident is still open |
| Incident Outliers | BP Incident Closure | Incidents are set as an outlier if: Assign time is over a day Engage time is over a day Resolution time is over a week If an incident isnβt an outlier, the setting is Valid |
| Resolution Bucket | BP Incident Resolution Bucket | Resolution buckets include the following: Still Open Under 5 min 5 - 30 min 30 - 60 min 1 - 4 hours 4 - 24 hours 1 - 7 days Over a week |
Alert Quality
BigPanda categorizes alert quality based on the amount of enrichment or context available.
The following alert quality categories are available:
Low Quality Alerts - Alerts that lack key information or which were identified as irrelevant or misconfigured. Low quality alerts do not meet the logic criteria for Medium or High Quality Alerts.
Medium Quality Alerts - An alert that contains the minimum level of information and technical context to support operator action. These alerts lack some valuable elements such as business context, dependencies, or resolution steps.
Medium Quality Alert Logic
The logic for defining medium quality alerts is CI AND Check.
The following categories and fields define medium alert quality:
| Category | Definition | Default Fields |
|---|---|---|
| CI | Configuration item. | normalized_host bp_application bp_service service bp_v_config_item |
| Check | Symptom of the problem. | normalized_check |
High Quality Alerts - Contains all important data needed for a team to triage and resolve the alert, with focus on business context.
High Quality Alert Logic
High Quality Alerts must meet the same criteria as Medium Quality Alerts. The additional logic for defining high quality alerts is Ownership & Routing AND Business Impact AND (Runbooks OR Dependency OR Enriched).
The following categories and fields define high alert quality:
| Category | Definition | Default Fields |
|---|---|---|
| Ownership & Routing | The relevant part of the business and/or team that should handle it. | bp_assignment_group assignment group bp_group bp_v_business_segment |
| Business Impact | The impact of the alert on the business. Can be priority level, application tiers, etc. | bp_priority priority bp_impact bp_urgency |
| Runbooks | Information about how the alert should be handled. | bp_runbook kb runbook_url |
| Dependency | Understanding of the services or application it impacts. | impacted_service bp_application application bp_service service |
| Enriched | If the alert was enriched or not. | enrichment enriched |
If you need to define a field outside of the defaults for an alert quality category, reach out to BigPanda Support and request a product change.
Next Steps
Learn how to Manage Unified Analytics Reports
Learn the basics of Viewing Unified Analytics
Learn how to navigate the Analytics tab
Updated 23 days ago