Unified Analytics Key Metrics
Unified Analytics uses standard reporting definitions, calculated fields, and dashboards to provide insight into your incident management workflows. Use the definitions below to gain an understanding of the metrics provided by the data in Unified Analytics.
Calculation tags in Unified Analytics
To calculate analytics in standard dashboards, BigPanda uses specific tag fields. Some of these tags do not appear in other areas of BigPanda.
bp_* tags are normalized versions of common tags such as host or application. You may have these tags configured directly within alert enrichment, or they may have been created specifically for Unified Analytics.
bp_v_* tags are the calculation of two or more tags in BigPanda. These tags exist in Unified Analytics, but not in other areas of BigPanda.
The decision about which BigPanda tags will be aggregated or normalized into calculation tags happens during the Unified Analytics onboarding process.
During Unified Analytics onboarding, make sure to clearly document which system tags are being used for analytics calculations within your organization.
BigPanda University training
Learn how to maximize your Unified Analytics dashboards with the BPU Unified Analytics Course. Learn best practices and advanced dashboard management, and test your knowledge to receive the official BigPanda Unified Analytics Credly badge.
To start the course, you may need to register for or log in to BPU.
Business Reporting Definitions
Unified Analytics uses standard fields and terminology to describe elements and stages of the incident management process.
BigPanda’s specific definition of these terms is based on industry standards and best practices to help you measure and track business and operational metrics.
For more information about the data tables available for reporting, see the Unified Analytics Reporting Data Tables documentation.
Term | Description |
|---|---|
Business Segment | A business portion or unit that drives unique action or functionality. For example, a high level Business Unit, Team, Group, or Organization. Default fields for business segment include: bp_v_business_segment bp_group bp_assignment_group assignment_group |
Business Category | A logical type of alert that can be connected to a meaningful function, service, or a recurring topic. This can be a function like infra, networking, application, etc. Or, a more technical alert category such as latency, load, etc. Default fields for business category include: bp_v_business_category bp_category alert_category |
Config Item | An aggregated field used to capture the relevant configuration item. Default fields for config item includes: application bp_application service bp_service bp_v_config_item Custom fields along with the defaults can be set. |
Actionable Incident | An incident that contains high-quality alerts enriched with both technical and business context. Unified Analytics uses the following criteria to determine if an incident is actionable: - Incident was explicitly defined as actionable using bp_v_actionable tag - Incident was enriched with business context (using the bp_v_business_segment tag) - Incident was acted upon - Incident was not defined as noise (using the bp_v_alert_noise tag) The default field for actionable incidents is bp_v_actionable |
Incident Outliers | When calculating MTTx metrics, a small number of incidents with very large times can significantly skew the total numbers. This field is used to filter out these incidents and normalize the MTTx measurement. By Default, Incident Outliers are excluded from specific calculations to provide more accurate results. You can use the BP Incident Outlier field to turn this on or off. Incidents are set as an outlier if: - The Assign time is over a day - The Engage time is over a day - The Resolution time is over a week |
Mean Time to X (MTTx) | Mean Time to X (MTTx) measures the average time it takes to perform an action within BigPanda. MTTx metrics calculate the performance of your Incident Management team. Mean Time to Assign (MTTA) - The average amount of time it takes the IT Ops team to assign the incident. In BigPanda, MTTA is calculated based on the time until the assign action is used. The calculation for MTTA is (First assigned time - Start time)/60. First assigned time comes from the activity_type assigned, and the time is from the created_time field. Mean Time to Engage (MTTE) - The average amount of time it takes the IT Ops team to engage in handling the incident. In BigPanda, this is measured by the time it takes to perform an action other than assign. Activities can include the activity_type comment, snooze, or share. The calculation for MTTE is (First activity time - Start time)/60. Mean Time to Fix (MTTF) - The average amount of time between engagement and resolution. In BigPanda, MTTF is automatically calculated from the time someone performs an action on the incident, to the resolution of the incident. The calculation for MTTF is MTTR - MTTE - MTTA (when the action is earlier than the resolution time). Mean Time to Resolve (MTTR) - The average amount of time it took to get back to service. MTTR looks at the repair of alert symptoms as opposed to the complete resolution of the incident. In BigPanda, it is calculated from when the first event was received, to the resolution of the last alert. The calculation for MTTR is (End time - Start time)/60. End time is the end_time from Raw Incidents and Start time is the start_time from Raw Incidents. |
Mean Time Between Failures (MTBF) | The average amount of time between failures. MTBF measures issue recurrence, or the time between when an incident is resolved and when/how often it reoccurs. |
MTTR Volatility | Measures the consistency in the time it takes to resolve incidents. MTTR Volatility is measured based on the ratio between average MTTR and the median. |
Compression Ratio | The percent of alerts that were correlated and deduplicated into incidents. |
Enrichment Hit Rate | The percent of alerts that were enriched in BigPanda. |
BigPanda Workload | The number of resolved incidents multiplied by MTTR. Measures the impact of BigPanda on the overall team efficiency. |
Quarter over Quarter (QoQ) | Quarter over Quarter (QoQ) is the change from the previous quarter to the last quarter in the timeframe. If a timeframe has multiple quarters, the comparison will be from the last quarter in the timeframe to the previous one. If a timeframe has only one quarter, the comparison will be between that quarter and the one before it. |
Alert Status | The current status of the alert. Possible alert statuses include Ok, Critical, or Warning. When alert status changes are counted, this includes the initial status. Changes to the OK or Resolved status are not counted. |
More BigPanda definitions can be found in the BigPanda Glossary.
To learn more about how to best understand and leverage these terms during reporting, check out the Unified Analytics Terminology guide in the BPU Unified Analytics Course.
Calculated Fields
The following dashboard fields are calculated within the cached data model:
Term | Dashboard Field | Calculation |
|---|---|---|
Incident Closure | BP Incident Closure | Based on actions, incidents are categorized as: Shared - The incident was manually shared Auto Shared - The incident was AutoShared Auto Resolved - The incident was resolved externally Missed - The incident resolved itself without intervention, no action was taken on the incident No Action - The incident was resolved manually in BigPanda with no other incident action taken Resolved in BP - Action was taken on the incident, and the incident was resolved within BigPanda Still Open - The incident is still open |
Incident Outliers | BP Incident Closure | Incidents are set as an outlier if: Assign time is over a day Engage time is over a day Resolution time is over a week If an incident isn’t an outlier, the setting is Valid |
Resolution Bucket | BP Incident Resolution Bucket | Resolution buckets include the following: Still Open Under 5 min 5 - 30 min 30 - 60 min 1 - 4 hours 4 - 24 hours 1 - 7 days Over a week |
Alert Quality
BigPanda categorizes alert quality based on the amount of enrichment or context available. The following alert quality categories are available:
Sending high quality alerts to BigPanda decreases MTTR by helping your team to easily understand the action needed to handle incidents.
BigPanda separates alerts by the following quality levels:
Low Quality Alerts - Lacks key information or was identified as irrelevant or misconfigured. Low quality alerts do not meet the logic criteria for Medium or High Quality Alerts.
Medium Quality Alerts - Contains the minimal technical context to support action on the alert. These alerts have just enough information to be valuable. Medium quality alerts must contain the following categories: (Host or CI) AND Check.
Medium quality alert logic
The logic for defining medium quality alerts is CI AND Check.
Category
Definition
Default Fields
CI
Configuration Item
normalized_host
bp_application
bp_service
service
bp_v_config_item
Check
Symptom of the problem
normalized_check
High Quality Alerts - Contains important data needed to triage and resolve the alert. High Quality alerts must contain the following categories: (Host or CI) AND Check AND Ownership & Routing AND Priority AND (Runbooks or Dependency or Enrichment).
High quality alert logic
High Quality Alerts must meet the same criteria as Medium Quality Alerts. The additional logic for defining high quality alerts is Ownership & Routing AND Business Impact AND (Runbooks OR Dependency OR Enriched).
The following categories and fields define high alert quality:
Category | Definition | Default Fields |
|---|---|---|
Ownership & Routing | The relevant part of the business and/or team that should handle it. | bp_assignment_group assignment group bp_group bp_v_business_segment |
Business Impact | The impact of the alert on the business. Can be priority level, application tiers, etc. | bp_priority priority bp_impact bp_urgency |
Runbooks | Information about how the alert should be handled. | bp_runbook kb runbook_url |
Dependency | Understanding of the services or application it impacts. | impacted_service bp_application application bp_service service |
Enriched | If the alert was enriched or not. | enrichment enriched |
Defining fields
If you need to define a field outside of the defaults for an alert quality category, reach out to BigPanda Support and request a product change.
Next Steps
Learn how to Manage Unified Analytics Reports
Learn the basics of Viewing Unified Analytics
Learn how to navigate the Analytics tab
Dive into potential reporting fields in Unified Analytics Reporting Tables. If your organization uses the Standard Data Model, you can find these tables in the Standard Data Model documentation.