VMware Aria Operations for Logs lets you manipulate the visual representation of events by using aggregation queries.
Aggregation queries consist of two attributes: a function and one or more groupings.
An aggregation query requires one function and at least one grouping. Groupings are an important part of content packs. Functions and groupings affect the way charts are displayed.
Chart displays are limited to the 2,000 most recent results.
By default, the overview chart in the Interactive Analysis page of VMware Aria Operations for Logs displays a count of events over time. If you use the count function in conjunction with the time series grouping, VMware Aria Operations for Logs creates a bar chart.
If you use the count function in conjunction with a single field grouping instead of time series, VMware Aria Operations for Logs creates bar charts with quantities listed from greatest to least.
All functions, except the count function, are mathematical. They require a field, against which you apply the equation. When performing a mathematical function on a field and grouping by time series, VMware Aria Operations for Logs creates a line chart.
By default, the overview chart on the Explore Logs page of VMware Aria Operations for Logs is a count of events over time. If you add one field to the time series grouping, then VMware Aria Operations for Logs creates a stacked chart.
If you group by time series plus a field, and you use any function except count, VMware Aria Operations for Logs creates a stacked line chart. Stacked charts are powerful when attempting to find anomalies for an object.
You must decide which type of stacked chart to use, based on the number of objects that the aggregation query might return. Displaying more objects requires more resources to parse and display the information. In addition, the number of colors is fixed, and distinguishing between objects might become challenging, depending on the number of returned objects. In general, the following best practices apply:
- If the number of returned objects in each bar is less than ten, then you might want to use stacked charts.
- If the number of returned objects in each bar is or could be between ten and twenty, then stacked charts could be good. You must consider the way to visually represent the chart in a content pack.
- If the number of returned objects in each bar is or could be greater than twenty, then stacked charts are discouraged.
If you create a grouping by using more than one field and time series, then VMware Aria Operations for Logs creates a multi-colored chart. The chart consists of two colors that interchange. Each interchange represents a new time range. Multi-colored charts can be hard to interpret, so consider the value of such a chart before including it in a content pack.
When you make a grouping by multiple fields, consider using non-time series. Removing time series makes the bar chart easier to understand.
If multiple fields are important in a given time range, then you can create multiple charts for each field individually over the time range. You can then display the charts in the same column of a dashboard group in a content pack.
Several other chart types are available, including pie, bubble, and table charts. To use these charts, a specific query type is required. If the option for these charts is available, then you already have the correct query. If the option for these charts is not available, hover over the chart name you want to use. A pop-up message describes the type of query required for the chart type.
When constructing an aggregation query, the message query should return only results relevant to the aggregation query. This makes analysis easier and ensures that the results show only relevant fields. To ensure the message query returns the same results as the aggregation query, you must add filters using the exists operator for each field that is used in the aggregation query.
Changing Chart Type
If you want to change the chart type of a widget on a dashboard, click the gear icon on the widget and select Edit Chart Type. If you want to change a widget type, save a new widget and delete the old widget.