Models configuration
First time execution
Go to Devo’s main menu and click on Applications > Service Operations. Please refer to the installation section if Service Operations does not appear in the list of available applications.
After the application’s initial loading process, you should see the Service Operations welcome section:
Service Operations manages two types of models: global and domain-specific. Typically, the first execution yields no domain models, and the application reports this status as shown in the previous screenshot. The following sections of this document explain the full procedure to create a new model, but at this point it is also possible to click on the Global maps tab and select one of the Devo-curated models that are available off the shelf. Please refer to the Global maps section of this documentation for more information on accessing and using global models.
Click on the Go to administration button. The administration section of Service Operations will be loaded and it will go straight into the models management section, listing all available models in the current domain:
Creating a new model
Creating models in Service Operations is a fairly iterative process. It commonly starts with sketching the general service or application model to monitor and how it breaks down into main building blocks, subsystems, and so forth, reaching the lowest level of detail with the atomic KPIs and/or KQIs that determine the operational, performance or business-related status of the entities they affect. Once that rough design of the service model is done, translating it into actual entities and relationships in Service Operations becomes a far simpler task. As a general recommendation, work with two browser tabs simultaneously: the first one to navigate and perform the actual configuration in Service Operations, and the second one to run and refine any queries needed for the model.
Please follow the steps specified in the next section to complete the creation of a new model:
- Go to the administration interface by clicking on the config icon in the Service Operations main menu.
- Click on Manage models under the Models main section on the left menu. A list of all available maps in the domain and their associated categories will be shown:
- Click on the Create new model button. The interface changes to the model editing mode, showing a blank configuration for the newly created one.
- Once there, use the following controls to configure the new map:
  - Collapse the left menu (button 1 in the image): hides the main menu of the administration module.
  - Contextual editing tools: Add entity "+", etc. (button 2 in the image): addition, cloning or deletion of entities in the model. Since it is a context-based tool, the number of active options varies depending on the entity selected in the map.
  - General map settings (beside button 3, "Publish", in the image): shows or hides the general configuration parameters of the model.
Creating entities
Click on the "+" button to add a new entity to the model. A form will be shown with all necessary parameters to be set in order to create the new entity:
Entity definition section
Parameter | Description | Value type |
---|---|---|
Auto mode | Overall behavior of the entity in terms of its status calculation. When auto mode is off, the value of the entity is retrieved from the result of the query defined for it. When auto mode is on, that query result is ignored and the status is overridden with the warning and critical status definitions specified below. | Enabled / disabled |
Name | Name of the entity | Text string |
Description | Textual description of the entity | Text string |
Icon | Graphical representation of the entity | Icon of the Devo icons list |
Family group | Logical group the entity belongs to | Text string |
Query | LinQ-format Devo query used to calculate the numeric value of the entity. The numeric value assumed by the entity will correspond to the last ‘select’ clause in the query | Query in LinQ format |
Discovery key (Component value) | Column value used to identify all entity instances | Single value from the last grouping key of the specified Devo query |
Inventory query | LinQ-format Devo query used to retrieve the inventory information referred to the same entity. | Query in LinQ format |
Critical status definition | List of status criteria that correspond to ‘critical’ status for a summary entity | Criteria from a list |
Warning status definition | List of status criteria that correspond to ‘warning’ status for a summary entity | Criteria from a list |
Metadata section
Parameter | Description | Value type |
---|---|---|
Type | Main category that defines the entity being modeled. Some of the entity types are utilized for automatic calculations of service metrics and incidents. For example, the ‘KPI’ type is reserved for any fundamental entity that monitors a concrete metric affecting its parent node. Additionally, types ‘user’, ‘session’ and ‘device’ are utilized by the User Experience module to automatically compose the status of the service from an end-user perspective. | List of predefined values |
Subtype | Subtype of the entity, more oriented to the environment or purpose it is defined for, e.g., business-specific, operational, etc. | List of predefined values or custom string |
Additional metadata fields | Customizable data fields per entity that can hold any sort of additional information or parameters. Typically, these metadata fields are utilized as filtering criteria together with ‘type’ and ‘subtype’. Metadata fields are configured as key/value pairs. The key is defined as a string, whereas the value has two different possibilities: static value (treated as another string) or a query | Key, value pairs, composed by string + string or string + LinQ query |
Impact assessment section
Parameter | Description | Value type |
---|---|---|
Issue symptoms | Textual information that provides guidance on the best way to understand or diagnose an incident whenever it occurs | Text string |
Next best actions | Textual information listing the steps that could be taken to fix or mitigate the impact of an incident. | Multiple text strings |
Impact evaluation definition | Query that is triggered any time an incident affects the corresponding entity, to calculate the number of entities directly affected by it. For example, if an entity definition models the operational status of a web server, the impact evaluation query could be defined to calculate the subset of client hosts that have received an HTTP 500 code as a result of any connection request. | LinQ query |
Impact evaluation unit | Description or unit of the entities affected by an incident (e.g., “end-users”, “network nodes”) | String |
Linking entities
To link two already-created entities use the following procedure:
- Click on the source entity. The entity will be shown highlighted in the model, and an icon will be displayed in the upper part of the node.
- Click on that icon, keep the mouse button pressed down, and start dragging the arrow towards its destination.
- Release the mouse button when the arrow is pointing at the border of the targeted entity.
NOTE: Remember the relationship you are establishing is based upon impact. That means, links should be read as ‘source entity impacts the status of the targeted entity’.
Linking entities using link criteria
The mechanism described in the previous section is the standard way to link entities, and it links them in an all-to-all way. This means the following results are to be expected when linking entities using that approach:
Cardinality of source entity | Cardinality of target entity | Expected result |
---|---|---|
One (e.g., no discovery key defined or only one entity value discovered) | One | The established link is rendered as a one-to-one relationship |
One | Many (e.g., a discovery key has been defined and there are multiple discovered entities) | Single one-to-one links are rendered, one per discovered target entity |
Many | One | Single one-to-one links are rendered, one per discovered source entity |
Many | Many | Full all-to-all relationships mesh |
In some situations, though, it is necessary to link sources and targets based upon some criteria. In that case, it is possible to set link criteria to ensure that only the matching links are created.
The procedure to observe is as follows:
- Create a link between two different entities using the procedure described in the previous section.
- Click on the link (arrow). A form will be displayed on the right-hand side of the screen with two options:
- Use the dropdown selectors to set the link criteria between the two entities. Service Operations will list all grouping keys defined in both the source and target entities' value calculation queries. This should be interpreted as follows: “link the entities whose value in the ‘from’ column matches exactly the value of the ‘to’ column".
- Click apply. The link criteria are established and displayed in textual form on top of the arrow between the two linked entities.
NOTE: By definition, only those entities with grouping keys in their value calculation definition can be linked using this mechanism. If Service Operations cannot retrieve the grouping keys for both queries, a message in the same form will be displayed informing of this situation.
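The cardinality rules in the table above and the link criteria described in this section, worked through as an added Python illustration (this is not Devo code: the column names, the sample query result rows and the way discovered instances are represented are constructed assumptions for the example):

```python
"""Constructed illustration of how entity instances get linked in a model.

An entity's instances are taken to be the distinct combinations of grouping-key
values in its value query results; the discovery key is the last grouping key.
"""
from itertools import product

# Constructed sample rows, as an entity's value query might return them.
# Column names are placeholders, not the names of any real Devo table column.
WEB_ROWS = [
    {"site": "shop", "serverHost": "web-01", "errors5xx": 3},
    {"site": "shop", "serverHost": "web-01", "errors5xx": 5},  # same instance, later period
    {"site": "shop", "serverHost": "web-02", "errors5xx": 0},
    {"site": "blog", "serverHost": "web-03", "errors5xx": 1},
]
DB_ROWS = [
    {"site": "shop", "dbHost": "db-01", "slowQueries": 12},
    {"site": "blog", "dbHost": "db-02", "slowQueries": 0},
]


def discovered_instances(rows, grouping_keys=()):
    """Return one instance per distinct combination of grouping-key values.

    With no grouping keys the entity has exactly one instance, which is the
    "One" case of the cardinality table.
    """
    if not grouping_keys:
        return [{}]
    seen = {}
    for row in rows:
        instance = {key: row[key] for key in grouping_keys}
        seen[tuple(instance.values())] = instance  # duplicates collapse
    return list(seen.values())


def relationship_kind(n_sources, n_targets):
    """Name the rendered relationship as the cardinality table describes it."""
    if n_sources == 1 and n_targets == 1:
        return "one-to-one"
    if n_sources == 1:
        return "one-to-many (one link per discovered target)"
    if n_targets == 1:
        return "many-to-one (one link per discovered source)"
    return "all-to-all mesh"


def link_entities(source_rows, target_rows, source_keys=(), target_keys=(),
                  criterion=None):
    """Return (source_instance, target_instance) pairs for a source -> target link.

    criterion is an optional (from_column, to_column) pair: only pairs whose
    from_column value equals the target's to_column value are linked. Both
    columns must be grouping keys of the respective value queries, otherwise
    no link criteria can be applied (the note above).
    """
    sources = discovered_instances(source_rows, source_keys)
    targets = discovered_instances(target_rows, target_keys)
    if criterion is None:
        return list(product(sources, targets))  # all-to-all
    from_col, to_col = criterion
    if from_col not in source_keys or to_col not in target_keys:
        raise ValueError("link criteria require grouping keys on both entities")
    return [(s, t) for s, t in product(sources, targets) if s[from_col] == t[to_col]]


if __name__ == "__main__":
    web_keys, db_keys = ("site", "serverHost"), ("site", "dbHost")
    mesh = link_entities(WEB_ROWS, DB_ROWS, web_keys, db_keys)
    print(relationship_kind(3, 2), "->", len(mesh), "links")
    for s, t in link_entities(WEB_ROWS, DB_ROWS, web_keys, db_keys, ("site", "site")):
        print(f"{s['serverHost']} impacts {t['dbHost']} (site={s['site']})")
```

Without criteria the three discovered web servers and two databases produce a six-link mesh; with the criterion site → site only the three same-site links remain, and asking for a criterion on an entity that has no grouping keys is rejected, as the note above describes.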
Setting the general configuration for the model
These settings describe the general characteristics and structure of a model. Among other things, they configure the overall behavior of Service Operations, mainly by enabling or disabling its main functional modules. Ancillary configurations, such as the predefined analysis time range, are also performed in this block:
Parameter | Description | Value type |
---|---|---|
Model name | Name of the model | Text string |
Model icon | Icon used to describe the model in a visual way | Uploaded filename / URL |
Category | Logical group the model belongs to | Selectable or custom category text string |
Subcategory | Logical subgroup the entity belongs to | Selectable or custom subcategory text string |
Time range | Default time window utilized to report the status of the different entities and metrics | Selectable numeric value and unit (e.g., 24 - hours) |
Level - N name | Descriptive name of the N-level in the hierarchy | Text string |
Inventory query | LinQ-format Devo query used to retrieve the inventory information referred to the same entity. | Query in LinQ format |
Visual theme | Application visualization theme or visual skin | Light / Dark |
Accent color | Main application color for visual components and texts | RGB coded in hexadecimal (#XXYYZZ) |
PDF report title | File name of the .pdf reports | Text string |
PDF logo | Image file attached to the .pdf report as corporate logo | Uploaded filename / URL |
Configuration subsections for Topology map
Parameter | Description | Value type |
---|---|---|
Enabled | Status of the module | Enabled / Disabled |
Order in main menu | Location in Service Operations main menu | Integer within 1 to 10 interval. 1 = first item in Service Operations main menu (left), 10 = last item (right) |
Layout | Default layout schema applied to the nodes visualization in the map | Hierarchy, Radial, Standard, Sequential, Organic, Structural, Lens |
Orientation | Default layout orientation | Left to right, Right to left, Top to bottom, Bottom to top |
Background image | Background image applied to the model | Uploaded filename / URL |
Background image position | Rendering options for the background image | Contain / Cover / Center |
Status panel | Availability of the status tiles panel | Enabled / Disabled |
Status panel expanded | Show the status panel by default when accessing the topology map | Enabled / Disabled |
Configuration subsections for Incidents viewer, Monitors, Incidents diagnostics, Traffic viewer, Alerts and Workflows, User Experience
Parameter | Description | Value type |
---|---|---|
Enabled | Status of the module | Enabled / Disabled |
Order in main menu | Location in Service Operations main menu | Integer within 1 to 10 interval. 1 = first item in Service Operations main menu (left), 10 = last item (right) |
Administration of models
Under the Manage models section of the Service Operations administration section it is possible to:
- List or filter models based upon their category.
- Perform the following actions on a model:
  - Edit: go to the editing section with the selected model.
  - Copy / clone: create a new model using the selected one as a template.
  - Delete: erase the selected model.
Administration from the editing section
There are a number of additional options for the management of models, accessible through the general settings menu in the editing section:
- Combine model: adds the entity and node definitions of another existing model to the current one.
- Rename / copy: creates a copy of the current model.
- Delete: erases the current model.