With event types you can summarize events and get automatic schema discovery. However, what happens if you want to compare event types over time? That is where event trends comes in. Event trends is another tab on the Interactive Analytics (IA) page.
When you select this option you see event types compared over different time ranges.
The colorization tells you if event types are happening more frequently, about the same or less frequently than in previous time ranges. One limitation with event trends was that the time ranges the event types were compared against could not be defined. This meant it was easy to troubleshoot and perform root cause analysis on real-time issues (even after the fact) if you knew what time range to look over, but it could not assist with dynamic time ranges (more on this later).
So you might be wondering what I meant earlier about dynamic time ranges. Let me give you a specific example. Let’s say you have a backup window every day from 3-4am. Yesterday you had a backup failure and you want to look into the logs. You can easily search for events between 3-4am; however, previously event trends would automatically compare the time range for your query (e.g. 3-4am) against the time ranges before it (e.g. 2-3am). In this particular example, such an analysis is meaningless because you are not running backups between 2-3am, so the event types will very likely be different. What you would really like to know is whether the backup window yesterday was any different from the backup window the day before. With the event trends time range this is now possible!
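The backup-window comparison above can be sketched outside the product. This is an added example, not Log Insight code: the sample log lines are constructed, all function names are hypothetical, and `event_type` masks variable tokens as a simplified stand-in for Log Insight's own event type detection.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not from the original post): a 3-4am backup
# window on two consecutive days, plus the 2-3am hour before yesterday's window.
SAMPLE = """\
2015-03-01T03:00:05 backup job 101 started
2015-03-01T03:40:10 backup job 101 completed in 2405s
2015-03-02T02:15:00 cron session opened for user root
2015-03-02T03:00:04 backup job 102 started
2015-03-02T03:05:30 backup job 102 failed: target 10.0.0.5 unreachable
2015-03-02T03:05:31 backup job 102 retry 1
2015-03-02T03:10:31 backup job 102 retry 2
"""

def event_type(message):
    """Assumed simplification: mask IPs and numbers to get an event type."""
    message = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<ip>", message)
    return re.sub(r"\d+", "<n>", message)

def counts(text, start, end):
    """Count event types whose timestamp falls in [start, end)."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    c = Counter()
    for line in text.splitlines():
        ts, _, msg = line.partition(" ")
        if lo <= datetime.fromisoformat(ts) < hi:
            c[event_type(msg)] += 1
    return c

def trends(text, query, baseline):
    """Label each event type as more/same/less frequent in query vs baseline."""
    q, b = counts(text, *query), counts(text, *baseline)
    out = {}
    for et in sorted(set(q) | set(b)):
        out[et] = "more" if q[et] > b[et] else "less" if q[et] < b[et] else "same"
    return out

YESTERDAY = ("2015-03-02T03:00:00", "2015-03-02T04:00:00")
PREV_HOUR = ("2015-03-02T02:00:00", "2015-03-02T03:00:00")   # adjacent range
DAY_BEFORE = ("2015-03-01T03:00:00", "2015-03-01T04:00:00")  # same window, prior day

if __name__ == "__main__":
    for name, base in (("previous hour", PREV_HOUR), ("day before", DAY_BEFORE)):
        print("vs", name)
        for et, t in trends(SAMPLE, YESTERDAY, base).items():
            print(f"  {t:4}  {et}")
```

Against the previous hour every backup event type shows as "more", which says nothing about the failure; against the day before, only the failure and retry types stand out and the missing completion shows as "less".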
As you can see, event trends is a powerful, built-in capability of Log Insight. Now that a time range can be specified with event trends, the functionality is even more powerful. Do you use event trends today? What issues have you found?
© 2015, Steve Flanders. All rights reserved.