- Source View Concept
- Using the Source View
- Source View - Overview Tab
- Compare with Function
- Source View - Properties Tab
- Compare with and Properties Tab
1. Source View Concept
The source view is, as its name indicates, a view dedicated to a particular source. It displays the most important characteristics and several metrics of the said source on a daily basis. The source view is mainly targeted at support teams which can have, at a glance, the necessary information to potentially identify, locate and start to address an issue reported on a computer. The content of the view can be customized via definition of alerts and services to help target specific issues.
2. Using the Source View
To open the source view, you simply right-click on a source (e.g. from an Investigation) and select Display source view (shortcut: double-click on the source).
Selecting a Source to view its associated records (in this case for the computer 'NXT-L16')
The source view for the selected device is then displayed in a window with key information at the top (Source Name, Last IP address, Last Windows boot, and Last seen) plus two tab views below (Overview and Properties), with the Overview tab initially displayed.
2.1. Source View - Overview Tab
The Overview tab provides, at a glance, essential information on the health of the source over the last 3 days (initial view). You can quickly identify if the computer has generated any alerts, experienced any errors, flagged any warnings, had new software installed, had some services experiencing difficulties, etcetera. The view can be refreshed by clicking on the refresh icon at the top right of the frame.
Source View Overview Tab for computer NXT-L16
As can be seen above, the Overview report is divided vertically into categories, with a list of items under each category heading. Each item may have a [+] icon, indicating it can be expanded for more information, an item description, a total count column appropriate to the category and a display along a time axis of category performance. As you hover your mouse pointer in the performance over time field, a marker appears in the time axis at the top of the frame, indicating the time associated with the mouse pointer.
Note: At the bottom of the Overview tab, we show when users were active on a source (obfuscated in the above screenshot). For privacy reasons this feature can be disabled in the appliance configuration as described in this FAQ: FAQ/Engine FAQ#How_do_I_anonymize_user_information_in_Engine?
2.1.1. Showing alerts
To see summary information about an alert or alerts at a given time, hover over the alert(s). For additional detail, right-click on the alert. This provides you with a context menu on which you can click to run an investigation.
Show Alert context menu generated by a right click on the alert field. Click on this to run an investigation
For multiple alerts, right-click on the alert and select the appropriate alert from the context menu.
Show Alert context menu generated by a right click on the alert field. Click on the appropriate alert to run an investigation
2.1.2. Changing the view period in the Overview Tab
Change the view period in the Overview Tab by using the home and zoom in/out controls
The number of days shown in the Overview tab depends on the window sizing and zoom settings and can be toggled between 3 days (initial view) and one week by using the zoom in/out controls. Clicking on (+) zooms in (shortcut: Enter) and clicking on (-) zooms out (shortcut: Backspace). The zoom tools change in lightness to show whether they can be used. In the screenshot above, it is only possible to zoom out.
You can zoom-in down to a scale of 2 seconds. First select a region in the timeline before you zoom in. Click and drag your mouse below the time axis anywhere in the overview display to select your area of interest, which is shown by light shading as shown below, then press the Enter key.
The time between 13.11.2011 00:00 and 13.11.2011 04:00 has been selected, enabling the user to zoom in on this period
As you zoom in, activity counts displayed in light blue circles will resolve into individual activities provided they are not time-coincident.
Eventually, activities that extend over a time period will resolve into the normal presentation as shown below.
To move the source view back and forward by the viewing period, click on the back and forward arrows in the time zone at the top of the Source Overview tab. By this means you can look at the performance of the source anywhere within the entire available period. You can also navigate to a specific date by clicking and dragging in the time scale zone area with your mouse. The mouse cursor changes to a double ended arrow and the dates move backwards and forwards to enable you to stop when you have reached the date of interest. Click on the Home icon at the top right of the Overview frame to return to the initial time.
Tip: By holding down the spacebar before using the mouse, you can drag the timeline while having the mouse positioned at any point in the timeline (i.e. not just on the time axis).
2.1.3. Drilling Down in the Overview Tab
Hovering over items in the Overview display provides additional detail, in this case the red circle indicates a serious error - an application crash
Hovering over the row item description provides additional information. If the text is light blue, then a tooltip will be displayed, provided one is available. In the activity row associated with an Overview category for a continuous process, the colour and colour's brightness provide a metric of performance over time. Where discrete events are recorded (for example binary installations), the number of events that have occurred in the viewed time period are shown in a circle - again with the circle colour indicating the severity. Hovering over the circle provides a list of events that have occurred in the associated time period. If you require more details or if there are more than can be displayed in the tooltip, double-click on the circle to generate an Investigation.
You are warned if there is more information than can be included in the tooltip
If the tooltip can't list all the events that have happened, a warning is provided at the bottom of the tooltip as shown above. You can always double click on the event and an appropriate investigation is launched providing you with more information. In the above example, 25 new binaries were installed on the source between 10:57:30 and 11:12:59 on the 6th of November, but only 9 of the 16 installations are listed in the tooltip. Double-clicking generates the report below, which provides a full listing of all the executables installed in that period.
Double clicking on an incident report generates an Investigation, providing greater detail plus access to concurrent Network and Local activity reports
2.1.4. Contextual Options with the Overview Tab
2.1.4.1. Exporting the Overview information into a Table
Should you require the information displayed in the Overview tab in a text format, you can export it in a table format for pasting into a text document or spreadsheet, perhaps for use in a report, or for further analysis.
Exporting the information in the Overview area is possible via a right-click
2.1.4.2. Investigating Errors and Warnings
Source View provides the same investigation support for Errors and Warnings. While hovering over an error or warning provides a summary of the reason for the error or warning, right-clicking enables the user to investigate similar events on the same computer, with the same application(s), within the same domain or other domains, et cetera.
Hovering over an error provides a summary of the error causing applications
After right-clicking on an error or warning, the busy icon is displayed for a few seconds, after which a range of context-sensitive options are presented to the user to aid in further investigations.
Right clicking on an error results in the busy icon for a few seconds followed by a context sensitive menu with multiple options
- After a few seconds, you can drill down to events, look at recent occurrences of the same event (either on the same computer or in the same domain) and limit your investigation to the same executable(s) or widen it to any executable.
- The above screenshots show the process for errors. Warnings can be investigated in the same way, as illustrated below.
Hovering over a Warning provides the reason for the warning along with additional details
Right-clicking enables you to find other computers recently experiencing the same problem(s) or recent incidences on the same computer
2.1.5. Service Activity for a Specific Source
By viewing the Mail Clients service, we can see from the red shading that there was a mail delivery performance issue. Hovering over the problem area shows that between 13:00 and 14:00, availability was only 71%.
Hovering over a problem area provides a tooltip giving further details
Double clicking on the problem area opens an Investigation in Network Activity view.
Investigation into Mail Connectivity issue - Network Investigation showing connections
The Network Investigation opens in the traffic in & out view, which doesn't help us. By switching to the connections (or failed connections) view, we can see in red when the failed connections occurred.
Investigation into Mail Connectivity issue - Network View options
Using the icons at the top right of the Investigations Network View, you can move the timeframe, save, edit or refresh the investigation (top row) and zoom in/out or switch to a full screen view (bottom row).
Investigation into Mail Connectivity issue - List View (partially displayed)
Switching to the List view shows that at 13:06:41, 6 attempts to connect to the host were unsuccessful.
2.1.6. Customizing the Overview Tab
The Overview tab contents are customizable elsewhere in Finder by creating Alerts and Services that will be displayed when relevant. Note that Alerts and Services are only displayed if they are relevant to the selected source.
2.2. Compare with Function
Above the top right of both the Overview and Properties Tab, there is a dynamic comparison feature which enables you to compare the performance of your selected computer against others, thus assisting with the diagnostic process.
Compare with function located above Overview and Properties tabs
The Compare with options vary depending on the context and available categories and are selectable to further filter and compare the attributes and performance of a computer against others in the fleet.
The categories visible at the bottom left of the Properties tab dictate the options available to the Compare with function
Comparison groups are defined by categories which are extended by tagging. In the above screenshot, we see that available categories for comparison by the "sources with category" field are OS, RAM, Domain, Non standard OS version and Locations. By changing from "sources with category" Domains to "sources with category" OS, and if we retain the "any keyword", we are given the option of selecting from the range of Operating Systems in the computer fleet.
Changing the Compare with function to compare with different Operating Systems
If you change "any keyword" to the alternative "and same keyword", you are limited to the same category as your current computer.
Compare with - same keyword vs and keyword
By changing the "and same keyword" phrase in the above Compare with option to "and keyword", we are given the option of reducing the scope of our investigation into a range of sub-groups, which includes those created by tagging. In this instance, we have divided our computer fleet into location groupings. This enables us to compare the level of warning or error incidences at Lausanne with those at Zurich.
Changing the Compare with options from "and same keyword" to "and keyword" enables you to widen your investigation - for example compare performance at different sites
We can now look at similar events in another domain
2.2.1. Tagging and the Compare with Function
Creating custom groups by tagging objects (see doc/4.0.0/WorkingWithFinder/Organize/Categories/TaggingObjects) extends the available categories for investigation. For example, tagging enables you to divide your computer fleet into departments, locations or other smaller logical groupings, thus providing you with additional groups which you can access for investigation by changing the Compare with options.
2.3. Source View - Properties Tab
Clicking on the Properties tab provides a summary of hardware and other useful information for the selected computer.
Source View Properties Tab for NXT-L16
Generating a Comparative Inventory Plot
You can toggle between the Properties and Comparative Inventory Plot views by clicking on the plot icon, or close the plot view by clicking on the close (x) icon in the top right of the frame. Double-click on a bar to show the detailed list of sources belonging to that category. The comparison group is defined by the controls at the top right of the source view header.
Generating an Investigation from the Pareto plot of Hardware Model - Computer model yellow bar
Double clicking on a bar from the Pareto plot will run an Investigation and return a list of sources that are included in that bar count along with their properties. By this means you can find similar machines, or machines that are similar except for one parameter, e.g. RAM or Operating System, to help with your diagnosis. The above listing was generated by clicking on the yellow plot for computer models 27658JG. From it you've discovered that while all 3 laptops are running Windows 7, they all differ in OS version or Service Pack level. Perhaps the reported fault coincided with the upgrade to SP1? You might want to go back to the Overview tab and check the new binary item under the Activity category to see when Service Pack 1 was installed and whether the reported problem only occurred after that date.
Close the investigation to return to the Properties view, from which you can run further Investigations.
2.4. Compare with and Properties Tab
The population of computers used to generate the plots shown on the Properties tab is controlled by the Compare with filtering. In the screenshot below, because we have Compare with "all sources", the entire population is plotted. The comparison computer, NXT-L15, is included in the 8GB RAM group, as indicated by the yellow colouring of this bar.
Source View with all sources included - per the Compare with settings
If we change the Compare with category to "sources with category" RAM and use the "and same keyword" setting, the plots only include RAM that falls in the same category as the reference computer, in this case, over 3GB. We are shown a reduced subset of computers, with the category our computer falls into highlighted in yellow as usual.
Source View of Sources with RAM in same category as our reference computer
Any changes to the Compare with filters result in the plots being immediately regenerated in accordance with the new selection criteria. If we change the "and same keyword" to "and keyword" and select, in this case, (up to 1GB) from the available categories, we get the result shown below. Note that this selection excludes our reference computer, which has 8GB RAM; it is nevertheless still shown in the plot in the yellow bar, this time with a count of 1.
Source View Sources with Category RAM and keyword up to 1GB, showing our computer (in yellow) outside of plot range