I want to know the exact (event logs) count for a particular metakey-value.
Now, as per my understanding for the 'Event Outcome' metakey, the (event logs) count for the 'failure' metavalue is 37,003 events.
The (event logs) count for the 'success' metavalue has reached the threshold of 100,000 events. I'm not sure what the -73% means, although as per the document it has something to do with load time. Can somebody please elaborate? The document explanation isn't satisfactory.
Also, if the 100,000 events threshold has been reached - how do I know what the exact (event logs) count is?
So, basically if I need to know the exact count of event logs streaming in within 1 hour - how do I know so, if the count shows (>100000 - 73%)?
Visham,
What you are experiencing is a common question asked by many customers. When you see any meta key say (>100,000 - xx%) this is telling you that 100,000 is XX% of the total values for that blue meta value. In your case you are seeing that the value of Success contains more than 100,000 values and that 100,000 values is 73% of the total values for Success within the time frame you are searching. If you do the math the actual total for the time frame you are searching is about 136,986 actual values for Success. 73% of 136,986 is 100,000. Netwitness does this percentage when it reaches a certain threshold set in the product. It does this to speed up returned results when doing Investigations so it isn't churning through large number of results while you are waiting for the screen to refresh.
You can change this threshold per person within the Investigation window itself. You would go into the Investigation area. Click on the Settings button at the right end of the action bar, you may need to click on the >> or .. to see the Settings button.
In the image above you would adjust the option in yellow. It is the threshold used when determining where to stop looking at the actual values and provide a percentage. I highly suggest not adjusting this threshold up to high as it can cause performance issues within the Investigation page.
When you see meta values with these percentages it is highly suggested to use other meta values to help focus your search which should help bring these numbers down to a more reasonable value so that it is under the threshold and you get an accurate count within Investigation.
Please note that this threshold does not apply to items generated by reports. This mechanism is primarily there to allow the Investigation page to load faster while giving you an idea of how many results exist for that value.
For your scenario if you are looking for a 100% accurate count I would use a report, or use smaller time frames until you get a value under 100,000 within each time frame. Once you have that you can manually add the numbers together for the total time frame you are looking for. As you can see that can be cumbersome, that is why I highly suggest going the report method.
I hope this helps to answer your question.
