Incidents Pane
    • Dark
      Light
    • PDF

    Incidents Pane

    • Dark
      Light
    • PDF

    Article summary

    The ControlUp Incidents Pane is a viewer for incidents that were recorded in your organization based on incident triggers. In this pane, you can investigate incidents retrospectively, such as changes in Stress Levels, user activity, Windows Events, and more. Every incident is recorded based on a trigger configured in ControlUp, either manually or with the help of ControlUp Hybrid Cloud Analytics, generates an incident whenever its conditions are met.

    You can configure follow-up actions (e.g. send an email alert) but ControlUp will always store the incident in a database to be accessed later. For trending analysis and troubleshooting purposes, the Incidents Pane is where you can search, sort, and group all incidents.

    A few important clarifications for an easy start with the Incidents Pane:

    • The Incidents Pane is not available offline. Offline users of ControlUp will see the Incidents Pane button as greyed out (this will also happen briefly following Fast Login).
    • Triggers are configured using the Triggers Settings window. That’s the place where you can control which incidents will be recorded by ControlUp.
    • The Incidents Pane is read-only and intended for viewing the incidents and performing data analysis by filtering, sorting and grouping data.
    • The default retention period for incidents is 14 days and every organization is limited to 1000 incidents per day by default. Contact our support team at support@controlup.com if these are not enough for your organization.
    • Incidents are stored securely using ControlUp Hybrid Cloud Services, subject to ControlUp privacy policy.

    Searching and Filtering the Incidents Grid

    Here are some ways in which you can use the incidents grid in order to locate interesting data:

    • The Filter / Search box locates incident records by searching all data fields (try computer names, user names or any other strings that might appear in the incidents, like parts of a Windows Event text).
    • Each row in this grid can be double-clicked to focus on a specific incident type. You can always come back to the home page by clicking on the Home button or by clicking on Back (<) on the navigation bar.
    • The time range slider can be adjusted to display events that happened during a specified time range.
    • Click a folder or a computer in the organization tree to show incidents for that folder or computer.

    All of the filtering options above instantly affect the information grid, causing it to recalculate the distributions. If the grid is filtered by any of those methods, the navigation bar will be highlighted in orange until all filters are cleared.

    The Incidents Home Page

    The Incidents home page is an information grid showing all available incident categories, along with their distribution over time. Its purpose is to provide a summary of incident history in your ControlUp organization. Every row in this grid represents a distinct incident category, like Computer Stress or Windows Event. Events are separated into these categories because every category has a distinct set of data fields. For example, a Computer Stress incident cannot be displayed in the same table as a Session State Changed incident since they do not have the same properties.

    The Incidents home page includes the following columns:

    • Graph column – shows the relative distribution of every event type over time, during the retention period (14 days by default). The leftmost bar in each graph represents the number of incidents logged on the first day of this period, and the rightmost bar represents the number of events logged today. By default, the graph is sorted by this column, which makes the most populated incident categories to appear on top.
    • Incident type – the incident category name.
    • Last incident on – the time of the last incident recorded in this category
    • Last hour, Last day, Last X days (14 by default) – a count of incidents within the category for the respective time frame.

    In order to research incidents in a particular category, double click that category’s row.

    Incidents Category View

    After double-clicking any row in the Incidents home page, you arrive at this view, which shows all incidents of the selected type (for example, Computer Stress). Nnote that any filters previously applied on the Incidents home page will remain active, as indicated by the orange highlight of the navigation bar.

    This view includes the same columns as the Incidents home page. In addition, all data fields of the selected incident type are available for display. To add a column, click on its name in the side bar on the right.
    image.png

    For example, here we’ve added the Counter column to the Computer Stress incidents view. Once added, this column is added to the grouping logic of the incidents grid, dividing it into all unique combinations of the selected field values. If you originally had 10 computers in the Computer Stress view, adding the Stress Level column will divide every computer row into all existing values of Stress Level column on that computer (to a maximum of 10*4=40 rows, if every computer has triggered all possible stress levels).

    Multiple columns can be added using the same method. This is a powerful data mining feature, which enables you to identify the most common factors contributing to incidents in your organization. For instance, in Computer Stress Level events the Counter column shows the specific counters responsible for each Stress Level incident. When added to this view together with the Computer Name column, the default sorting should highlight the specific resource that causes the most Stress Level events (e.g. Memory Utilization on Server1).

    Double-clicking on a row in this table will switch the grid to the Individual Incidents view.

    Individual Incidents View

    This view’s purpose is to display the separate occurrences of any incident recorded by ControlUp. Unlike the other views in the Incidents Pane, every row in this view is not a summary, but an individual incident.

    For every incident, all recorded details are displayed (see column reference below). In addition, this view includes the Trigger column which links to the trigger that caused every incident to be recorded, so that you can easily tune the relevant triggers. Note that the trigger causing a particular event may have been deleted since the incident had been recorded. In this case the Trigger column will show <trigger deleted>.

    Incidents Pane Column Reference

    Home Page Columns

    Column name Description
    Incident typeThe incident category, as configured when creating the trigger.
    Last incident onThe time of the last incident recorded in this category.
    Last hour, Last day, Last X days (14 by default)A count of incidents within the category for the respective time frame.

    Incidents Category View Columns

    Column nameDescription
    Incident typeThe incident category, as configured when creating the trigger. Events are separated into these categories because every category has a distinct set of data fields. For example, a "Computer Stress" incident cannot be displayed in the same table as a "Session State Changed" incident since they do not have the same schema.
    Last incident onThe time of the last incident recorded in this category.
    Last hour, Last day, Last X days (14 by default)A count of incidents within the category for the respective time frame.
    Columns available in the “Folder Stress” category
    Stress LevelThe Stress Level severity recorded during the incident
    FolderThe name of the folder in your ControlUp organization
    TriggerThe name of the trigger that caused the incident to be recorded (links to the trigger’s settings). Could be empty if the trigger has been deleted.
    Counter NameThe ControlUp column responsible for the increase in the computer’s Stress Level
    Columns available in the “Hosts Stress” category
    Stress LevelThe Stress Level severity recorded during the incident
    FolderThe name of the folder in your ControlUp organization
    TriggerThe name of the trigger that caused the incident to be recorded (links to the trigger’s settings). Could be empty if the trigger has been deleted.
    Counter NameThe ControlUp column responsible for the increase in the computer’s Stress Level
    Host NameThe name of the affected virtualization host
    Hypervisor TypeThe hypervisor platform vendor
    VersionThe version number of the hypervisor platform
    Installed MemoryThe amount of physical RAM installed on the host
    Columns available in the “Computer Stress” category
    ComputerThe name of the computer on which the incident has occurred
    FolderThe name of the ControlUp organization tree folder in which the computer resides
    Trigger nameThe name of the trigger that caused the incident to be recorded (links to the trigger’s settings). Could be empty if the trigger has been deleted.
    ManufacturerThe hardware manufacturer of the stressed computer
    ModelThe hardware model of the stressed computer
    OSThe operating system of the stressed computer
    Service PackThe OS service pack installed on the stressed computer
    CounterThe ControlUp column responsible for the increase in the computer’s Stress Level
    System TypeThe system bitness (x86/x64) of the stressed computer
    CPU CountThe number of CPUs installed on the stressed computer
    Total Memory InstalledThe amount of physical memory on the stressed computer
    Uptime GroupThe uptime of the stressed computer, categorized (1 hour – 1 day, 1 day – 1 week, 1 week – 1 month)
    Stress LevelThe Stress Level severity recorded during the incident
    Session CountThe number of user sessions established on the stressed computer, categorized (0-2,3-5,6-10, etc.)
    Domain RoleThe domain role of the stressed computer
    Host NameFor a virtual machine, the name of the hypervisor host on which the machine was running at the time of the incident
    Hypervisor TypeFor a virtual machine, the vendor of the hypervisor host
    Columns available in the “Session Stress” category
    Account NameThe user account name of the stressed session
    Account DomainThe user account domain of the stressed session
    ComputerThe computer on which the stressed session was hosted
    FolderThe ControlUp organization folder in which the computer hosting the session resides
    CounterThe ControlUp column responsible for the increase in the session’s Stress Level
    Trigger nameThe name of the trigger that caused the incident to be recorded (links to the trigger’s settings)
    Client nameThe name of the client computer from which the stressed session has been established
    Session stateThe state of the user session at the time of the incident
    Initial programThe program configured to start when the session is initialized (or published application)
    Columns available in the “Process Stress” category
    Image nameThe name of the stressed process
    EXE versionThe version number of the stressed process
    Product nameThe product name of the stressed process
    Product versionThe product version number of the stressed process
    ManufacturerThe manufacturer of the stressed process
    User nameThe name of the user who launched the process
    DescriptionThe description of the stressed process
    ComputerThe computer on which the stressed process was executed
    FolderThe ControlUp organization folder in which the computer hosting the stressed process resides
    Command lineThe command used to launch the process, including the full path and command-line arguments
    PriorityThe base CPU priority of the stressed process
    Created timeThe creation timestamp of the stressed process’s executable file
    Modified timeThe last modification timestamp of the stressed process’s executable file
    Columns available in the “Account Stress” category
    Account nameThe name of the user account
    Account domainThe AD domain name of the user account
    Total sessionsThe total number of sessions established using the user account
    Total processesThe total number of processes executed using the user account
    Stress LevelThe Stress Level severity recorded during the incident
    Columns available in the “Application Stress” category
    Image nameThe name of the process executable
    Total processesThe number of process instances for the executable
    EXE versionThe EXE version of the executable file
    Stress LevelThe Stress Level severity recorded during the incident
    Columns available in the “Windows Event” category
    Event logThe name of the Windows Event Log in which the event was logged
    Event typeThe type of the event – Error, Warning, Information, Audit Success / Failure
    Event IDThe event ID number
    UserThe User field as logged in the event
    ComputerThe Computer on which the event was logged
    Full messageThe full text of the event
    Event sourceThe source of the event
    Raw messageThe raw message text of the event (without substituted parameters)
    FolderThe ControlUp organization folder in which the computer that logged the event resides
    Columns available in the “Process Started” category
    Image nameThe name of the started process
    Image versionThe executable version of the started process
    Command lineThe command used to launch the process, including the full path and command-line arguments
    UserThe user who launched the process
    ComputerThe computer on which the process was launched
    FolderThe ControlUp organization folder containing the computer on which the process was started
    Columns available in the “Process Ended” category
    Image nameThe name of the ended process
    Image versionThe executable version of the ended process
    Command lineThe command used to launch the process, including the full path and command-line arguments
    UserThe user who launched the process
    ComputerThe computer on which the process ended
    FolderThe ControlUp organization folder containing the computer on which the process ended
    Exit codeThe exit code recorded when the process ended
    Columns available in the “User Logged On”, “User Logged Off” and “Session State Changed” categories
    User nameThe user name of the established session
    Machine nameThe computer hosting the session
    Initial programThe program configured to start when the session is initialized (or published application)
    Session IDThe session ID number
    Columns available in the “Session State Changed” category (in addition to the above)
    From stateThe session state before the change
    To stateThe session state after the change
    Columns available in the “Computer Down” category
    ComputerThe name of the computer disconnected from monitoring
    ActionThe reason for disconnection
    Error descriptionThe description of the error that led to disconnection
    FolderThe ControlUp organization folder containing the computer
    Columns available in the “NetScaler Stress” category
    NetScaler NameThe name of the NetScaler on which the incident has occurred
    VersionThe NetScaler version
    Load Balancer NameThe name of the Load Balancer on which the incident has occurred
    LB Service Group NameThe name of the Service Group on which the incident has occurred
    LB Service NameThe name of the Service on which the incident has occurred
    Gateway Name The name of the Gateway on which the incident has occurred
    NIC ID

    The ID of the NIC on which the incident has occurred

    Columns available in the “Load Balancers Stress” category
    NetScaler NameThe name of the NetScaler on which the incident has occurred
    VersionThe NetScaler version
    Load Balancer NameThe name of the Load Balancer on which the incident has occurred
    LB Service Group NameThe name of the Service Group on which the incident has occurred
    LB Service NameThe name of the Service on which the incident has occurred
    Gateway Name The name of the Gateway on which the incident has occurred
    NIC ID

    The ID of the NIC on which the incident has occurred

    Columns available in the “LB Services Stress” category
    NetScaler NameThe name of the NetScaler on which the incident has occurred
    VersionThe NetScaler version
    Load Balancer NameThe name of the Load Balancer on which the incident has occurred
    LB Service Group NameThe name of the Service Group on which the incident has occurred
    LB Service NameThe name of the Service on which the incident has occurred
    Gateway Name The name of the Gateway on which the incident has occurred
    NIC ID

    The ID of the NIC on which the incident has occurred

    Columns available in the “LB Services Groups Stress” category
    NetScaler NameThe name of the NetScaler on which the incident has occurred
    VersionThe NetScaler version
    Load Balancer NameThe name of the Load Balancer on which the incident has occurred
    LB Service Group NameThe name of the Service Group on which the incident has occurred
    LB Service NameThe name of the Service on which the incident has occurred
    Gateway Name The name of the Gateway on which the incident has occurred
    NIC ID

    The ID of the NIC on which the incident has occurred

    Columns available in the “Gateways Stress” category

    NetScaler NameThe name of the NetScaler on which the incident has occurred
    VersionThe NetScaler version
    Load Balancer NameThe name of the Load Balancer on which the incident has occurred
    LB Service Group NameThe name of the Service Group on which the incident has occurred
    LB Service NameThe name of the Service on which the incident has occurred
    Gateway Name The name of the Gateway on which the incident has occurred
    NIC ID

    The ID of the NIC on which the incident has occurred

    Columns available in the “NICs Stress” category

    NetScaler NameThe name of the NetScaler on which the incident has occurred
    VersionThe NetScaler version
    Load Balancer NameThe name of the Load Balancer on which the incident has occurred
    LB Service Group NameThe name of the Service Group on which the incident has occurred
    LB Service NameThe name of the Service on which the incident has occurred
    Gateway Name The name of the Gateway on which the incident has occurred
    NIC ID

    The ID of the NIC on which the incident has occurred


    Was this article helpful?

    What's Next