Aggregation and grouping (classic)

The Nexthink solution aggregates metric data along two dimensions: the defined hierarchy and time. To aggregate the data, the system also takes into account the group by and aggregate by options that you set when you create the metric in Finder (depending on the kind of metric, not all options are available). Various combinations of aggregation and grouping options along with hierarchy node and period selection produce different results in the web dashboards.

The example hierarchy

For demonstration purposes, suppose that we have defined a very simple hierarchy based on locations that consist of two levels only:

  • Country (top level)

  • City (entity level)

Our imaginary organization has offices in two countries, Switzerland (CH) and Spain (ES). Switzerland has offices in two different cities, Geneva (GVA) and Zurich (ZRH). Spain has offices in two different cities, Madrid (MAD) and Barcelona (BCN).

Finally, imagine that there are just two devices per city. The name of each device comprises the initial letter of the city, followed by either the number 1 or the number 2. This makes a total of eight devices:

Hierarchy
Hierarchy
Hierarchy
Hierarchy
Hierarchy
Hierarchy
Hierarchy
Hierarchy
Hierarchy

Country

CH

CH

CH

CH

ES

ES

ES

ES

City (entity)

GVA

GVA

ZRH

ZRH

MAD

MAD

BCN

BCN

Devices

G1

G2

Z1

Z2

M1

M2

B1

B2

Count metrics

Depending on the type of object, count metrics consider:

  • Only those objects that were active during a particular day.

  • All objects regardless of their activity during a particular day.

For some types of objects, you can only count active instances. For packages, you always count all of them. For users and devices, the user may choose whether to count all of them or only those that were active. Use the table below as a reference:

Only active
Only all objects
User choice
  • Application

  • Executable

  • Binary

  • Port

  • Destination

  • Domain

  • Packages

  • Users

  • Devices

Aside from packages, it is usually helpful to count only those objects which were active during the day. However, in cases such as transformation projects, it is important to know which objects already fulfill the transformation condition, no matter whether they were active during a particular day or not. For instance, if you have a migration project from Windows 8 to Windows 10, you probably want to count every day the devices which have already installed Windows 10, even when they were not active during the measurement day. In this way, when observing the results of the metric with the web interface, you get a non-decreasing value, which may not be the case if you measure only active devices instead. For instance, in a typical company, the number of active devices decreases dramatically during the weekend, increasing again during weekdays.

The value of a metric that counts all objects is thus valid for the particular day when it is computed and cannot be aggregated through time. Therefore, the web interface does not show widgets associated with these metrics when selecting time periods different from one day. In addition, note that the computation of these metrics requires looking through all the history available in Engine for counting in all possible objects. The conditions that you can specify for these metrics are consequently the same as for full period investigations, namely they cannot depend on activities or events.

When counting active objects only, an extra condition (count devices that meet conditions on ... in period) influences how the system displays the results of the metrics for periods longer than one day. Use this extra condition to count objects, either:

  • The last day that the objects were active within the selected period (for inventory purposes), or

  • At least one day during the selected period (for detecting occurrences).

Grouping by properties

As a first example, let us consider a metric that counts the number of devices and groups them both by type and OS (in the COMPUTE DAILY section, select Group by device type and OS version and architecture).

Since this metric is intended to make an inventory of devices and inventories are usually based on the latest state of the cataloged objects, select the extra condition of count metrics to last active day (in the MATCHING section, select Count devices that meet conditions on last active day in period). Leave the rest of the options for creating the metric to their defaults.

The devices in our example are of the following types and have the following operating systems installed:

Devices
Device Type
OS version and architecture

G1

server

Windows 2012 Server Standard (64 bits)

G2

desktop

Windows 8.1 Pro (64 bits)

Z1

laptop

Windows 7 Enterprise SP1 (64 bits)

Z2

desktop

Windows 8.1 Pro (64 bits)

M1

laptop

Windows 10 Pro (64 bits)

M2

desktop

Windows 7 Enterprise SP1 (64 bits)

B1

laptop

OS X Yosemite 10.10.5 (64 bits)

B2

desktop

Windows 7 Enterprise SP1 (64 bits)

If the devices and their operating system do not change, the system consistently displays the same global results for the metric, regardless of the period selected. For instance, when you display the count metric in a table widget, arranging the rows by the operating system and the columns by the device type, you always get the following global results:

OS version and architecture
Device type
Device type
Device type

desktop

laptop

server

Windows 8.1 Pro (64 bits)

2

0

0

Windows 7 Enterprise SP1 (64 bits)

2

1

0

Windows 2012 Server Standard (64 bits)

0

0

1

Windows 10 Pro (64 bits)

0

1

0

OS X Yosemite 10.10.5 (64 bits)

0

1

0

Now let us consider the case that B1 (the only Mac OS device in the list) gets its OS upgraded from version Yosemite to El Capitan. After this upgrade, the choice of the extra condition of count metrics influences the results displayed. Differences appear only when viewing periods are longer than one day; therefore, let us see the results of our widget when selecting a period of one week (the week when the device got its OS upgraded). If you chose last active day as extra condition, you get:

OS version and architecture
Device type
Device type
Device type

desktop

laptop

server

Windows 8.1 Pro (64 bits)

2

0

0

Windows 7 Enterprise SP1 (64 bits)

2

1

0

Windows 2012 Server Standard (64 bits)

0

0

1

Windows 10 Pro (64 bits)

0

1

0

OS X El Capitan 10.11.4 (64 bits)

0

1

0

That is, you get the same results as before, except for the last row in the list, where OS X Yosemite 10.10.5 (64 bits) is replaced by OS X El Capitan 10.11.4 (64 bits). That implies that on the last day when the Mac device was active during the selected week, it already had the El Capitan version installed. However, if the metric was defined with the extra condition option set to at least one day instead of the last active day, the widget displays the following results:

OS version and architecture
Device type
Device type
Device type

desktop

laptop

server

Windows 8.1 Pro (64 bits)

2

0

0

Windows 7 Enterprise SP1 (64 bits)

2

1

0

Windows 2012 Server Standard (64 bits)

0

0

1

Windows 10 Pro (64 bits)

0

1

0

OS X Yosemite 10.10.5 (64 bits)

0

1

0

OS X El Capitan 10.11.4 (64 bits)

0

1

0

That is, during the week of the upgrade, the Mac computer was seen some days with the Yosemite version installed and some other days with the El Capitan version. Thus, it appears twice in the table widget. For that reason, the option at least one day is not well-adapted to inventory, which was the original purpose of the metric.

On the other hand, the option at least one day is useful for detecting occurrences of particular situations. For example, imagine that you want to know whether any device had the antivirus real-time protection turned off any day during the selected period. To that end, create a metric that counts devices and performs any of the following two functions:

  • Group the devices by the status of their antivirus real-time protection

  • Set a condition to get only those devices with the protection turned off.

Choose at least one day as the extra condition of the metric to count those devices that had the protection turned off on any day and not necessarily the last day that they were active.

Note that the Nexthink solution verifies the state of the antivirus real-time protection of the devices when it computes the value for the metric. If you switch the antivirus real-time protection of a device off and on on the same day before the nightly computation, the situation will go undetected for the previously defined metric. In general, this applies to all metrics that set conditions on the state of objects. On the other hand, metrics with conditions based on events keep a history of occurrences. For instance, if a metric counts the number of devices executing high-threat binaries, the system sees these executions during the computation of the metric in any case.

Coming back to our inventory example, let us consider now the result of counting all devices instead of counting the active devices only. Since the migration from Yosemite to El Capitan looks like a transformation project, counting all objects is probably more suitable than counting just the active objects. Indeed, imagine that the Mac laptop in the example is turned off for a whole day after being upgraded to El Capitan. While a metric that counts all objects would include the Mac laptop in the results of that day, a metric counting only active devices would leave it out of its results. Think carefully about the choice of counting only active objects or all objects when you create a count metric for devices or users.

Grouping by foreign category

Count metrics let you group results not only by the properties of the counted objects themselves but also by categories of related objects (foreign categories). Let us illustrate this kind of grouping by creating a metric that counts the number of users. The metric groups the users by a foreign category called Ownership. We define Ownership as a category of devices that has two keywords:

  • Corporate, which indicates that a device belongs to the company.

  • BYOD, which indicates that a device personally belongs to the user.

From the example hierarchy, let us focus on the CH node, that is, the devices in Switzerland, and imagine that we had the following usage pattern during the last day:

  • User 1: an employee used a personal computer G1 in Geneva and then traveled to Zurich and used a corporate computer Z1.

  • User 2: used a personal computer G2 in Geneva.

  • User 3: used a corporate computer Z2 in Zurich.

When retrieving the data during the nightly computation, Portal stores the following data internally:

Users
Entity
Ownership

User 1

GVA, ZRH

BYOD, Corporate

User 2

GVA

BYOD

User 3

ZRH

Corporate

Note that the system is unable to deduce from this table whether the Corporate device of User 1 is located in Geneva or Zurich (same for the employee’s BYOD device). To be on the safe side, the convention followed is to count the user in for all possible combinations, although that may lead to situations where the actual combination did not occur. In our example for User 1, only the combinations GVA-BYOD (because of the use of G1) and ZRH-Corporate (because of the use of Z1) actually occur. However, the system counts as well User 1 for the combinations GVA-Corporate and ZRH-BYOD.

Thus, displaying the metric in a table widget, with the rows organized by hierarchy and the columns by Device-Ownership, yields the following results for the last day (when CH is selected as the Country of the hierarchy):

Ownership
Ownership
Ownership

City

Overall

Corporate

BYOD

Overall

3

2

2

GVA

2

1

2

ZRH

2

2

1

Note that because of User 1 using computers in both Geneva and Zurich, and because of the additional combinations added by convention, none of the partial results add up to the overall values. The values over all the hierarchies are shown in the Table widget after ticking the option Display overall value in the configuration of the widget for dividing by hierarchy.

Considerations on ratios and thresholds

When creating a count metric that includes a ratio computation and thresholds based on the ratio, threshold violations occur more frequently when exploring the lower levels of the hierarchy. The reason is that ratios tend to get more extreme when there are fewer objects to count. To avoid triggering threshold violations with only a few objects involved, tick the checkbox Ignore unless at least x objects are impacted in a hierarchy node and specify the minimum number of objects that must be impacted in order to consider a threshold violation effective.

On the other hand, if you base the thresholds on absolute values instead of ratios, threshold violations occur more frequently in higher levels of the hierarchy, because they involve more objects.

Quantity metrics

There are two types of quantity metrics: those that measure a countable number of actions (for example, the number of executions) and those that measure a continuous quantity related to the activity of a device (the memory usage, the boot or logon duration, etc.). In both types of quantity metrics, the measured quantity changes over time. It is therefore necessary to aggregate all the collected values to display a final result on the web interface for each available time frame. For quantity metrics, there are four ways of aggregating the results:

  • sum over all devices and the whole timeframe

  • average value per device per day

  • maximum value per device per day

  • minimum value per device per day

Not all of the aggregation strategies are available for all quantity metrics. Only the options that make sense for a particular metric can be selected. Typically, the computation of the average and the maximum values per device per day are available to any quantity metric, whereas the sum or the minimum values only make sense for some kinds of quantity metrics.

Let us examine the different aggregation options for quantity metrics through some examples. For instance, consider a metric that counts the number of executions of Nexthink Finder on each device; that is, a quantity metric that computes the number of executions with a condition on the executable name nxfinder.exe. Suppose that, for the current week, the devices of our original example located in Spain have the following usage pattern:

Finder executions
Finder executions

City

Device

Monday

Tuesday

MAD

M1

4

2

M2

1

1

BCN

B1

0

1

B2

1

0

Consider first the results of the metric for the different aggregation strategies when looking at the last day:

Maximum value per device per day: 2

The device that executed Finder the most on Tuesday is M1, which did it twice.

Sum over all devices and the whole timeframe: 4

Results from adding all the executions on Tuesday 2 (M1) + 1 (M2) + 1 (B1) = 4.

Average value per device per day: 1.3

Results from dividing the sum of all executions (the previous value calculated) by the number of devices that participate in the metric 4 / 3 = 1.3. Note that B2 is not counted in for computing the average on Tuesday because it does not satisfy the condition of executing nxfinder.exe.

Now let us consider the results when selecting the last week. Since the week is not over, the system has data only for Monday and Tuesday:

Maximum value per device per day: 4

Device M1 executed Finder four times on Monday. That is the maximum for any device during the week.

Sum over all devices the whole timeframe: 10

That adds up to the four executions on Tuesday plus six on Monday.

Average value per device per day: 1.7

Results from dividing the sum of all executions over the whole week by the sum of devices participating in the metric each day. That is 10 / 6 = 1.7. Note again that neither B1 not counted in on Monday nor B2 is counted in on Tuesday because they do not satisfy the condition of executing nxfinder.exe, so we only have three devices each day, making a total of 6 devices for computing the average.

We have just seen an example of a quantity metric that counts individual occurrences. Let us now consider a metric based on continuous value; for instance, a metric that computes the average memory usage per execution of Finder (as in the previous example, we use a condition on the executable nxfinder.exe). As you probably know, the memory used by Finder increases with the number of tabs that are simultaneously open, so we can expect significant differences between the memory used by any two distinct executions of Finder. Again, for the devices in Spain, suppose that we have the following usage pattern for the current week:

Finder memory
Finder memory

City

Device

Monday

Tuesday

MAD

M1

200 MB

100 MB

M2

No execution

200 MB

BCN

B1

300 MB

500 MB

B2

400 MB

400 MB

The metric yields the following results for Tuesday, according to the chosen aggregation strategy:

Maximum value per device per day: 500 MB

Device B1 had the highest memory usage on Tuesday. Note that this is not the absolute maximum value of memory used by Finder on the device, since the metric is actually measuring the average along the day.

Minimum value per device per day: 100 MB

Device M1 had the lowest memory usage on Tuesday. Again, note that this is an average along the day, so it is not the absolute minimum amount of memory that Finder used.

Average value per device per day: 300 MB

Adding the values for all devices makes a total of 100 (M1) + 200 (M2) + 500 (B1) + 400 (B2) = 1200 MB, dividing by four devices gives 300 MB on average.

If you select to see last week results, you get the following:

Maximum value per device per day: 500 MB

No device used more memory for Finder than B1 on Tuesday, so 500 MB is again the maximum for the week.

Minimum value per device per day: 100 MB

The same for the minimum usage of memory, which corresponds to M1 on Tuesday. Note that the memory usage of M2 on Monday is not counted as 0 because it does not meet the condition of executing Finder. Thus, the metric does not take M2 into account.

Average value per device per day: 300 MB

We have 1200 MB from Tuesday plus a total of 200 (M1) + 300 (B1) + 400 (B2) = 900 MB on Monday, making a grand total of 2100 MB for the week. Dividing by three active devices on Monday (M2 had no executions) plus four devices on Tuesday, that is, a total of seven devices, gives 2100 / 7 = 300 MB on average.

In quantity metrics, as in count metrics, you can group the results by up to two criteria. Since quantity metrics are related to devices only, the criteria for grouping results can be based either on the attributes or on categories of devices (no foreign categories are available in this case). Setting group by options lets you break down the results of the metric when they are displayed in a table widget within a dashboard, in the same way as shown for count metrics.

Top metrics

Top metrics return a list of objects ordered by their contribution to a particular activity. When defining a top metric, you choose:

  • The type of object to show in the list.

  • The total number of objects in the list (from the top 10 to the top 100).

  • An activity that is linked to that type of object.

  • The criterion for including the objects in the list: include those with either the highest or the lowest contribution to the activity.

  • The aggregate by option for the activity, which determines how to compute the contribution of each object.

The available aggregation options are similar to those available in quantity metrics. The difference is that they are not necessarily based on devices, so they can cross device boundaries. For instance, a metric that computes the top 10 users with the highest number of executions aggregates into a single value the number of executions carried out by a same user in different devices. Thus, these are the Aggregate by options of top metrics:

  • sum over the whole timeframe

  • average value per day

  • maximum value per day

  • minimum value per day

As in the case of quantity metrics, not all the aggregation possibilities are available for all top metrics, but only those that make sense.

Grouping by hierarchy

In addition to the group by options that you specify for count and quantity metrics, the system always aggregates the results of all metrics (including top metrics) by hierarchy.

When selecting one group by option in the definition of a count or quantity metric, it is always possible to break down the results by hierarchy and by grouping option, arranging them as the rows and columns (or columns and rows) of a Table widget. If you define two group by options and you select one of them to break down the results by rows or columns in a Table widget, you must select the other option for the columns or rows, respectively. In this case, the option to break down by hierarchy is not available. Nevertheless, choosing to display the total value of the metric or metrics added to the widget (i.e. the Metrics option), instead one of the group by criteria, lets you again choose the hierarchical criterion to arrange the results.

In top metrics, however, there is no group by option and it is not possible to arrange the hierarchy in a Table widget. You can still add display fields to the definition of a top metric to see them arranged in a Table widget.

Hierarchy navigation

For those widgets that do not explicitly break down the results of a metric by hierarchy (KPI, Line charts, and those Table widgets not arranged by hierarchy), use the hierarchy navigation tool of the web interface that is located in the top blue ribbon to explore the results at different levels in the hierarchy. All the widgets in the dashboard adapt their results to the node selected in the hierarchy navigation tool.

The Table widgets that do break down the results by hierarchy divide in fact their results by the nodes placed at the immediately lower level of the node selected in the hierarchy navigation tool (that is, its child nodes).

For instance, consider a dashboard built around the hierarchy of our original example. While viewing the dashboard, if you switch from the Global view to the node CH in the hierarchy navigation tool, all the widgets in the dashboard will display the results limited to the values that they got for Switzerland. In addition, Table widgets arranged by hierarchy will divide their results by the nodes GVA and ZRH, which are the children of the CH node.

Considerations on aggregation along time

As time passes by, the Nexthink solution accumulates data day by day. Every night, the system collects and computes the values of the past day and aggregates the results to the current week, month, and quarter.

However, when switching from a view of the current week to the current month, a counterintuitive situation may occur: the amount of data available for the current month might be less than the amount of data for the current week. This situation may occur when a month boundary has recently been crossed, because a week can overlap over two different months.

Let us explain it with one of our previous examples on quantity metrics. Consider again the metric that counts the number of executions of Finder and suppose that we chose to aggregate by the sum over all devices and the whole timeframe. If you look at the values that we obtained, we had 6 executions of Finder on Monday and 4 executions on Tuesday. Assume now that Monday was April 30, Tuesday was May 1, and it is May 2. Therefore, a month boundary was crossed yesterday.

Date
April 30
May 1
May 2

Week day

Monday

Tuesday

Wednesday

Executions

6

4

N/A

If we navigate to the most recent date available, the result depends on the period selected:

  • Day: 4 executions, corresponding to Tuesday, May 1.

  • Week: 10 executions, corresponding to the 6 on Monday plus the 4 on Tuesday.

  • Month: 4 executions, corresponding to Tuesday, May 1.

That is, the week started before the new month and it is still ongoing, so there are more days available for the current week than for the current month. The value for the week may therefore be bigger than the value for the month.

Last updated