Devo is a cloud-based multi-tenant enterprise log management solution designed to handle the most challenging data analytics requirements. Devo collects machine data generated by traditional machine data sources as well as business applications all in real-time to facilitate sophisticated analytics using a single pane of glass. Devo enables organizations to gain insights into their applications, infrastructure, and business systems using built-in applications, real-time dashboards, and alerts. It also provides data analysts and scientists the tools they need to extract valuable and actionable intelligence from petabytes of data.

Devo is a cloud-first solution. Devo is deployed primarily in two ways: the Devo SaaS cloud or the customer’s cloud (Devo supports all the major public cloud vendors). It all depends on an organization's resources and policies. The SaaS solution offers excellent value in terms of high scalability, low operating costs, and limited data management requirements. However, this doesn't work for all companies. Security and privacy policies may dictate that all or part of data storage reside within a company’s own cloud account.

This will vary on a case-by-case basis depending on your business needs. However, we can get you set up in as little as a few days.

We recommend using the latest versions of Google Chrome or Mozilla Firefox.

From the outset, Devo was designed to be easy-to-use and intuitive while also enabling complex and sophisticated tools for data analysis.

It takes just a few sessions for most users to master the basics of navigating the web application, selecting data tables, and building queries. That said, Devo offers training courses that prepare users with what they need to know to get results with Devo right away. Learn more about Devo training services.

Devo can collect and derive analytics from any cloud provider’s operational event data.

Devo can be deployed in both public and private clouds, or in public cloud resources dedicated to a single organization (semi-public).

The Devo SaaS offering is available in multiple AWS, Azure, and Google Cloud Platform regions.

Devo is not like other solutions that parse and index events as soon as they are delivered to the platform. As data enters the Devo platform it is classified and stored using its associated Devo tag which corresponds to the specific type of data source. Events are stored exactly as they were received by Devo, unchanged. Parsers, which are associated with event tags, are only applied at query time, allowing the platform to adapt to any change in data format without requiring changes to existing data or queries.

No, actually it's much faster. Instead of one enormous index, Devo asynchronously generates many small and lightweight indexes.

Let's say that firewall events make up about 10% of your data repository. When you open a search that calls a firewall table (i.e. a table with a firewall tag like firewall.juniper.traffic), only 10% of the data in the repository needs to be searched to locate and retrieve the associated events.

Devo's agile and intelligent system for indexing data speeds data ingestion and means that your data is stored hot and stays hot for as long as you need it to.

Yes and yes. There are two APIs.

Our REST API enables programmatic access to data stored in Devo, lets you run queries remotely, and either return the results to the requestor or to another repository (like S3, Hadoop, or Kafka). You can also manage jobs - these are the query requests that are actively querying and redirecting the results to another repository.

The Provisioning API is available to carry out actions related to managing security credentials, users, and some other domain-related attributes. It is particularly useful for very large implementations or for resellers.

Any kind of event! Devo can ingest any kind of data that can be stored in text format. This includes application logging events, JSON formatted data, records from relational databases, social media activity, and much, much more.

This depends very much on the event source, its location, and source capabilities. What’s important to understand is that both the Devo relay and Devo itself are designed to receive syslog events.

If an event source lets you assign the correct Devo tag in the source system and is able to establish a secure channel using authenticated TLS over TCP, it can be configured to send events directly to Devo.

This is the case with both Windows and Linux machines as well as many commercial software systems.

However, many sources are unable to meet both of these requirements. In these cases, events can be sent untagged to a Devo Relay that resides within their organization's network. The relay can be configured with a rule that will apply the correct Devo tag, then forward the event to Devo over a secure, encrypted channel.

Data can also be sent to Devo using netflow, an HTTP endpoint, or by simple file upload using the web application. Learn more.

That depends entirely on how much data your events contain and how many events you are sending. In all cases, the Devo Relay compresses data before forwarding it to Devo in order to optimize bandwidth efficiency.

A Devo tag is a special descriptor that needs to be attached to every event sent to the Devo Cloud. The tag tells Devo a couple of important things:

  • It identifies the specific event source.
  • It dictates to Devo where the event has to be saved in the Devo repository.

Each Devo tag is linked in the platform to a parser that is designed specifically to parse the events with that tag. So when a user selects a data source in the Finder, the associated parser is called to parse the events for display in the search window. The parser determines the column names and data types in the table.

So, you can see that the tag is central to correctly saving, accessing, and parsing the events collected in Devo. Read more about tags or check out the complete list of already supported technologies and their tags.

The lightning-fast answer is yes. In most cases, the difference between the event timestamp (when the event occurred in the source system) and the Devo eventdate (when the event was received by Devo) is measured in milliseconds. And events are immediately available for queries. No waiting.

There are exceptions to this for systems that are specifically configured to send data at intervals. Such configurations are generally due to limitations of the source system, however, and the vast majority of data sources we've set up to send events to Devo are as close to real-time as you could want.

Devo uses standard LINQ which is based upon SQL. Users who are comfortable with a query language can use the query editors to create and edit their queries.

That said, it is not necessary for all users to master LINQ to use Devo effectively or to build complex, sophisticated queries. Devo was designed to make queries accessible to users of all skill levels. The user-friendly Devo search window displays data in table format and contains a number of interface tools that simplify filtering, data enrichment, grouping, and data aggregation operations. But behind it all is a LINQ query that you can view and edit at any time.

Lots. The aggregate functions available range from the common (like count and average) to the specialized (like unbiased variance and percentiles). Check out the complete list of aggregate functions.

Data enrichment is performed on the fly by selecting the field to be enriched and specifying which source or operation to enrich the data with. Devo comes prepared with dozens of operations you can use to enrich your query data. The product documentation contains a complete list of the standard operations and describes how they are used.

In addition, you have a few other options for adding proprietary static and dynamic lookup data. You can:

  • Upload static lookup data in CSV files. For example, a file that associates email addresses with information like job title, employee ID, and so on. More info.
  • Use queries to generate static or dynamic lookups that contain the set of values that appeared in selected fields over a given time period. More info.
  • Generate temporary, dynamic collections that contain the set of values that appear in selected fields in a rolling time window. More info.

Users with the necessary permissions, like Admin users, can view a list of the queries currently active in the domain in Data Search - Query Management. Learn more.

Yes. Our REST API lets you remotely issue a query to Devo, then forward the results to a different destination (asynchronous response). Currently it’s possible to forward results to Amazon S3, HDFS, or Kafka using the POST/query parameter destination. Learn more.

Yes, as long as the other users have permission to access the data table(s) that feed the query. You can simply copy the query’s LINQ expression and provide it to the other user by email.

Yes. You can easily set up an OData feed so you can pull data from your query in Devo into another external tool like Tableau, Power BI, or Excel. It's really easy and quick to do. Read about it here.

While you may continue to use your external visualization and analysis tools, Devo's Activeboards give you built-in, easy-to-use functions for building a wide variety of charts, maps, and tables for visual, interactive reporting.

You can build a variety of charts and graphs when you are creating or editing Devo dashboards. However, you can also build charts on-the-fly from within the Search window when you’re working with your data. This makes it easy to test your query data and the possible visualizations before adding them to a dashboard.

There is no limit to the number of dashboards that can be built.

Yes, as many as you need. Devo Activeboards can contain several types of charts including geographic maps, Voronoi diagrams, line charts, and many more. Simple controls let you use a single dashboard to view data for current or historic time periods.

Inputs are special controls that you can add to your Activeboards to enable interactivity with the widgets in your board. Learn more about Activeboards.

We strongly recommend TLS over TCP with certificate authentication for channels sending data directly to Devo in a public cloud. Events can also be sent to Devo via a Devo relay installed within the customer’s secure network. The relay sends data to Devo using TLS encrypted with RSA-2048 and SHA256 and using X.509 certificates for authentication.

OAuth tokens are available to secure data sent over HTTP.

Devo provides several types of security credentials to authorize connections with your Devo domain including API key/secrets, X.509 certificates in several standard formats, and OAuth tokens. These are found in the Administration → Credentials area of the web application.

Domain admins can enable up to three levels of authentication for user logins: basic authentication using email/password, multi-factor authentication, and/or SAML single sign-on using Google, Okta, or OneLogin.

Connections are encrypted by SSL certificate using the RSA public-key SHA-2 algorithm.

Yes, Devo uses application roles to control access to application features and resources like shared dashboards, vertical apps, and panels. Roles are cumulative, meaning that one user can have multiple roles and their permissions will be the sum of the roles they possess.

There are three default roles that cannot be changed:

  • Admin - Has access to all application resources.
  • Owner - Same as the Admin but there is only one Owner. By default the Owner is the user who created the domain but this role can be re-assigned.
  • No Privileges - Has very limited access to application features.

In addition to these, you can define as many custom roles as you need to control access to the resources in your domain. Learn more.

Devo maps across NIST 800-53r4 controls, and Devo also complies with SOC2 type 2 requirements, SAS-70 SAE-16 controls, HIPAA HI-TECH, PCI-DSS, and GDPR as both custodian/provider.

In Devo, users access data using a Finder which contains links to virtual data table views. Domain Admin users can create custom finders that provide access only to specific tables and they can create as many custom finders as needed. These finders are then assigned as the default finder for application roles. This means that users will only be able to access data in tables that have been specifically allowed for the application role(s) they possess.

You can also control who can use your custom lookups by restricting them for use with specific tables. If no restrictions are applied to a lookup, it is available for users building queries on any tables in the domain.

Yes, this is possible. Data can be masked in several ways: at the Devo Relay before it is sent to Devo, or at query time when data is queried to be displayed. In the latter case, thanks to Devo’s flexible RBAC, you can configure it so that some users view masked data while privileged users can view the full data. Because Devo always saves data in its raw, unchanged format, it is possible to apply masking rules to events at query time, regardless of when they were delivered to Devo. It all comes down to your needs!
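The following is an added conceptual sketch, not Devo code or its API, of the model described above: events stored raw under their tag, a tag-bound parser applied only when the data is read, and masking decided at query time from the caller's cumulative roles. The event layout, the `app.hypothetical.audit` tag, the masked columns, and all function names are assumptions made for illustration.

```python
import re

# Raw events are stored unchanged, partitioned by tag (constructed samples).
STORE = {
    "firewall.juniper.traffic": [
        "2024-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.9 user=alice@example.com action=deny",
        "2024-05-01T10:00:02Z src=10.0.0.7 dst=198.51.100.4 user=bob@example.com action=permit",
    ],
    "app.hypothetical.audit": [  # hypothetical tag, never scanned by a firewall query
        "2024-05-01T10:00:01Z login ok user=carol@example.com",
    ],
}

KV = re.compile(r"(\w+)=(\S+)")


def parse_firewall(raw):
    """Parser bound to the firewall tag; column names exist only at read time."""
    ts, _, rest = raw.partition(" ")
    row = {"eventdate": ts}
    row.update(KV.findall(rest))
    return row


# Tag -> parser. Replacing a parser changes query output without rewriting STORE.
PARSERS = {"firewall.juniper.traffic": parse_firewall}

# Hypothetical masking policy: these columns are hidden unless a role is privileged.
MASKED_COLUMNS = {"user", "src"}
PRIVILEGED_ROLES = {"Admin", "Owner"}


def mask(value):
    """Keep the first two characters and hide the rest."""
    return value[:2] + "*" * (len(value) - 2)


def query(tag, roles):
    """Read only the tag's partition, parse on read, mask per the caller's roles."""
    parser = PARSERS[tag]
    # Roles are cumulative: one privileged role is enough to see full values.
    privileged = bool(PRIVILEGED_ROLES & set(roles))
    rows = []
    for raw in STORE.get(tag, []):
        row = parser(raw)
        if not privileged:
            row = {k: mask(v) if k in MASKED_COLUMNS else v for k, v in row.items()}
        rows.append(row)
    return rows
```

Because masking happens on the parsed row and never on `STORE`, the same stored event yields full values for one caller and masked values for another, whenever it was ingested.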

Devo comes with predefined alerts that are based on common data sources and you can enable or disable these alerts as you choose. You can browse the list here.

Of course, you can create custom alerts to serve your needs. The first step is to build the query that allows you to identify the conditions that should trigger the alert. Then, using a tool available in the search window, you create the alert by giving it a name, a message, a description, and by defining the trigger method. Once you save the alert, you associate it with a sending policy in the Administration → Alert Configuration area. A sending policy dictates how and to whom the alert message should be distributed and also sets calendar parameters that define when alert messages should be sent.

An Alert Dashboard is available to view and manage the alerts triggered most recently in your domain.

There are currently several alert delivery types:

  • Email - Send alert information to individuals or groups by email.
  • HTTP-JSON - Set up alert messages to be sent over HTTP to any system that can receive data in JSON format.
  • Service Desk and Jira - Automatically generate tickets in Service Desk Plus or Jira.
  • Pushover - Distribute alerts as mobile broadcast messages.
  • PagerDuty - Deliver alert information to a PagerDuty server.
  • Slack - Post alert information to a Slack channel.

A single alert can be distributed using one or more delivery types. All triggered alerts appear listed in the Alert Dashboard in the Devo web application.

Devo tailors its pricing to meet the needs of your business. Pricing is contingent on the volume of ingest per day and whether Devo is deployed as SaaS in the Devo cloud or in the customer’s cloud. Devo has a tiered pricing model in which discounts are applied based on average volume of ingest per day.

Devo bills based on a straight-forward 12-month subscription plan that is based on the average volume of data ingested daily. This is true whether the deployment is SaaS or on-premises. All Devo SaaS subscriptions and licenses include 12 months of encrypted and compressed data storage, and an unlimited number of domain users.

Using the web application's Home page, the domain administrator can easily monitor ingestion rates and clearly identify the data sources responsible for sending the most data to the Devo repository. This way the customer stays in complete control of the amount of data sent to Devo. Contact our sales team for more information.

Yes. All Devo subscriptions and licenses include 24x7x365 customer support. Learn more.

Yes. Devo offers a wide variety of professional services including our Quick Start implementation, application development, parser development, data migration and any other custom services to ensure that your company is maximizing the value of the Devo platform. Learn more about Devo professional services here.

The cloud’s the limit. We don’t put a cap on the amount of data you can ingest per day; it depends on the resources available for your needs. Devo was designed to be scalable and to grow with your data needs.

Data is compressed at an average 10:1 ratio for excellent storage efficiency and is always hot for fast access. By default data is stored in Devo for one year. If you need to retain data for longer, no problem, just get in touch with your Devo account manager.

The Home area of the Devo web application is designed to give you an up-to-the-minute, visual summary of data ingested and of recent alert activity. Tables and charts in this page tell you:

  • Live, inbound data flow in events per second and volume per second.
  • The most recently-triggered alerts.
  • The top data sources by number of events ingested.
  • Total, cumulative storage used by both volume and number of events.
  • Daily volume ingested over the last 365 days.

Yes, we have a reseller program that allows value added resellers to offer Devo service to their customers. Speak with us now to learn more.