The Unified Inventory is a list of all identified devices from all configured sources as long as the device has been active in at least one source in the last 30 days.
This page describes the what and how; if you're interested in the why, refer to our introductory blog post on the Sevco website: Introducing Sevco Unified Inventory.
Italicized terms are important definitions of key system concepts.
Inventory processing has four stages:
Sources are technology you own and use to manage your devices, like your endpoint agents or directory services. A configured Sevco Source communicates with your sources to fetch its currently known source devices and send them through the Sevco Inventory Processing Pipeline. In general, we fetch inventory from all sources every hour. See Manage Sevco Integrations for more information.
Source devices require three pre-processing steps: normalization, identification, and stale filtering:
- Normalization is the process of making consistent attribute names, so (for example) attributes named
ipcan be referred to the same way.
- Identification is an initial filter to ensure there is at least one identifiable attribute that can be used to correlate with other sources.
- Stale Filtering removes any device whose last activity time is greater than 30 days.
Every normalized, identified, and active source device is sent to the Asset Telemetry pipeline. See Asset Telemetry Overview for more information.
In parallel, every normalized, identified, and active source device is sent to the Correlation Engine to be correlated to devices from other sources using the available identifiable attributes. Post-correlation, it becomes an aggregated device.
- A source device is a device reported by a source.
- An active, identified source device is a source device with at least one identifiable attribute with activity within the last 30 days.
- An aggregate device is the representation of one or more source devices with matching identifiable attributes.
Each source has particular nuances, not only in its configuration, but also in the data available. Per-source details are documented in Sevco Integrations.
There are two considerations that impact inventory processing and that apply to all sources: source category and last activity time.
There are two categories of sources:
- Direct: These are imported from the actively managed sources in the IT Asset Lifecycle, such as Active Directory or an endpoint agent. These systems report the direct inventory of systems.
- Inferred: These are systems that log any device activity or any device observation that implies the existence of a device, but is an indirect measure. Examples include DHCP, ARP Caches, or network scanners.
As described above, during source preprocessing, we remove stale devices from inventory sources. This ensures that the source totals, and thus the overall device totals, are an accurate representation of active devices in the enterprise.
The last activity time varies by source category. For direct sources, it is the time of last communication: these sources are client/server models where software on an endpoint "checks in" to a server. The "time of last checkin" is a commonly available device attribute. For inferred sources, it is the time of the most recent activity observation. For a network scanner, it is the time the scan was run. For an ARP cache, it's the time the entry was observed in the cache.
The Unified Inventory page is a list of all aggregate devices. For each aggregate device, it presents the sources in which the aggregate was observed and the last activity time per source. The aggregate's last activity is the most recent source activity time. The aggregate and all previously observed sources remain in the inventory as long as there is at least once source active.
Updated about 1 month ago