Hourly count of event sources in dashboard

Hi, 

I have events restricted by a specific filter that I use for the dashboard. I would like to add another feature showing a count of unique event sources (hostnames) per hour. So far I could not identify a straightforward data monitor that would help me out. Is it possible to do this somehow for the dashboard at all?

  • The easiest would be to enable Device Monitoring on the Connectors, as this populates statistics per log source in content created under ArcSight Administration, Devices.

    This includes things like active lists, etc., which you can query on to create your statistics.

  • Hi, 

    Thank you for the reply. My question is more related to the data monitor type, rather than the actual stats.

    From what I have seen there is no way to present a live dashboard based on an Active List or some sort of report, and even by enabling Device Status Monitoring, I cannot find a way to present this info properly. All I need is a simple graphic showing the count of log sources per hour.

  • You'll have to create a trend to use for the dashboard, or use a query viewer which refreshes every now and then.

    First isolate the data that you at least need for X and Y in the graph.

    In this case it would be timestamp[hour] and deviceHostNames/deviceAddresses (choose one) [Count].

    1. Create the conditions for your query, and isolate the dataset (advised: use type=base, deviceVendor!=ArcSight, etc.)
    2. Select the dataset you are going to query: Live, Trend or Active List data?
    3. Create a query to select endTime [Hour] and deviceHostName [Count] and test the output in a query viewer.
    4. Validate the data in a query viewer table; if okay, proceed with amending the query
    5. Select endTime to sort on hours in the query and select the number of rows that you would like to display
    6. Now create a dashboard by right clicking on the query viewer, select graph and select the fields for X and Y.
    7. Now add it to your dashboard


  • Verified Answer

    So I have improved the previous reply a bit. 

    1. Create a query to count unique source addresses for a specific connector.

    2. Create a trend that runs this query on an hourly basis.

    3. Create a query that pulls the data from the above-mentioned trend for the required number of hours.

    4. Create a query viewer that presents this data and add it to the dashboard.