scott.johnson@m Trusted Contributor.
Trusted Contributor.
1458 views

Event Annotation

Is it possible to populate an event annotation field in a data monitor running in a dashboard?

Thanks in advance!!

Scott

Labels (1)
0 Likes
15 Replies
michael.lumsden Absent Member.
Absent Member.

Re: Event Annotation

Hello Scott,

Unfortunately, data monitors do not allow a user to annotate events.  If you need to do this, you can use the Event Context function (via Right-click -> Investigate -> Event Context Channel).  Then, within the Active Channel, you can annotate the event as normal.

DataMonitorEventContextChannel.png

If you feel having the feature of annotating directly in the dashboard/data monitor is critical, contact your sales representative to report a Feature Request enhancement on your behalf.  Or, alternatively, we can discuss this use-case and requirement further and I can then file the Feature Request on your behalf.

Thanks and Regards,

Michael Lumsden

ESM Product Manager

0 Likes
Gayan Acclaimed Contributor.
Acclaimed Contributor.

Re: Event Annotation

Hi Scott,

No you can not annotate events in the data monitors.

Cheers

gayan

Mr
0 Likes
scott.johnson@m Trusted Contributor.
Trusted Contributor.

Re: Event Annotation

Michael-

Thanks for your response.  I am not necessarily looking to do the event annotation from the data monitor.  What I would like to see is the event annotation populated in a data monitor after it has been changed in an active channel.  Is there a way to do this?

Thanks

Scott

0 Likes
michael.lumsden Absent Member.
Absent Member.

Re: Event Annotation

Hey Scott!

Yes that is actually possible.  I have a "Last N Events" DM in the following screen shot, and I simply selected the Annotation Stage Name in the list of fields displayed - then I am able to see it in the table.

EventAnnotationStageNameOnDashboardDM.png

Is this what you are asking for?  If so, I believe we already have this capability today.  If you are struggling to get that to work, feel free to let me know and I will try to see if I can help you achieve your goal.  Otherwise, if it exceeds my knowledge and expertise, I can check with others internally.

Thanks and Regards,

Michael Lumsden

ESM Product Manager

0 Likes
tomas.prokes1 Trusted Contributor.
Trusted Contributor.

Re: Event Annotation

Hi,

When I try to use the "Event Context function" in any DataMonitor, I get ActiveChannel based (only) on "Non-ArcSight Internal Events". As there are thousands of events in such ActiveChannel, it is impossible to find the desired event. to anotate it. I suppose that this is not the way it works in your system. Can you give me an advice how to find the problem please?

Tomáš Prokeš

0 Likes
scott.johnson@m Trusted Contributor.
Trusted Contributor.

Re: Event Annotation

Michael-

I don't have a problem with getting the field into a Last N events data monitor.  The issue that we have is when an analyst modifies the event annotation field in an active channel, it doesn't update the event annotation field in the Last N events data monitor.  So to summarize, the event is already listed in the Last N data monitor and active channel.  When the analyst modifies the event annotation field in the active channel, the event annotation field doesn't change in the Last N events data monitor.

We are currently running ESM 6.8

Thanks again for your help.  I really do appreciate it!!!

Regards,

Scott

0 Likes
michael.lumsden Absent Member.
Absent Member.

Re: Event Annotation

Scott,

Thanks for clarifying the problem.  I have filed a new bug on your behalf.  The tracking identifier for it is NGS-22360.

I cannot promise when this item will be addressed, but I can promise it will undergo triage after the holiday break (so it will get analyzed).  From there, depending on other priorities, we may be able to include it in a planned release.

Thanks again,

Michael Lumsden

ESM Product Manager

0 Likes
scott.johnson@m Trusted Contributor.
Trusted Contributor.

Re: Event Annotation

Thanks Michael!!!  Hopefully I will hear from you soon.

Happy Holiday's!!!!

0 Likes
matthew.scott1
Visitor.

Re: Event Annotation

Hi Michael,

I am looking to do the same thing, how do I look at the progress of NGS-22360? 

Thanks,

Matt

0 Likes
michael.lumsden Absent Member.
Absent Member.

Re: Event Annotation

Hello Matthew,

The bug is scheduled to be triaged this week.  It has not yet been dispositioned/investigated by R&D.  I can also add your company to the bug as well as an interested party.  The more companies requesting this, the higher profile the bug will have relative to others.  To track progress of bugs and feature requests, you can either contact Support or your Sales representative and they can directly access our bug tracking system to provide you an update.

If you do want me to add you to the bug, please tell me your company name and I will do so.

Thanks and Regards,

Michael Lumsden

ESM Product Manager

0 Likes
michael.lumsden Absent Member.
Absent Member.

Re: Event Annotation

Hello Everyone,

The bug has undergone a triage.  The discussion identified this as a design issue with the way Data Monitors work.  In a nutshell, Data Monitors see events as they flow in for the first time, but have no mechanism to monitor for changes in the fields of events once they are seen.  Note that Stage is essentially the only "event field" that changes at all from the initially-received value.

As a workaround, you could create a Query Viewer to show you a similar dataset and add that to a Dashboard.  Then, the Query Viewer would pick up the changes to the Stage when it re-queries the database.

The triage team decided this issue should be clarified in the documentation only.

Regards,

Michael Lumsden

ESM Product Manager

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.