tkachouba Trusted Contributor.

Re: Event Annotation

Thinking out loud here:

What about a Trend Query looking for the condition: Event Annotation IS NOT NULL. When the trend runs, set the action to add to an Active List. It would add the event details to an active list with the Key Field being the Event ID. This could include the event name, annotated by user, event stage, etc. It wouldn't necessarily be real time, but the trend could be set to run every 15 minutes. Queries and Query Viewers could be designed to display the last X events annotated in a Dashboard.

If there were audit events on event annotations it would make it much simpler to be able to create a rule to track changes/updates that way in real time.

Thoughts?

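A small simulation of the trend-to-active-list idea described in the post above. This is an added example, not ArcSight code and not something from the thread: it models the trend condition (Event Annotation IS NOT NULL), the upsert into an active list keyed by Event ID, and the "last X annotated" view a query viewer would give, and it also makes the stated caveat concrete by measuring how long an annotation stays invisible when the trend runs every 15 minutes. The field names, the sample events and the timestamps are constructed for the example.

```python
"""Simulation of a scheduled trend feeding an active list keyed by Event ID.
Added example; the Event fields and sample data below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    event_id: str
    name: str
    annotation_stage: Optional[str]      # None models 'Event Annotation IS NULL'
    annotated_by: Optional[str]
    annotation_time: Optional[datetime]


T0 = datetime(2024, 1, 1, 9, 0)

# Constructed sample data: e1 is annotated twice (stage changes), e2 is never annotated.
SAMPLE_EVENTS: List[Event] = [
    Event("e1", "Brute force login", "Queued", "alice", T0 + timedelta(minutes=2)),
    Event("e2", "Malware beacon", None, None, None),
    Event("e3", "Port scan", "Initial", "bob", T0 + timedelta(minutes=16)),
    Event("e4", "Privilege escalation", "Closed", "alice", T0 + timedelta(minutes=31)),
    Event("e1", "Brute force login", "Closed", "alice", T0 + timedelta(minutes=40)),
]


def trend_query(events: List[Event], run_time: datetime) -> List[Event]:
    """The trend's condition: Event Annotation IS NOT NULL, as of this run."""
    hits = [e for e in events
            if e.annotation_stage is not None and e.annotation_time <= run_time]
    # Oldest first, so the newest annotation of an event wins the upsert below.
    return sorted(hits, key=lambda e: e.annotation_time)


def add_to_active_list(active_list: Dict[str, dict], hits: List[Event],
                       run_time: datetime) -> None:
    """The trend's action: upsert into an active list whose key field is the Event ID."""
    for e in hits:
        prev = active_list.get(e.event_id)
        active_list[e.event_id] = {
            "name": e.name,
            "annotation_stage": e.annotation_stage,     # latest stage overwrites
            "annotated_by": e.annotated_by,
            "annotation_time": e.annotation_time,
            "first_annotated": min(prev["first_annotated"], e.annotation_time) if prev else e.annotation_time,
            "first_seen_by_trend": prev["first_seen_by_trend"] if prev else run_time,
        }


def simulate_trend(events: List[Event], start: datetime, end: datetime,
                   interval_minutes: int = 15) -> Dict[str, dict]:
    """Run the trend on a fixed schedule from start to end and return the active list."""
    active_list: Dict[str, dict] = {}
    run_time = start
    while run_time <= end:
        add_to_active_list(active_list, trend_query(events, run_time), run_time)
        run_time += timedelta(minutes=interval_minutes)
    return active_list


def visibility_lag_minutes(active_list: Dict[str, dict]) -> Dict[str, int]:
    """Minutes each annotation stayed invisible before a trend run picked it up."""
    return {eid: int((row["first_seen_by_trend"] - row["first_annotated"]).total_seconds() // 60)
            for eid, row in active_list.items()}


def last_annotated(active_list: Dict[str, dict], n: int) -> List[str]:
    """What a query viewer over the active list would show: the last n annotated events."""
    rows = sorted(active_list.items(), key=lambda kv: kv[1]["annotation_time"], reverse=True)
    return [eid for eid, _ in rows[:n]]


if __name__ == "__main__":
    al = simulate_trend(SAMPLE_EVENTS, T0, T0 + timedelta(minutes=45))
    for eid, row in al.items():
        print(eid, row["annotation_stage"], row["annotated_by"], row["annotation_time"].time())
    print("lag (minutes):", visibility_lag_minutes(al))
    print("last 2 annotated:", last_annotated(al, 2))
```

With a 15-minute schedule the worst-case lag is just under one interval (e3 and e4 here wait 14 minutes), which is the trade-off the post points out against a real-time rule; because the key field is the Event ID, the second annotation of e1 replaces the first entry instead of creating a duplicate.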
tkachouba Trusted Contributor.

Re: Event Annotation

Or use the Query/Query Views/Dashboard option that ​ recommended if you don't want to use the trend option.

matthew.scott1
Visitor.

Re: Event Annotation

We were using query viewers originally, but we ran into an issue where a connector went down and when it came back up it dumped 1.6 billion events into the ESM. By dumping all that data, it basically crashed the query viewers, as they have a limit of 5 mins to query the data. If it takes longer than 5 mins, it crashes and gives an error. So our SOC ended up being blind, not being able to see alerts. Plus, if you have 10 people all with the dashboard up with multiple query viewers, they are all refreshing and querying at different times, and it can be taxing on the system. I will look into the solution to see if it is viable in our environment.

scott.johnson@m Trusted Contributor.

Re: Event Annotation

Thanks for replying Taras, I was looking for something more real time. We have an active channel that takes forever to load. When you have multiple analysts accessing it, the ESM tends to bog down. I was hoping to create a data monitor that would allow the analyst to see the event, then do further investigation. When they do their event annotation, I was hoping that the data monitor would pick it up so the analyst would know that it was already being worked. I think the way I need to approach it is with the stages function. Thanks again for replying.
