
Hourly count of event sources in dashboard

Hi, 

I have events restricted by a specific filter that I use for the dashboard. I would like to add another feature showing a count of unique event sources (hostnames) per hour. So far I could not identify a straightforward data monitor that would help me out. Is it possible to do this somehow for the dashboard at all?

Accepted Solutions
Commodore

So I have improved the previous reply a bit. 

1. Create a query to count unique source addresses for a specific connector.

2. Create a trend that runs this query on an hourly basis.

3. Create a query that pulls the data from the above-mentioned trend for the required number of hours.

4. Create a query viewer that presents this data and add it to the dashboard. 

 

Fleet Admiral

The easiest would be to enable Device Monitoring on the Connectors, as this populates statistics per log source in content created under ArcSight Administration, Devices.

This includes things like activelists etc, which you can query on to create your statistics.

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort, and cannot be taken as official support replies.
//Marius
Commodore

Hi, 

Thank you for the reply. My question is more related to the data monitor type, rather than actual stats. 

From what I have seen, there is no way to present a live dashboard based on an Active List or some sort of report, and even by enabling the Device Status Monitoring, I cannot find a way to present this info properly. All I need is a simple graphic showing the count of log sources per hour.

Knowledge Partner

You'll have to create a trend to use for the dashboard or use a query viewer which refreshes every now and then.

First isolate the data that you at least need for X and Y in the graph.

In this case it would be timestamp[hour] and deviceHostNames/deviceAddresses (choose one) [Count].

  1. Create the conditions for your query and isolate the dataset (I advise using type=base, deviceVendor!=ArcSight, etc.).
  2. Select the dataset you are going to query: Live, Trend or Active List data?
  3. Create a query to select endTime [Hour] and deviceHostName [Count] and test the output in a query viewer.
  4. Validate the data in a query viewer table; if okay, proceed with amending the query.
  5. Select endTime to sort on hours in the query and select the number of rows that you would like to display.
  6. Now create a dashboard by right-clicking on the query viewer, select graph and select the fields for X and Y.
  7. Now add it to your dashboard
  7. Now add it to your dashboard

 

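As an added example (not part of the original thread and not ArcSight content), this Python sketch computes the table the query in the steps above should produce, so the query viewer output can be checked against it: distinct deviceHostName values per endTime hour, after the type=base and deviceVendor!=ArcSight conditions. The sample events, the `hourly_source_counts` name, the case-folding of hostnames and the zero-filling of silent hours are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (endTime, type, deviceVendor, deviceHostName).
EVENTS = [
    ("2024-05-01 09:05:11", "Base", "Cisco", "fw01"),
    ("2024-05-01 09:40:02", "Base", "Cisco", "FW01"),      # same host, different case
    ("2024-05-01 09:59:59", "Base", "Apache", "web01"),
    ("2024-05-01 10:10:00", "Base", "Cisco", "fw01"),
    ("2024-05-01 10:15:30", "Base", "ArcSight", "esm01"),  # internal event, filtered out
    ("2024-05-01 10:20:00", "Correlation", "ArcSight", "esm01"),  # not a base event
    ("2024-05-01 12:30:00", "Base", "Cisco", "fw01"),
    ("2024-05-01 12:31:00", "Base", "Apache", "web01"),
    ("2024-05-01 12:32:00", "Base", "Oracle", "db01"),
]


def hourly_source_counts(events, hours, now):
    """Return [(hour_start, distinct_host_count)] for the last `hours` hours, oldest first."""
    buckets = defaultdict(set)
    for end_time, ev_type, vendor, host in events:
        # Conditions suggested in the thread: base events only, no ArcSight-internal events.
        if ev_type != "Base" or vendor == "ArcSight":
            continue
        ts = datetime.strptime(end_time, "%Y-%m-%d %H:%M:%S")
        hour = ts.replace(minute=0, second=0, microsecond=0)
        # A set per hour gives a count of sources, not a count of events.
        buckets[hour].add(host.lower())
    end = now.replace(minute=0, second=0, microsecond=0)
    window = [end - timedelta(hours=i) for i in range(hours - 1, -1, -1)]
    # Hours without any events are reported as 0 so a silent period is visible.
    return [(h, len(buckets.get(h, ()))) for h in window]


if __name__ == "__main__":
    for hour, count in hourly_source_counts(EVENTS, 4, datetime(2024, 5, 1, 12, 45)):
        print(hour.strftime("%Y-%m-%d %H:00"), count)
```

An hour that reports fewer sources than the one before it is the case this dashboard panel is meant to surface.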