
Logger Reporting - Looking for a report to check the Archive Success/Failed status

Hi,

I am looking for a report in Logger that tells whether the daily archive has completed, with the status (Success/Failure).

I am aware there are Archive audit events, mentioned below, and I can get the result in search.

deviceEventClassID: Logger:525 (archived) and Logger:528 (failed).

I have built a query for the report.

Below is the query I am trying:

SELECT
    events.arc_name "Name",
    events.arc_startTime "StartTime",
    events.arc_message "Message",
    events.arc_endTime "EndTime",
    events.arc_filename "FileName"
FROM
    events
WHERE
    events.deviceEventCategory = '/Resource/Archive/Archive'
GROUP BY
    events.arc_endTime, events.arc_name
ORDER BY
    events.arc_endTime

I ran this query with Connection on (parent) Database, but I don't see any results in the table; the table is empty.

Then I tried adding to the WHERE clause of the above query to check whether I could get data for the last 2 days, but could not get any results:

SELECT
    events.arc_name "Name",
    events.arc_startTime "StartTime",
    events.arc_message "Message",
    events.arc_endTime "EndTime",
    events.arc_filename "FileName"
FROM
    events
WHERE
    events.deviceEventCategory = '/Resource/Archive/Archive' AND events.arc_endTime BETWEEN 'systemdate()-2 AND 'systemdate()'
GROUP BY
    events.arc_endTime, events.arc_name
ORDER BY
    events.arc_endTime

My queries:

1. Is my above query correct, or am I missing something?

2. Do I need to run it on the events table, or is there some other table which stores ArcSight internal events? If yes, what is the table name?

Please help me if anyone has done this kind of report!!!

Thanks in advance!!!

Hi Akshay,

1) Create new Query with following:


SELECT
    events.arc_name "Name",
    events.arc_startTime "StartTime",
    events.arc_message "Message",
    events.arc_endTime "EndTime",
    events.arc_filename "FileName"
FROM
    events
WHERE
    events.arc_deviceEventCategory = '/Resource/Archive/Archive'
GROUP BY
    events.arc_endTime, events.arc_name
ORDER BY
    events.arc_endTime

You forgot to type "arc_" in WHERE before deviceEventCategory.

2) (Optionally) Click Data Source and in Properties tab, select StartTime and change Date Format to include hours, minutes etc. Do the same for EndTime.

3) Save the query.

4) Create new report and on Data Source tab - add created query as Query Object.

5) Don't forget to include all fields in Select Display Fields tab!!!

6) Save the report.

7) Run the report with appropriate time range and you can select only Internal Event Storage Group to gain performance.

This way it works for me on Logger 6.1.

Hope it helps...

Michal

Hi Michal,

Thanks for the response with the details. Actually, it was a typo when posting in this forum; I had not included arc_ in the WHERE, but I had it in my WHERE clause.

Finally I got results with the report, and the query used is as below:

SELECT
    events.arc_name "Name",
    events.arc_startTime "StartTime",
    events.arc_message "Message",
    events.arc_endTime "EndTime",
    events.arc_filename "FileName"
FROM
    events
WHERE
    events.arc_deviceEventClassId = 'logger:525'
ORDER BY
    events.arc_endTime

Next steps:

Click Data Source and in Properties tab, select StartTime and change Date Format to include hours, minutes etc. Do the same for EndTime.

Save the query.

Create new report and on Data Source tab - add created query as Query Object.

Included all fields in Select Display Fields tab!!!

Saved the report.

Ran the report with appropriate time range and selected only Internal Event Storage Group.

Problem with my earlier query was:

When I ran a search in Logger with deviceEventCategory = '/Resource/Archive/Archive' there were no results. I cross-checked with the value field '/Resource/Archive/Archive' but this was not a valid parameter. I tried with deviceEventClassId='/Logger/Resource/Archive/Configuration/Archive' as per the Logger Guide (cat ='/Logger/Resource/Archive/Configuration/Archive') but this parameter was also not present. Lastly I tried with deviceEventClassId= "logger:525" and got the result.

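The original request was a Success/Failure status per archive, while the working query above returns only Logger:525 rows. The following is an added example, not code from any poster in this thread, that extends the same query to both event class IDs named in the question. It assumes the Logger report query engine accepts standard SQL CASE, LOWER and IN, and that the arc_ column names are as used in the thread.

```sql
-- Added example: one row per archive audit event, labelled by outcome.
-- Class IDs come from the question: Logger:525 (archived), Logger:528 (failed).
-- LOWER() is used because the thread writes the ID both as 'Logger:525'
-- and 'logger:525'; support for it in the report engine is an assumption.
SELECT
    events.arc_name "Name",
    CASE LOWER(events.arc_deviceEventClassId)
        WHEN 'logger:525' THEN 'Success'
        WHEN 'logger:528' THEN 'Failure'
    END "Status",
    events.arc_startTime "StartTime",
    events.arc_endTime "EndTime",
    events.arc_message "Message",
    events.arc_filename "FileName"
FROM
    events
WHERE
    LOWER(events.arc_deviceEventClassId) IN ('logger:525', 'logger:528')
ORDER BY
    events.arc_endTime
```

As in the steps above, the time range is chosen when the report is run. A day with no row at all means neither event was logged for that day, which is worth checking separately from a 'Failure' row.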