josh_tonak Super Contributor.
877 views

Report event count is actually sum of aggregated count

I don't remember this being an issue on old 5.x versions I've used, but I'm on Express 4.0 running CORRE now. If I do a Count(Name) COUNT in a query/report, the output is actually the sum of the aggregated event counts from each event. I've verified by running a channel with the same filter and time parameters and manually adding up the aggregated event counts. The numbers match. If I remember right, the only way to get that was to add a SELECT item in the report to SUM(Aggregated event count). The straight count should just give me the number of events. I have to calculate storage used, but the aggregated sum is going to be way off from what's actually stored in the DB. I found this thread; it was similar but not exactly the issue here. I've attached images of the channel and query parameters. The numbers should match. Is there a setting in server properties or something that could fix this?

0 Likes
2 Replies
josh_tonak Super Contributor.

Re: Report event count is actually sum of aggregated count

So if I select Distinct Rows in the query, it gives me the correct count of events that match what a channel gives me. I thought that was just so there weren't duplicate rows in the results, but it sounds like it's ignoring duplicate (aggregate) entries in the DB.

So this poses another question: if the event is aggregated by the connector, is it actually storing those duplicate events in the database or just counting them up? If my aggregated event count is 30 on an event, are there 30 entries in the DB taking up space, or is there one?

0 Likes
rhope Acclaimed Contributor.

Re: Report event count is actually sum of aggregated count

It just stores the count. The behaviour you describe above doesn't make sense from a traditional relational database perspective, but makes sense if you think about it as the occurrence of events. 13 drops on a firewall is actually 13 separate events; we just tell the connector to only send us one notification of those events happening (with the desired matching fields etc.). When you say to ArcSight "give me a count of the events that match these parameters", it totals the aggregated event count (there were actually 13 drops on the firewall).

0 Likes
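The distinction rhope draws (one stored row per aggregated batch, with the batch's event count carried in a column, versus the total number of occurrences) is easy to see in plain SQL. The example below is an added illustration, not code from the thread or from ArcSight; it models the behaviour with a constructed in-memory SQLite table whose schema and column names (`events`, `name`, `device_address`, `aggregated_event_count`) are assumptions, not ArcSight's real table layout. It answers both questions raised above: counting rows is what a storage estimate should use, while summing the aggregated count reproduces the "occurrences" figure the report's COUNT returned.

```python
import sqlite3

# Constructed sample rows: what a connector hands over after aggregation.
# Each row is one aggregated batch; the last column is how many raw events
# that batch stands for. (Hypothetical schema, not ArcSight's own.)
SAMPLE_EVENTS = [
    ("Firewall Drop", "10.0.0.1", 13),
    ("Firewall Drop", "10.0.0.2", 30),
    ("Firewall Drop", "10.0.0.1", 1),
    ("Login Failure", "10.0.0.5", 4),
]

# Assumed average on-disk size of one stored row, used only for the estimate.
ASSUMED_BYTES_PER_ROW = 2048


def load_events(rows=SAMPLE_EVENTS):
    """Build an in-memory table with one row per aggregated batch."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events ("
        "name TEXT, device_address TEXT, aggregated_event_count INTEGER)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def stored_rows(conn, name):
    """Rows physically stored for an event name: the number that drives storage."""
    row = conn.execute(
        "SELECT COUNT(*) FROM events WHERE name = ?", (name,)
    ).fetchone()
    return row[0]


def occurrences(conn, name):
    """Total raw occurrences the connector saw, i.e. the sum of the batch counts."""
    row = conn.execute(
        "SELECT COALESCE(SUM(aggregated_event_count), 0) FROM events WHERE name = ?",
        (name,),
    ).fetchone()
    return row[0]


def storage_estimate_bytes(conn, name, bytes_per_row=ASSUMED_BYTES_PER_ROW):
    """Storage estimate must be based on stored rows, not on occurrences."""
    return stored_rows(conn, name) * bytes_per_row


def report_summary(conn):
    """Per-name summary showing both figures side by side, as a report would."""
    summary = {}
    for (name,) in conn.execute("SELECT DISTINCT name FROM events ORDER BY name"):
        summary[name] = {
            "stored_rows": stored_rows(conn, name),
            "occurrences": occurrences(conn, name),
            "storage_bytes": storage_estimate_bytes(conn, name),
        }
    return summary


if __name__ == "__main__":
    db = load_events()
    for event_name, figures in report_summary(db).items():
        print(event_name, figures)
```

For "Firewall Drop" the table holds 3 rows but represents 44 occurrences; a storage calculation that used 44 would overstate usage by more than an order of magnitude, which is the mismatch described in the opening post.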