Trend - "Query Parameters" not being honored


*using ESM

We are trying to build a trend which daily records only the events that took place between 8 & 10 AM.

So we used the following settings:

Attributes;Trend Interval : 1 day

Schedule;Daily @ 12:20

Parameters;Query Parameters; Start Time : $Today + 8h

Parameters;Query Parameters; End Time : $Today + 10h

We backfilled the trend table with 8 days. (Occurs Daily every 1 days(s) at 12:20:00. Schedule will start on 1-8-11 0:00:00.)

The Trend;Test shows data for $Now - 1h (which might be as designed..)

Now, the Trend Table fills with events for the whole 24 hours, with the timestamp set at 00:00.

Changing to "Attributes;Trend Interval: 1 hour" will change the timestamp to every hour, but will still collect data for the whole day. (not just between 8 & 10 AM)

I do know the parameters from the query are ignored by the Trend. So we did set the "Query Parameters" in the trend properties.

Still this does not seem to do the trick.

As a workaround we could change the filter (to & End Time > $Today + 8h & End Time > $Today + 10h). However, that kind of defeats the purpose of the 'Trend;Query Parameters' and would still query the whole day, but filter out 22 hours of it.

Anyone got any pointers on this?

Thanks in advance,


Re: Trend - "Query Parameters" not being honored

I think query parameters "Start Time" and "End Time" are being ignored (and overridden by the trend interval every time a trend is run) but the other parameters are honored.

I'd be glad if someone confirms...

Re: Trend - "Query Parameters" not being honored

I can confirm that query parameters in the query are overridden. After performing many tests on daily trends, I realized not only that this type of trend ignores the Query parameters set in the Query Parameters tab, but also that it creates confusion around the dates of start/end of Daylight Saving Time. For example, ArcSight is an American product and even if you choose the StartTime of the trend to be 00:00:00 GMT, it modifies the TimeStamp in the trend to 23:00:00 of the previous day between 09/03/2014 and 10/03/2014. All this confusion and headaches can be simply avoided with hourly trends scheduled to run outside working hours. On hourly trends, time is easily controlled and TimeStamp can be used with confidence in further queries.

