
ESM Best Practices: Trends

03/31/2017 - Minor update to change URLs to HPE.

05/24/2016 - Initial upload. You have defined trends. Find out how to make your trends more efficient.

Comments

Brilliant!

Very well-written. Helped our team a lot!

It might be worth noting here that if you use the "Verify Rule(s) with Events" function within the ArcSight console it's possible that you'll skew your trend data. I had issues where my trend found data that my team never saw hit their work queue. Digging deeper into this, Active Channels have a session id back end filter that isn't visible and the reporting engine does not. When you verify rules, it's writing real rule fires into the database with a session id > 0 that a query is able to find. You can match the filter by adding "NOT session id > 0" as a condition in the query to avoid pulling any of these events into event trends.

Worth noting this as a tip / trick if anyone is tracking all production alert data and also testing production alerts before deploying to real-time.

Hi,

Nice catch. I had the same issue with queries, so reports can also be affected by this. Also, a search in Command Center can find results from rule testing.

To prevent this you can use the following filter as part of your query or Command Center search:

  • Session ID = 0  -  this will match correlated events created by real-time rules

OR

  • Session ID is null  -  this will match base events

Cheers!

Lukas
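As an added illustration (not from the original article or either commenter), the script below runs both filter forms from the comments over constructed sample events in an in-memory SQLite table. It assumes the ESM reporting backend applies standard SQL null semantics and that the hidden field is a nullable integer column named `session_id`; the table layout, column names and sample values are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample events (not from the page). Per the comments above:
# real-time rule fires carry session id 0, fires produced by
# "Verify Rule(s) with Events" carry a positive session id, and base events
# carry no session id at all (NULL).
SAMPLE_EVENTS = [
    ("base-1", "Failed login", None),
    ("corr-1", "Brute force detected", 0),
    ("test-1", "Brute force detected", 17),   # rule-test fire, should be excluded
    ("base-2", "Failed login", None),
    ("corr-2", "Privilege escalation", 0),
]

# The two WHERE clauses discussed in the comments. Fixed constants only;
# nothing here is built from untrusted input.
FILTERS = {
    "not_gt_zero": "NOT session_id > 0",
    "zero_or_null": "session_id = 0 OR session_id IS NULL",
}


def _load_events():
    """Create a throwaway SQLite table holding the constructed events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (event_id TEXT, name TEXT, session_id INTEGER)"
    )
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


def matching_event_ids(filter_name):
    """Return the event ids a query using the named WHERE clause would pull."""
    conn = _load_events()
    sql = f"SELECT event_id FROM events WHERE {FILTERS[filter_name]} ORDER BY event_id"
    rows = conn.execute(sql).fetchall()
    conn.close()
    return [row[0] for row in rows]


def dropped_by_null_semantics():
    """Events the explicit '= 0 OR IS NULL' form keeps but 'NOT ... > 0' loses.

    Under three-valued logic, NULL > 0 evaluates to NULL, NOT NULL is still
    NULL, and a NULL WHERE condition is treated as false, so base events
    silently disappear from the first form.
    """
    explicit = set(matching_event_ids("zero_or_null"))
    negated = set(matching_event_ids("not_gt_zero"))
    return sorted(explicit - negated)
```

Both forms exclude the rule-test fire, but only the explicit `session_id = 0 OR session_id IS NULL` form also retains the base events, which matters if the same query is meant to cover base events and correlated events together.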

Version history: revision 8 of 8, last updated 2018-04-13 17:41.