Absent Member.

Building a trend to detect devices sending "0" events for the past week

Hi,

Has anyone tried to build anything (trend/active list/rule) to detect or be notified of devices (which SmartConnectors are supposed to be collecting events from) which have not been sending events for the entire past week?

I have a basic filter built like this:

Device Vendor != ArcSight

I selected Hostname, grouped these, and then counted the number of event IDs to determine the number of events coming in from each device.

This worked rather nicely; however, it gives me only a list of devices which sent in at least 1 event in the given time period, and does not give me any visibility into what is not being collected.

How can I tweak this so that it gives me a full list of device hostnames (which I will be able to pre-define, in an active list, perhaps?), including those which are sending "0" events in the given time period (i.e. 1 week)?
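
The gap described in the post above (a count grouped by hostname only lists devices that sent at least one event) closes once the counts are joined against a pre-defined inventory. This is an added example, not part of the original post and not ArcSight content: Python over constructed event records, where the field names, hostnames, and the `event_counts` and `silent_hosts` helpers are all hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data. Field names mirror the post's filter
# (Device Vendor, Hostname) but are assumptions, not ArcSight's schema.
EXPECTED_HOSTS = ["fw-edge-01", "dc-01", "proxy-02", "ids-03"]  # stand-in for the active list
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

def _ev(vendor, host, days_ago):
    return {"device_vendor": vendor, "hostname": host,
            "end_time": NOW - timedelta(days=days_ago)}

SAMPLE_EVENTS = [
    _ev("Cisco", "FW-EDGE-01", 1), _ev("Cisco", "fw-edge-01", 3),
    _ev("Microsoft", "dc-01", 6),
    _ev("Blue Coat", "proxy-02", 9),   # last event is older than the window
    _ev("ArcSight", "ids-03", 1),      # connector's own event, excluded by the filter
    _ev("Snort", "lab-sensor", 2),     # reporting, but not in the expected list
]

def event_counts(events, expected, now, window=timedelta(days=7)):
    """Count events per expected host in the window, keeping hosts with 0."""
    expected_norm = {h.strip().lower() for h in expected}
    seen = Counter()
    for ev in events:
        if ev["device_vendor"] == "ArcSight":          # Device Vendor != ArcSight
            continue
        if not (now - window <= ev["end_time"] <= now):
            continue
        seen[ev["hostname"].strip().lower()] += 1      # case-insensitive hostname match
    # Drive the result from the inventory, not from the events, so that
    # hosts with no events still get a row with a count of 0.
    counts = {h: seen.get(h, 0) for h in sorted(expected_norm)}
    unexpected = sorted(set(seen) - expected_norm)     # sending, but not inventoried
    return counts, unexpected

def silent_hosts(counts):
    """Hosts from the inventory that sent nothing in the window."""
    return [h for h, n in counts.items() if n == 0]

if __name__ == "__main__":
    counts, unexpected = event_counts(SAMPLE_EVENTS, EXPECTED_HOSTS, NOW)
    for host, n in counts.items():
        print(f"{host:12} {n}")
    print("silent:", silent_hosts(counts))
    print("not in inventory:", unexpected)
```
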

Absent Member.

In the slide decks from the 2011 users conference there were at least 2 frameworks for "event flow monitoring" presented. I don't have the URLs but I bet you can search the forum and find them.

Absent Member.

Thanks farridem, that's a good enough pointer. I'll scrub out the slides from protect11 and update here when I find any useful stuff.
