
Empty report when using date range is previous week

Hello

Using 7.4.1.0_2512.

I have a simple report based on the ISO 27002 11.5.1 Use Login
Activities report with the following query:

(xdasreg:0 AND xdasprov:0 AND xdasoutcome:[0 TO 2]) AND ((xdasclass:2
AND (xdasid:0 OR xdasid:4 OR xdasid:5)) AND rv32:OS) AND (evt:"sshd\:
User authenticated")

If I run the report by clicking "Search events" and I select the date
range 2016 Apr 17 00:00:00 to 2016 Apr 24 11:59:59 I get two events.

If I select "Run" on the report and select previous week that gives me
exactly those dates I get an empty report.

If I select "Run" and select "Month to date" I get a bunch of events and
even those two that happened the previous week that were missing from
the previous week report.

The query in the log when I use previous week is:

Fri Apr 29 14:16:08 CEST 2016|INFO|ReportProcessResponseReaderThread:
Report
1|com.novell.reports.jasper.data.AutoDetectingDataProvider.setFullReportQueryString
Full Report Query is: SELECT
dt AS event_parse_time,
evt AS event_name,
pn AS product_name,
sp AS initservicename,
dp AS targetservicename,
sun AS initusername, iuid AS inituserid, iufname AS
inituserfullname, rv35 AS inituserdomain, iudep AS inituserdepartment,
iwfid AS inituserworkforceid, iudep AS inituserdepartment, iemail AS
inituseremail,
dun AS targetusername, tuid AS targetuserid, tufname AS
targetuserfullname, rv45 AS targetuserdomain, tudep AS
targetuserdepartment, twfid AS targetuserworkforceid, temail AS
targetuseremail,ttn AS targetusertrustname, ttid AS targetusertrustid,
shn AS inithostname, rv42 AS inithostdomain, sip AS
init_ip, rv76 AS inithostdepartment,
dhn AS targethostname, rv41 AS targethostdomain, dip AS
target_ip, rv98 AS targethostdepartment, dmac AS targetMAC,
xdasoutcome AS xdasoutcome,xdasoutcomename AS
xdasoutcomename,xdasreg AS xdasreg,xdasprov AS xdasprov,xdasclass AS
xdasclass,xdasid AS xdasid,xdasdetail AS xdasdetail,
SetIfNull(dhn|zzzzzzzzzz) AS
group_by_sortable1,SetIfNull(dip|zzzzzzzzzz) AS
group_by_sortable2,SetIfNull(rv41|zzzzzzzzzz) AS
group_by_sortable3,SetIfNull(rv98|zzzzzzzzzz) AS group_by_sortable4
WHERE
(xdasreg:0 AND xdasprov:0 AND xdasoutcome:[0 TO 2]) AND
((xdasclass:2 AND (xdasid:0 OR xdasid:4 OR xdasid:5)) AND rv32:OS) AND
(evt:"sshd\: User authenticated") OVER 2016-04-17 00:00:00, 2016-04-24
23:59:59 MAXCOUNT=1000


When I use month to date:



Fri Apr 29 14:18:36 CEST 2016|INFO|ReportProcessResponseReaderThread:
Report
2|com.novell.reports.jasper.data.AutoDetectingDataProvider.setFullReportQueryString
Full Report Query is: SELECT
dt AS event_parse_time,
evt AS event_name,
pn AS product_name,
sp AS initservicename,
dp AS targetservicename,
sun AS initusername, iuid AS inituserid, iufname AS
inituserfullname, rv35 AS inituserdomain, iudep AS inituserdepartment,
iwfid AS inituserworkforceid, iudep AS inituserdepartment, iemail AS
inituseremail,
dun AS targetusername, tuid AS targetuserid, tufname AS
targetuserfullname, rv45 AS targetuserdomain, tudep AS
targetuserdepartment, twfid AS targetuserworkforceid, temail AS
targetuseremail,ttn AS targetusertrustname, ttid AS targetusertrustid,
shn AS inithostname, rv42 AS inithostdomain, sip AS
init_ip, rv76 AS inithostdepartment,
dhn AS targethostname, rv41 AS targethostdomain, dip AS
target_ip, rv98 AS targethostdepartment, dmac AS targetMAC,
xdasoutcome AS xdasoutcome,xdasoutcomename AS
xdasoutcomename,xdasreg AS xdasreg,xdasprov AS xdasprov,xdasclass AS
xdasclass,xdasid AS xdasid,xdasdetail AS xdasdetail,
SetIfNull(dhn|zzzzzzzzzz) AS
group_by_sortable1,SetIfNull(dip|zzzzzzzzzz) AS
group_by_sortable2,SetIfNull(rv41|zzzzzzzzzz) AS
group_by_sortable3,SetIfNull(rv98|zzzzzzzzzz) AS group_by_sortable4
WHERE
(xdasreg:0 AND xdasprov:0 AND xdasoutcome:[0 TO 2]) AND
((xdasclass:2 AND (xdasid:0 OR xdasid:4 OR xdasid:5)) AND rv32:OS) AND
(evt:"sshd\: User authenticated") OVER 2016-04-01 00:00:00, 2016-04-29
14:18:36 MAXCOUNT=1000


What am I doing wrong? Why won't my previous week report produce any
events? I would like to schedule the report to run every Monday with the
events from the previous week, that's why I'm asking.
Absent Member.


Similar issue tracked as part of bug 969156.


--
vrajasekhar

Absent Member.

Sorry, on my machine - with version 7.4.1.0_2512 - I can't reproduce this behaviour. No matter if I set the time range to "Previous Week" or "Custom Date Range" (2016 Apr 24 00:00:00 to 2016 May 1 23:59:59), the number of events is exactly the same ....

Regarding the bug (https://bugzilla.novell.com/show_bug.cgi?id=969156), I get the response "You are not authorized to access bug #969156" :eek:
Cadet 3rd Class


Hi,

This is a known issue already and NetIQ created a patch for this for us. I
think it will be corrected officially in the next release. The problem
occurs when the last day of the report time range is empty.

br.
-Kimmo


--
jeromaa

Absent Member.

Interesting patching way: why is this patch not officially released for all Sentinel users? Bug fixes should be open to all customers who have a valid Sentinel key.
Absent Member.


Please contact technical support; they should be able to provide a patch
for this. Also, this fix will be rolled into a subsequent service pack
release.


--
vrajasekhar

Absent Member.

Sorry to say:
In my opinion this is the wrong approach: if I have to check every forum thread to catch every problem and have to ask my support if there is a patch available, this is a waste of time.
I can check the patch download page (one page!) on a regular basis and see if there are patches waiting - this would be a way to provide it and a kind of service.
Absent Member.

Now I think I know why I won't be able to reproduce the empty report problem ... the detailed problem is:

Reports are Empty When the Last Day of the Time Range Does Not Contain Events Searched For By That Report

Look here: https://www.netiq.com/documentation/sentinel-74/s742_release_notes/data/s742_release_notes.html

Sentinel 7.4 Service Pack 2 is in the repos ... 🙂
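
Added example, not part of the thread and not NetIQ code: a Python check that extracts the OVER window from a logged "Full Report Query" entry like those in the first post and tests the condition named in the release notes (events exist in the range, but none on its last day). The function names and the event timestamps are constructed for illustration.

```python
import re
from datetime import datetime

# Time window and row cap at the end of a logged "Full Report Query" entry.
OVER_RE = re.compile(
    r"OVER (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), ?"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) MAXCOUNT=(\d+)"
)
FMT = "%Y-%m-%d %H:%M:%S"

def parse_window(log_entry):
    """Return (start, end, maxcount) from a logged report query, or None."""
    # Entries are hard-wrapped in the log, so collapse all whitespace first.
    m = OVER_RE.search(" ".join(log_entry.split()))
    if m is None:
        return None
    return (datetime.strptime(m[1], FMT), datetime.strptime(m[2], FMT), int(m[3]))

def last_day_is_empty(window, event_times):
    """True if events fall inside the window but none on its last calendar day."""
    start, end, _ = window
    in_range = [t for t in event_times if start <= t <= end]
    last_day = datetime.combine(end.date(), datetime.min.time())
    return bool(in_range) and not any(t >= last_day for t in in_range)

# Tail of the "previous week" query from the first post, wrapped as in the log.
SAMPLE_ENTRY = r"""(evt:"sshd\: User authenticated") OVER 2016-04-17 00:00:00, 2016-04-24
23:59:59 MAXCOUNT=1000"""

# Constructed event times: two logins during the week, none on 2016-04-24.
SAMPLE_EVENTS = [datetime(2016, 4, 19, 8, 12, 3), datetime(2016, 4, 21, 17, 40, 55)]

if __name__ == "__main__":
    window = parse_window(SAMPLE_ENTRY)
    print("window:", window)
    print("last day empty:", last_day_is_empty(window, SAMPLE_EVENTS))
```

A scheduled report whose window meets this condition on an unpatched server is a candidate for re-running with a custom range before an empty result is taken to mean no matching events.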