Saturday, August 28, 2010

Wrapping your arms around Trends: Part 3 (with a side dish of custom parameters)

What a week. Found a couple of issues with our 5.0 install with varying degrees of criticality. One is being fast tracked, so we will see what we see. While I'm confident they will be addressed, I'm also the type of guy who would just as soon they were fixed yesterday. However, I also waited tables in what seems like a past life. I try to be very conscious about blaming the waiter for a burned steak. There is also a bit of thoughtful reflection as I sit here in Chick-fil-A listening to the music and chill'n while the family assault vehicle is getting an oil change across the street. It isn't the music that is causing the reflection (though it certainly can and hopefully will have that effect) as much as I wonder at the possible connection, if any, between this post and these (1 & 2) that talk about ArcSight tentatively looking for a buyer. Only time will tell what the long-term effect of an acquisition will be.

At any rate, as a short continuation of this "series", here is a quick report that takes the concept of the first article and applies it to the Trend created in the second. Since you are pulling from this new Trend you can see all the data in one report: when it started, when it ended, how long it took, the insert count, and ultimately whether it was successful or not. Unless you enjoy mentally converting milliseconds into minutes, I would recommend creating 2 variables that will convert the time to minutes. The first divides the milliseconds by 60,000. The next uses the round variable to convert the first variable to the closest whole minute. Is it exact? No, but unless you have a Trend that is bumping up against the hard-coded time limitations for Trend query runs, does it really matter?

The next thing you can do is something that I don't think is documented very well, and I only discovered it through a couple of different threads on the ArcSight Protect 724 boards. What I'm talking about is conditional variables, and through them you can set a few things at run time for your report. I'm not an expert in this area so I don't know all the different tricks you might be able to pull off. Maybe someone will post a few things they have done. The first step is to figure out which field(s) you want to be able to configure on the fly. For starters let's just choose the Trend name field. Select the field you want in the conditions tab and, instead of an actual Trend name, put in an "@" followed by a placeholder variable name. To make this more... manager... proof, I recommend using the LIKE operator and ignoring case.







Once the query is set, move over to the report parameter tab. Note that reports can be squirrely when you create them and add things like parameters. I have gotten into the habit of creating the report, closing it, and then opening it back up. Similarly if I am adjusting a report's base query I tend to close the report, especially if it has a chart. Anyway, so you are at the parameter tab. At the bottom uncheck the check box for using the default value for this variable.







Just above that portion of the tab you will see an "add" button. Click that and associate a name that will be seen at runtime with this particular field.










Once done you will see the custom parameter name under the usual custom parameters of start and end time. This is where using the LIKE operator comes in handy. You can populate the default value of this parameter; in this case use a percent sign. Because the percent sign is a wildcard, the report will now, by default, return all results. It can also act as a reminder to your users of what can be done in this field.
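A sketch of what the "@" placeholder, the LIKE operator and the percent-sign default do at run time, together with the two-step milliseconds-to-minutes conversion from earlier. This is an added example, not code from the original post or from ArcSight: it uses Python's sqlite3 as a stand-in for the report query, and the table, column names and sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the Trend built in part 2:
# (trend name, run duration in ms, rows inserted, outcome)
SAMPLE_RUNS = [
    ("Firewall Denies by Hour", 95_000, 1200, "Success"),
    ("Failed Logins Daily", 1_850_000, 48, "Success"),
    ("firewall accepts by hour", 3_540_000, 0, "Failed"),
]


def build_db():
    """Create an in-memory table holding the constructed Trend runs."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE trend_runs (trend_name TEXT, duration_ms INTEGER, "
        "insert_count INTEGER, outcome TEXT)"
    )
    db.executemany("INSERT INTO trend_runs VALUES (?, ?, ?, ?)", SAMPLE_RUNS)
    return db


def run_report(db, trend_name="%"):
    """Return (name, whole minutes, inserts, outcome) for matching Trends.

    trend_name plays the role of the @Trend_Name placeholder (hypothetical
    name); "%" mirrors the default value set on the report parameter.
    """
    return db.execute(
        # Variable 1: ms / 60000. Variable 2: round to the nearest minute.
        # The run-time value is bound as a parameter, never pasted into SQL.
        "SELECT trend_name, "
        "       CAST(round(duration_ms / 60000.0) AS INTEGER), "
        "       insert_count, outcome "
        "FROM trend_runs "
        "WHERE lower(trend_name) LIKE lower(?) "  # LIKE, ignoring case
        "ORDER BY trend_name COLLATE NOCASE",
        (trend_name,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    for value in ("%", "firewall%", "firewall", "%LOGINS%"):
        print(repr(value), "->", run_report(db, value))
```

In this stand-in, a value typed without a percent sign matches only a Trend whose whole name equals it, so partial matches need the wildcard on one or both sides.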







The last thing to talk about is that, since this is now a custom parameter, you can use a Velocity macro to reference the value you have entered and have it show up on your report. Move over to the report template tab (on the report itself, not the left pane resource tab). Under text attributes select some field like table title. The format is "$Custom.". In this case I would put in "$Custom.Trend_Name". If you haven't already played around with this, you can do things like $Custom.StartTime or .EndTime to give a date range. Remember this is case sensitive. Look at the default templates as well, as there is a brief if/else Velocity macro that might inspire you.

As mentioned, I would be interested in cool things people have done either with Trend monitoring or conditional parameters.
