Saturday, August 28, 2010

Wrapping your arms around Trends: Part 3 (with a side dish of custom parameters)

What a week. Found a couple of issues with our 5.0 install with varying degrees of criticality. One is being fast tracked, so we'll see what we see. While I'm confident they will be addressed, I'm also the type of guy who would just as soon they were fixed yesterday. However, I also waited tables in what seems like a past life, so I try to be very conscious about blaming the waiter for a burned steak. There is also a bit of thoughtful reflection as I sit here in Chick-fil-A listening to the music and chilling while the family assault vehicle gets an oil change across the street. It isn't the music that is causing the reflection (though it certainly can and hopefully will have that effect) so much as my wondering at the possible connection, if any, between this post and these (1 & 2) that talk about ArcSight tentatively looking for a buyer. Only time will tell what the long-term effect of an acquisition will be.

At any rate, as a short continuation of this "series", here is a quick report that takes the concept from the first article and applies it to the Trend created in the second. Since you are pulling from that new Trend, you can see all the data in one report: when the run started and ended, how long it took, the insert count, and ultimately whether it was successful or not. Unless you enjoy mentally converting milliseconds into minutes, I would recommend creating two variables that convert the time to minutes. The first divides the milliseconds by 60,000. The second uses the round variable to convert the first variable to the closest whole minute. Is it exact? No, but unless you have a Trend that is bumping up against the hard-coded time limit for Trend query runs, does it really matter?

Sunday, August 15, 2010

Wrapping your arms around ArcSight Trends - Part 2

I ended part 1 of this Trend mini-series by giving a quick and dirty way to see when your Trends start. While that report does have value, it doesn't show things like how long the Trend ran, how many insertions there were, or whether or not it was ultimately successful. A report that had all that data would be ideal. The problem is that ArcSight doesn't record when the Trend actually started in the event generated when the run ends. DeviceCustomDate1 does show the start of that run's interval, though, if that is of value to you.

There is a common event key found in all three events (one start event, and one of two end events depending on success or failure), and it lives in deviceCustomString5. This appears to be a combination of the epoch time plus, perhaps, the number of actions performed by the ESM that day. So now you just need a rule to add the endTime plus dCS5 to an active list, and then reference that list in a rule that looks for a Trend run completion event. Only... you can't pull the creation date field from an Active List in an AL lookup variable, and you can't aggregate on the endTime field in order to add it to a field in an Active List (true through 4.5; I don't know about 5.0 yet).
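To make the idea from these two posts concrete (joining the start and end events on the shared deviceCustomString5 key, then turning the run length into whole minutes by dividing by 60,000 and rounding), here is an added Python example that is not from the original posts and does not use ArcSight's own rule or variable machinery. The events are constructed samples; the phase labels and the insertCount field are stand-in names I made up, while deviceCustomString5 and endTime are the fields the posts name.

```python
# Added example: correlate Trend run start/end events on deviceCustomString5
# and build the per-run summary the posts describe (start, end, duration in
# minutes, insert count, success).  'phase' and 'insertCount' are constructed
# stand-ins for whatever fields distinguish the three real events.
from typing import Dict, List

MS_PER_MINUTE = 60_000


def ms_to_minutes(ms: int) -> int:
    """Divide by 60,000, then round to the closest whole minute (post's two variables)."""
    return round(ms / MS_PER_MINUTE)


def correlate_runs(events: List[Dict]) -> Dict[str, Dict]:
    """Join start and end events by the shared deviceCustomString5 key.

    Returns one record per run key.  A run with no end event yet keeps
    'ended' = None so a stuck or still-running Trend is visible, not lost.
    """
    runs: Dict[str, Dict] = {}
    for ev in sorted(events, key=lambda e: e["endTime"]):
        key = ev["deviceCustomString5"]
        run = runs.setdefault(key, {"started": None, "ended": None, "duration_min": None,
                                    "insert_count": None, "success": None})
        if ev["phase"] == "start":
            run["started"] = ev["endTime"]          # endTime of the start event is the run start
        else:                                         # 'end_success' or 'end_failure' (constructed)
            run["ended"] = ev["endTime"]
            run["success"] = ev["phase"] == "end_success"
            run["insert_count"] = ev.get("insertCount", 0)
            if run["started"] is not None:
                run["duration_min"] = ms_to_minutes(run["ended"] - run["started"])
    return runs


# Constructed sample events (epoch milliseconds); the key format only mimics
# the "epoch time plus a counter" shape the post guesses at.
SAMPLE_EVENTS = [
    {"deviceCustomString5": "1282950000000-17", "phase": "start", "endTime": 1282950000000},
    {"deviceCustomString5": "1282950000000-17", "phase": "end_success", "endTime": 1282950250000, "insertCount": 1480},
    {"deviceCustomString5": "1282953600000-42", "phase": "start", "endTime": 1282953600000},
    {"deviceCustomString5": "1282953600000-42", "phase": "end_failure", "endTime": 1282953645000, "insertCount": 0},
    {"deviceCustomString5": "1282957200000-58", "phase": "start", "endTime": 1282957200000},
]

if __name__ == "__main__":
    for key, run in correlate_runs(SAMPLE_EVENTS).items():
        print(key, run)
```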

Thursday, August 12, 2010

Wrapping your arms around ArcSight Trends - Part 1

Anyone else's drive into work getting a little darker? I feel like the summer has FLOWN by. Before too long it will almost be back to a military 0'dark 30 to 0'dark 30, at least relative to the sun; I'm not working additional hours :)

There are a number of things rattling around in my head I'd like to write about, and even some things I indicated I would write about in previous posts. Work, family, summer, and the cumulative lost-sleep effects of fighting through some weird sinus issue for the last 6 months have conspired against this goal. 60 back pokes and 22 shots in the arm have at least indicated it isn't allergies. Good times.

For S&Gs, I think this will be the start of a short series of posts/articles/whatever on Trends. My next post may or may not be the continuation, lol. If it isn't, I WILL come back to it.