End-Time based reports missing samples issue workaround

Document created by FredD on Sep 2, 2009Last modified by FredD on Sep 4, 2009
Version 2Show Document
  • View in full screen mode

Hello,

 

I often faced an issue while authoring reports that take a function of the End-Time for the X axis and a Sum(aggregatedEventCount) for the Y Axis.


The issue is that whenever NO results were returned for a End_time function sampling period,this End Time sample will not appear in the report. This is a pure conceptual issue, as neither ArcSight/SQL has to  know that I would like to have a 0 if no events occured during a sampling period...

 

I found a solution to mitigate this issue by using some tips retrieved here and that consist in using a sort of "probe" to be sure that all the sampling periods will be present in the report.

 

An example of the ouctome is shown on the picture: In the graph without probe, the hours from 22h to 05h are missing in the graph which gives an unaccurate pespective of the event flow. In the graph with a probe, those sample periods are shown.

 

Attached a .rar wih a package and a document !


Fred

Outcomes