...

Daily license usage summary

This panel shows three different metrics calculated using data registered during the last 30 days:

  • Average daily ingestion: the average amount of data ingested per day in your domain.

Code Block
from siem.logtrust.collector.counter 
where kind = "technology" 
group every 1h 
select sum(bytes) as bytes
select formatdate(eventdate, "YY-MM-DD") as date_str
select parsedate(date_str, "YY-MM-DD") as date_timestamp
group by date_timestamp
select sum(bytes) as bytes
group 
select avg(bytes) as avg_bytes 
  • License entitlement: the ingestion volume contracted.

  • Difference: the remaining amount of data still available to ingest, which appears in green when more can be ingested and red when the license entitlement has been exceeded. This value is merely informative, meaning that the daily ingestion can be exceeded occasionally as long as the monthly average is below the entitlement.
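As an added illustration that is not part of the Devo documentation, the Python below reproduces the arithmetic of the query and the three metrics above (hourly sums re-bucketed by day, 30-day average, difference against the entitlement) on constructed counter rows; the row layout, the sample values and the entitlement figure are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1)


def make_rows():
    """Constructed rows shaped like siem.logtrust.collector.counter
    (eventdate, kind, object, bytes, events); values are invented."""
    rows = []
    for day, per_hour in enumerate((1000, 3000)):   # day 0: 24 KB, day 1: 72 KB
        for h in range(24):
            rows.append({"eventdate": T0 + timedelta(days=day, hours=h),
                         "kind": "technology",
                         "object": "firewall.paloalto.traffic",
                         "bytes": per_hour, "events": 60})
    # A non-"technology" counter row: the where clause must drop it,
    # otherwise the license figures would be wildly inflated.
    rows.append({"eventdate": T0, "kind": "other", "object": "internal",
                 "bytes": 10**9, "events": 1})
    return rows


def daily_bytes(rows):
    """where kind="technology" | group every 1h sum(bytes)
       | group by day sum(bytes)  ->  {date: bytes}"""
    hourly = defaultdict(int)
    for r in rows:
        if r["kind"] != "technology":
            continue
        bucket = r["eventdate"].replace(minute=0, second=0, microsecond=0)
        hourly[bucket] += r["bytes"]
    per_day = defaultdict(int)
    for bucket, b in hourly.items():
        per_day[bucket.date()] += b
    return dict(per_day)


def avg_daily_bytes(rows):
    """Final 'group | select avg(bytes)' step: the 30-day average."""
    per_day = daily_bytes(rows)
    return sum(per_day.values()) / len(per_day) if per_day else 0.0


def license_difference(rows, entitlement_bytes):
    """'Difference' panel value. Positive means headroom (green),
    negative means the monthly average exceeds the entitlement (red).
    Note it compares the average, not any single day's ingestion."""
    return entitlement_bytes - avg_daily_bytes(rows)
```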

Live ingestion stats

This panel shows two different metrics calculated using data registered during the selected period. You can use the dropdown at the top right of the widget to choose between 1 minute, 5 minutes, 1 hour, or 1 day.

  • Events per second

Code Block
from siem.logtrust.collector.counter 
where kind = "technology" 
group every 1m 
select sum(events)/60 as EPS 
group 
select round(avg(EPS)) as avg_EPS
  • Bandwidth per second

Code Block
from siem.logtrust.collector.counter  
where kind = "technology" 
group every 1m 
select sum(bytes)/60 as bps 
group 
select round(avg(bps)) as avg_bps

Number of events

In this section you can find the total number of events received during the last 24 hours, represented as a line chart. This widget is interactive and allows you to:

  • Zoom in on a specific section to visualize it better → click and drag on the chart and click reset zoom at the top right to restore the original view.

  • See a tooltip with the value of a specific moment in time → hover over a specific point on the chart.

...

Code Block
from siem.logtrust.collector.counter 
where kind = "technology" 
group every 5m 
select sum(events) as events_per_day

Ingestion volume

In this section you can find the volume of the events received for each data table during the last 30 days, represented as a stacked column chart. You can also see a green line that indicates the average volume and, when your license entitlement has been exceeded, a red line that indicates what your license entitlement is. This widget is interactive and allows you to:

  • Zoom in on a specific section to visualize it better → click and drag on the chart and click reset zoom at the top right to restore the original view.

  • Highlight a specific table on the chart → hover over the table name within the legend on the right side of the chart and the rest of the tables will be dimmed.

  • Hide a specific table you’re not interested in → click on the table name within the legend on the right side of the chart and its name will be grayed out on the legend while hidden on the chart. Click it again to get it back.

  • See a tooltip with the values of a specific day → hover over a column and a tooltip will reveal the values for each table during that day and the percentage they represent from the total.

...

Code Block
from siem.logtrust.collector.counter
where kind="technology"
select ifthenelse(length(object)<30, object, substring(object, 0, 30)+"...") as technology 
group every 1h by technology
select sum(bytes) as bytes
select formatdate(eventdate, "YY-MM-DD") as date_str
select parsedate(date_str, "YY-MM-DD") as date_timestamp
group by date_timestamp, technology
select sum(bytes) as bytes

Ingestion by technology

In this section you can find the volume of the events received for each technology during the last 7 days, represented as a Voronoi chart. This widget is interactive and allows you to:

  • Zoom in on a specific section to visualize it better → scroll up and down while holding the ctrl key to zoom in or out.

  • Drill down to visualize the different brands for each technology and the different types for each brand → double-click on a cell to drill down one level and double-click once again for a subsequent level. Double-right-click to go back one level or press the esc key to reset the view to the upper level.

  • See a tooltip with the value of a specific technology, brand, or type → hover over a cell and a tooltip will reveal its value and the percentage it represents of the total.

...

Code Block
from siem.logtrust.collector.counter
where kind = "technology"
group by object
select sum(bytes) as sum
select split(object, ".", 0) as tech, split(object, ".", 1) as subtech

Total daily volume

In this section you can find the volume of the events received each day during the last 12 months, represented as a calendar heatmap. In this chart, each cell represents a different day and the color scale used to paint cells is calculated dynamically using the lowest and highest volumes in the year as reference values. This widget is interactive and allows you to:

  • See a tooltip with the values of a specific day → hover over a cell and a tooltip will reveal the date and the corresponding value.

  • Highlight cells of the same color on the chart → hover over a color point on the legend at the bottom to see the days that correspond to that specific color.

...

Code Block
from siem.logtrust.collector.counter
where kind="technology"
group every 1h
select sum(bytes) as bytes
select formatdate(eventdate, "YY-MM-DD") as date_str
select parsedate(date_str, "YY-MM-DD") as date_timestamp
group by date_timestamp
select sum(bytes) as bytes_per_day