×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC Defender SIEM Correlation Server 6.2 ... Getting started BMC Defender Audit Report facility

Parse report

(SPE2310) Open link

Parse reports allow users to easily configure reports that contain information from a thread, parsed into fields for easy reading. 

To add a new parse report, navigate to the Reports > Audit > Parse Reports tab, and click AddNew. On the AddNew screen, specify a report name and thread containing data to parse. Then click Config to configure parse specifications in a manner similar to Pivot Reports.

The report generator runs at midnight or you can run it on demand by clicking Generate Report Database. You can view the report data in HTML, CSV, text, and PDF format.

Related topic

BMC Defender Audit Report facility

Description of inputs

The parse report is configured by clicking AddNew or Edit to modify the report settings. This opens a standard dialog containing the following fields:

FieldDescription
Report Title

Title of the report that appears on the top-level screen. This is an arbitrary title of fewer than 72 characters. The title cannot contain any special characters or punctuation marks.

Report Data Source

This select menu lists the various threads on the system. A valid thread (containing messages that will be parsed) must be specified here.

Specify Message Parsing Rules Option

This option must be clicked to specify the parsing rules of the report. When the option is clicked, the current screen values are saved, and the operator is presented with a screen that permits the various parse rules of the system (up to eight different parse rules) to be configured.

Additional Match Expr

This field is an optional match pattern that can be used to qualify the data contained in the Report Data Source selected previously. 

For example, to further reduce the data in the report, you can parse, match, and report on just the messages that contain a certain keyword or match expression.

Report Span Days

(SPE2401) Open link To report on data spanning multiple days, enter a value from 1 to 500.

(Before SPE2401) This select menu permits the operator to report on data spanning more than one day. (SPE2304) Open link To meet compliance requirements, you can set the span days to a week (7-Days), a month (31-Days), or an year (365-Days).

The value is mainly useful if the selected data source contains only a few 100,000 records or so. If the value is set too high, then the Scan Match Data Records value (described later in this topic) generally limits the number of records reported on. 

Important

Setting this value to a high number can dramatically increase the time to generate the report data. 

Require Field Count

This select menu controls the number of empty columns in the report for any data record. This option prevents a report from containing many blank and uninteresting column values.

Example

If Require-2 is specified, then at least two parse expressions must match a particular line in the data source; if Require-All is specified, then all parse specifications configured using Config must match the data record for the record to be included in the report. 

Scan Max Data Records

This value is the maximum number of records in the data selected data source that are scanned when the report is generated. The value prevents the report generator from taking too long to generate a report. If the Scan Max Data Records is met then the report finishes. (See the additional notes later in this topic.)

De-Duplicate Messages

This value de-duplicates the records of the report.

This value is particularly useful when reporting on values without selecting a date and time field in the report so that you can, for example, determine user names, processes, and locations (but not the time of a particular message).

Important

If the date and time of the message is one of the parsed values, then this function leaves values in the report if duplicate values (other than the date and time) are encountered. 

Max Output Records

This value is the maximum number of records in the data selected data source that are output. If Max Output Records is met, then the report finishes. This value is generally the same as the Max Scan Data Records if De-duplicate Messages are false. (See the additional notes later in this topic.)

Important

This value is generally low (by default 2500 messages) to make the rendering of HTML and PDF reports manageable. 

Additional notes

The report gathers data until the Span Days setting is specified or the Scan Max Data Records count is reached or the Max Output Records is reached. 

Important

If De-Duplicate is set to false, then the Max Output Records value is generally the limiting parameter.

After you modify any configuration item, click Generate Report Database to regenerate the report.

After the report is generated (either manually, or at midnight) the operator can view the report, or download HTML, PDF, or other types of reports. These reports depict the data in the report viewer including any data filtered using the Match keyword at the top of the viewer. Therefore, prior to downloading a report, the operator can select certain records in the report that are of special interest.

The operator can configure the E-Mail facility to automatically e-mail any parse report at a scheduled interval, as with other Audit type reports. 

Important

This reporting facility is quite flexible, but might require good understanding of the Server Parse Expressions.

Was this page helpful? Yes No Submitting... Thank you
Last modified by Rahul Hari Harikumar on Oct 27, 2023
spe2310 spe2401

Comments

Log in or register to comment.

Mapping of GDPR categories to EU legislation
Pivot reports
© Copyright 2013–2024 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.