Create a dashboard by using fields from logs


You want to create a dashboard in BMC Helix Dashboards by using the fields that are present in the logs. For example, consider the following logs. You want to create a dashboard that shows how many times a phishing IP address has attacked your network.

[22-09-2022 13:46:04.372:1/ 10.42.70.174 ERROR root GET 501 Service not available. Please contact administrator

Here is an overview of the steps to create a dashboard:

Dashboard_usecase_processflow.jpg

Step 1: Identify the fields to use in a dashboard

Start by identifying the fields that you want to use in the dashboard. These fields can already be present in the logs, or you can add them. Sometimes a field is present only inside the message field. In that case, extract the field.

If you want to add a field to the logs, configure the enrichment sources and enrichment policies.

In the example, we want to show the fields ipAddress and count on the dashboard.

Step 2: Set up field extraction

In the logs, the ipAddress field is present inside the message field. To use the ipAddress field on a dashboard, extract the field by configuring a field extraction policy. For more information, see Extracting-fields.

Field_extraction_for_dashboard.jpg

Step 3: Set up enrichment

From the logs, it is not clear if an IP address is a phishing IP address or not. To check that, enrich the logs by using a CSV file. We have added the following fields to the logs:

  • Attack origin company
  • Phishing flag

To enrich the logs, configure an enrichment source and an enrichment policy as shown in the example that follows. For more information, see Enriching-logs.

Enrichment_for_Dashboards.jpg

Step 4: View the collected logs

Now, view the collected logs and ensure that they are enriched and that the ipAddress field is extracted from the message field. To view the collected logs, go to the Explorer tab.

CollectedLogs.jpg

Step 5: Add a dashboard or panel

You can either create a new dashboard or use an existing dashboard and add a panel to it. To add a new panel for this use case, use the query as shown in the image. For more information, see Setting up dashboards.

dashboard_panel_query.jpg

Step 6: View the dashboard

Let's save the panel and view the dashboard. The bar chart shows the IP addresses for which the phishing flag is set to yes and the number of times each has attacked your network.

Dashboardpanel_in_dashboard.jpg
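
To check offline what the panel should show, the following added example (not BMC Helix code or its query language) reproduces steps 2 to 6 in Python: it extracts ipAddress from the message, enriches it from a CSV, and counts hits per phishing IP. The sample log lines and CSV are constructed, and the CSV column names are assumptions.

```python
import csv
import ipaddress
import re
from collections import Counter

# Constructed sample logs in the same shape as the log line on this page.
SAMPLE_LOGS = """\
[22-09-2022 13:46:04.372:1/ 10.42.70.174 ERROR root GET 501 Service not available. Please contact administrator
[22-09-2022 13:46:05.101:1/ 192.0.2.10 ERROR root GET 501 Service not available. Please contact administrator
[22-09-2022 13:46:06.230:1/ 10.42.70.174 ERROR root GET 501 Service not available. Please contact administrator
[22-09-2022 13:46:07.008:1/ 198.51.100.7 INFO root GET 200 OK
[22-09-2022 13:46:08.412:1/ 999.1.1.1 ERROR root GET 501 Service not available. Please contact administrator
"""

# Constructed enrichment CSV; the column names are assumptions, not the product's schema.
ENRICHMENT_CSV = """\
ipAddress,attackOriginCompany,phishingFlag
10.42.70.174,Example Corp,yes
192.0.2.10,Example Org,no
"""

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def extract_ip(message):
    """Step 2: pull the first valid IPv4 address out of the message field."""
    for candidate in IP_RE.findall(message):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the pattern but is not an address
    return None

def load_enrichment(csv_text):
    """Step 3: build the lookup table keyed by IP address."""
    return {row["ipAddress"]: row for row in csv.DictReader(csv_text.splitlines())}

def phishing_counts(log_text, csv_text):
    """Steps 4-6: enrich each record, keep phishing IPs, count hits per IP."""
    lookup = load_enrichment(csv_text)
    counts = Counter()
    for line in log_text.splitlines():
        info = lookup.get(extract_ip(line))  # unknown or unparsable IPs stay unenriched
        if info and info["phishingFlag"].strip().lower() == "yes":
            counts[info["ipAddress"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for ip, count in phishing_counts(SAMPLE_LOGS, ENRICHMENT_CSV).items():
        print(ip, count)
```

IP addresses missing from the CSV (198.51.100.7 in the sample) are never flagged, so the chart is only as complete as the enrichment source.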