Create a dashboard by using fields from logs
You want to create a dashboard in BMC Helix Dashboards by using the fields that are present in the logs. For example, consider the following logs. You want to create a dashboard that shows how many times a phishing IP address has attacked your network.
[22-09-2022 13:46:04.372:1/ 10.42.70.174 ERROR root GET 501 Service not available. Please contact administrator
Here is an overview of the steps to create a dashboard:
Step 1: Identify the fields to use in a dashboard
Start by identifying the fields that you want to use in the dashboard. These fields can already be present in the logs, or you can add them. Sometimes a field is embedded in the message field. In that case, extract the field.
If you want to add a field to the logs, configure the enrichment sources and enrichment policies.
In the example, we want to show the fields ipAddress and count on the dashboard.
Step 2: Set up field extraction
In the logs, the ipAddress field is present inside the message field. To use the ipAddress field on a dashboard, extract the field by configuring a field extraction policy. For more information, see Extracting-fields.
Step 3: Set up enrichment
From the logs, it is not clear if an IP address is a phishing IP address or not. To check that, enrich the logs by using a CSV file. We have added the following fields to the logs:
- Attack origin company
- Phishing flag
To enrich the logs, configure an enrichment source and an enrichment policy as shown in the example that follows. For more information, see Enriching-logs.
Step 4: View the collected logs
Now, view the collected logs and ensure that the collected logs are enriched and the ipAddress field is extracted from the message field. To view the collected logs, go to the Explorer tab.
Step 5: Add a dashboard or panel
You can either create a new dashboard or use an existing dashboard and add a panel to it. To add a new panel for this use case, use the query as shown in the image. For more information, see Setting up dashboards.
Step 6: View the dashboard
Let's save the panel and view the dashboard. The bar chart shows the IP addresses for which the phishing flag is set to yes and the number of times they have attacked your network.
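To check the extraction pattern and the enrichment CSV before you configure the policies, you can reproduce steps 2 through 6 offline. The following Python script is an added example, not BMC Helix code or its query language. The CSV column names (attackOriginCompany, phishingFlag), the company names, and every log line after the first are constructed assumptions.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed sample logs; the first line is the page's example, the rest are made up.
SAMPLE_LOGS = """\
[22-09-2022 13:46:04.372:1/ 10.42.70.174 ERROR root GET 501 Service not available. Please contact administrator
[22-09-2022 13:46:09.118:1/ 10.42.70.174 ERROR root GET 501 Service not available. Please contact administrator
[22-09-2022 13:47:12.640:1/ 10.42.70.20 INFO root GET 200 OK
[22-09-2022 13:48:30.007:1/ 999.1.1.1 ERROR root GET 501 Service not available. Please contact administrator
[22-09-2022 13:49:55.201:1/ 10.42.70.99 ERROR root POST 501 Service not available. Please contact administrator
"""
# Constructed enrichment CSV; the column names are assumptions.
ENRICHMENT_CSV = """\
ipAddress,attackOriginCompany,phishingFlag
10.42.70.174,ExampleCorp,yes
10.42.70.20,ExampleOrg,no
"""
# Four dot-separated groups that are not part of a longer dotted number.
IP_CANDIDATE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def extract_ip(message):
    """Step 2: return the first valid IPv4 address in the message, or None."""
    for candidate in IP_CANDIDATE.findall(message):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the pattern but is not an address
    return None

def phishing_counts(log_text, csv_text):
    """Steps 3-6: enrich by IP, keep phishingFlag == yes, count hits per IP."""
    lookup = {r["ipAddress"]: r for r in csv.DictReader(io.StringIO(csv_text))}
    counts, skipped = Counter(), {"no_ip": 0, "not_enriched": 0}
    for line in log_text.splitlines():
        ip = extract_ip(line)
        if ip is None:
            skipped["no_ip"] += 1
        elif ip not in lookup:
            skipped["not_enriched"] += 1
        elif lookup[ip]["phishingFlag"].strip().lower() == "yes":
            counts[ip] += 1
    return dict(counts), skipped

if __name__ == "__main__":
    print(phishing_counts(SAMPLE_LOGS, ENRICHMENT_CSV))
```

The skipped counters correspond to what to look for in the Explorer tab in step 4: records where ipAddress was not extracted, and records whose IP address has no row in the enrichment CSV and therefore never appears on the panel.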