The LogRhythm Configuration Manager allows you to configure AIE Drill Down Cache performance. The AI Engine Drill Down Manager allows you to configure the drill down on a per-rule basis.
- Run an Investigation or Tail, or look at the results in your Personal Dashboard or the Alarm Viewer.
- Select a row in the Log/Event Analyzer tab.
- Right-click the row, and then click AI Engine Event Drill Down.
  The AI Engine Event Drill Down Manager appears.
- Configure the available drill-down options, as described in the following table.
AI Engine Event Drill Down Manager
| Section | Item | Description |
|---|---|---|
| Drill Down Settings | Select Log Repository to Query | Select any of the available log repositories to include in this query. |
| Drill Down Settings | Maximum log messages to return per Rule Block | Enter or select the maximum number of log messages to return for each Rule Block. |
| Drill Down Settings | Query timeout (seconds) | Enter or select the period of time, in seconds, after which the drill down query should time out. |
| Drill Down Status | RB# | The position of the rule block within the AI Engine rule. |
| Drill Down Status | Data Processor Name | The name of the Data Processor being queried. |
| Drill Down Status | Status | The current status of the drill down. |
| Drill Down Status | Log Count | As defined by the column heading. |
| Drill Down Status | Error Messages | If any errors occur during the drill down, they appear here. |
| Drill Down Status | Last Query SQL Statement | The last SQL statement issued in the query. |
| Drill Down Status | Rule Block Type | The AIE Rule Block type. |
| Drill Down Status | Rule Block Description | A brief description of the Rule Block. |
| Other | Expected Drill Down Accuracy | One of the ratings listed after this table. |

Expected Drill Down Accuracy ratings:
- Excellent: The event was generated with the same version of the rule currently in the system.
- Good: The event was generated with a different version of the rule, but:
  - The rule has the same number of Rule Blocks.
  - All Rule Blocks are in the same order.
  - All Rule Blocks are of the same type.
- Unknown: One of the following occurred:
  - The event was generated with a different version of the rule that was significantly modified since the Event was generated.
  - Errors occurred during preparation.
If you want to see the Last Query SQL Statement:
- Clear the Automatically launch Investigator upon completion check box.
The AI Engine Drilldown Manager window now displays the Last Query SQL Statement. You may have to scroll to the right to see the column.
When you are ready to start the investigation, click OK.
If you do not need to see the Last Query SQL Statement, leave the Automatically launch Investigator upon completion check box selected, and then click Start.
When the drill down is complete, the results appear in the Investigator, and:
- In the Aggregate Log/Event List, a new column is added to both the Log/Event Analyzer and Log Viewer tabs that gives the AI Engine Rule Block number (AIE RB#).
- With Global Admin privileges, you can click View, and then click AI Engine Rule to open the rule in the AI Engine Rule Wizard.
  The AI Engine Rule Wizard appears.