Create Reports
Use the Report Wizard to create and modify Custom Reports and to view the configuration of reports you do not have permission to modify.
To create a new report:
- On the Tools menu, click Report, and then click Report Center.
- Click the Reports tab.
- On the main toolbar, click the New icon.
The Report Wizard appears.
- On the Select Report Template page, select the report template you want and click Next.
Log Volume reports (Class = Log Management) return data for all log sources. Specifying log source criteria does not narrow the results.
- On the Specify Log Source Criteria page, specify the Log Sources to include in the Report and click Next.
- On the Specify Additional Report Criteria page, add any filters needed to limit the data included in the report. For more information on filters, see Work with Filters.
Filters are not applied when running Log Volume reports (Class = Log Management). Log Management Reports are designed to ignore filters.
Restricted Analysts cannot create or edit a User (Impacted/Origin) by Active Directory Group filter. The User (Impacted/Origin) by Active Directory Group filter is only available to Global Administrators and Global Analysts.
Restricted Analysts can run objects that reference an Active Directory Group filter in saved Reports and Report Packages.
If you are running a report type that summarizes data by the top N events, filter NULL values out of your data. To do this, manually create a filter where the Filter Mode is Filter Out (Is Not) and the Filter out Null values? check box is selected.
- Click Next.
The Report Wizard Details and Configuration page appears.
- Type the Report Details.
- Enter the Report Name.
- (Optional) Enter any qualifiers to print on the report.
Qualifiers are optional, but they allow you to print additional information, such as the sorting or selection method, the affected user group, or the sources.
For example:
Name = Summary Log Count
Qualifier 1 = of Events
Qualifier 2 = by Ascending Log Count
- (Optional) Enter a description to include in the report list. The description does not appear on the report.
- Complete the Report Configuration.
- Select a Report Class.

| Report Classes | Description |
| --- | --- |
| Diagnostic | System diagnostics |
| Log Management | LogRhythm usage and log collection |
| Audit | Maintenance of Entities, Hosts, Users, etc. |
| Security | Security and compliance-related events |
| Operations | Error conditions |
| General Purpose | Summarizing log counts according to Hosts, Ports, etc. |
| Event Management | Events and Alarms |
| Case Management | |

- Specify the Report Data Source (Platform Manager, Data Processor, LogMart) to use as input data. If a source appears dimmed, it is unavailable.
Reports run against the Data Processor pull their data from the Data Indexer. Therefore, the amount of data pulled in those reports is controlled by the effective TTL of your Data Indexer. You may have 30, 60 or even 90 days of configured TTL for your indexer, but if drive free space hits 80% then the oldest index will be deleted.
- Specify the Report Permissions to determine the access level for the report.
- Configure Intelligent Indexing:
- Select Enable Intelligent Indexing, if necessary.
- Select Enable Expiration, if necessary.
- To save the Report and exit the Report Wizard, click OK.
When viewing a Report, you cannot modify the Report Wizard fields.