Drill Down on AI Engine Results

The LogRhythm Configuration Manager allows you to configure AIE Drill Down Cache performance. The AI Engine Drill Down Manager allows you to configure the drill down on a per-rule basis.

  1. Run an Investigation or Tail, or look at the results in your Personal Dashboard or the Alarm Viewer.

  2. Select a row in the Log/Event Analyzer tab.
  3. Right-click the row, and then click AI Engine Event Drill Down.
    The AI Engine Event Drill Down Manager appears.

  4. Configure the available drill-down options, as described in the following table.

    AI Engine Event Drill Down Manager

    Drill Down Settings
      Select Log Repository to Query: Select any of the available log repositories to include in this query.
      Maximum log messages to return per Rule Block: Enter or select the maximum number of log messages to return for each Rule Block.
      Query timeout (seconds): Enter or select the period of time, in seconds, after which the drill down query should time out.

    Drill Down Status
      RB#: The position of the Rule Block within the AI Engine rule.
      Data Processor Name: The name of the Data Processor being queried.
      Status: The current status of the drill down.
      Log Count: The number of logs, as defined by the column heading.
      Error Messages: If any errors occur during the drill down, they appear here.
      Last Query SQL Statement: The last SQL statement issued in the query.
      Rule Block Type: The AIE Rule Block type.
      Rule Block Description: A brief description of the Rule Block.

    Expected Drill Down Accuracy
      • Excellent: The event was generated with the same version of the rule currently in the system.
      • Good: The event was generated with a different version of the rule, but:
        • The rule has the same number of Rule Blocks.
        • All Rule Blocks are in the same order.
        • All Rule Blocks are of the same type.
      • Unknown: One of the following occurred:
        • The event was generated with a different version of the rule that was significantly modified since the event was generated.
        • Errors occurred during preparation.
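The Expected Drill Down Accuracy rating is a comparison between the rule version that produced the event and the version now in the system. The following Python is an added illustration of how the three ratings follow from the criteria in the table; it is not LogRhythm's code or API. The RuleBlock and RuleVersion classes, the block-type labels and the sample rule versions are hypothetical constructions for the example.

```python
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass(frozen=True)
class RuleBlock:
    """One Rule Block of an AI Engine rule (hypothetical model, not LogRhythm's own type)."""
    position: int       # RB#: position of the block within the rule
    block_type: str     # Rule Block Type (constructed label)


@dataclass(frozen=True)
class RuleVersion:
    """A saved version of an AI Engine rule, identified by rule id and version number."""
    rule_id: int
    version: int
    blocks: Tuple[RuleBlock, ...]   # ordered by RB#


def expected_drill_down_accuracy(
    event_rule: RuleVersion,
    current_rule: RuleVersion,
    preparation_errors: Sequence[str] = (),
) -> str:
    """Classify drill-down accuracy using the documented criteria.

    Excellent: the event was produced by the version of the rule now in the system.
    Good:      a different version, but same block count, order and types.
    Unknown:   the rule was significantly modified, or preparation raised errors.
    """
    if event_rule.rule_id != current_rule.rule_id:
        raise ValueError("accuracy is only defined between versions of the same rule")
    if preparation_errors:
        return "Unknown"
    if event_rule.version == current_rule.version:
        return "Excellent"
    if len(event_rule.blocks) != len(current_rule.blocks):
        return "Unknown"
    # Same block count: every RB# must still hold a block of the same type, in order.
    for old, new in zip(event_rule.blocks, current_rule.blocks):
        if old.position != new.position or old.block_type != new.block_type:
            return "Unknown"
    return "Good"


# Constructed sample versions of one rule (rule id 101); not from any real deployment.
RULE_V3 = RuleVersion(101, 3, (RuleBlock(1, "Log Observed"), RuleBlock(2, "Threshold Observed")))
# v4: same shape as v3 (e.g. only thresholds or filters were edited)
RULE_V4 = RuleVersion(101, 4, (RuleBlock(1, "Log Observed"), RuleBlock(2, "Threshold Observed")))
# v5: a third Rule Block was added
RULE_V5 = RuleVersion(101, 5, (RuleBlock(1, "Log Observed"), RuleBlock(2, "Threshold Observed"),
                               RuleBlock(3, "Log Not Observed")))
# v6: the two blocks were swapped
RULE_V6 = RuleVersion(101, 6, (RuleBlock(1, "Threshold Observed"), RuleBlock(2, "Log Observed")))


def demo() -> dict:
    """Rate an event generated by rule version 3 against each later version."""
    return {
        "same_version": expected_drill_down_accuracy(RULE_V3, RULE_V3),
        "same_shape": expected_drill_down_accuracy(RULE_V3, RULE_V4),
        "block_added": expected_drill_down_accuracy(RULE_V3, RULE_V5),
        "reordered": expected_drill_down_accuracy(RULE_V3, RULE_V6),
        "prep_error": expected_drill_down_accuracy(RULE_V3, RULE_V4, ["constructed: Data Processor query failed"]),
    }


if __name__ == "__main__":
    for case, rating in demo().items():
        print(f"{case:>13}: {rating}")
```

A "Good" rating only means the Rule Block structure still lines up by RB#, so the returned logs can be matched to the right block; the block contents may still differ from what fired the event, which is why the page reserves "Excellent" for the identical version.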
  5. If you want to see the Last Query SQL Statement:

    1. Clear the Automatically launch Investigator upon completion check box.
    2. Click Start.
      The AI Engine Drilldown Manager window now displays the Last Query SQL Statement. You may have to scroll to the right to see the column.

    3. When you are ready to start the investigation, click OK.

  6. If you do not need to see the Last Query SQL Statement, leave the Automatically launch Investigator upon completion check box selected, and then click Start.
    When the drill down is complete, the results appear in the Investigator, and:

    • In the Aggregate Log/Event List, a new column is added to both the Log/Event Analyzer and Log Viewer tabs that gives the AI Engine Rule Block number (AIE RB#).

    • With Global Admin privileges, you can click View, and then click AI Engine Rule to open the rule in the AI Engine Rule Wizard.
      The AI Engine Rule Wizard appears.

You can also drill down on alarms associated with AI Engine rules using the AIE Drill Down API. For more information, see AI Engine Drill Down API.
