ichan09
Message 1 of 2

How to stop aggregation in Report - Table?


Hi! May I ask how you stop the aggregation when creating a Table in Report - Report Layout? My objective is to show each event individually in a table exported in a Report, where I am expecting 1000 lines of events for this table. I use the following details:

1. Reporting Queries - I added a new one for this

2. For the Fields: I use Last Time, Source User, Destination User, Message ID, Rule Name, Message Text.

3. For Filter: I leave it blank.

4. For Sort On: I sort Last Time - Descending.

Whenever I create a Report using this and trigger Run Now, I always get aggregated events, showing only 9 lines of events.

Hoping you can help me. Thank you.

1 Solution

Accepted Solutions
lratcliffe
McAfee Employee
Message 2 of 2

Re: How to stop aggregation in Report - Table?


The reports are produced using the data in the ESM database.  If that data is aggregated, then it is aggregated.  You cannot separate the data - the records in the database do not contain the individual data any more.

If you want to disable aggregation for some events, you can do so by disabling it on the rules that create the events.  Bear in mind this increases the storage and processing load of these events, correspondingly having a more significant impact on your system performance and retention.

Alternatively you can customise the aggregation to make it more appropriate for your use case, aggregating events by source user or application instead of IP, signature id and time (the defaults).

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
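
A simplified model of the behaviour described in the accepted answer, added here as an illustration (it is not McAfee ESM code; the field names, the one-hour window and the sample events are constructed assumptions). It shows why a report built on aggregated records cannot return the individual events, and how adding Source User to the aggregation key changes what is stored.

```python
def make_events(n=1000):
    """Constructed sample events: 3 signature IDs, 3 source IPs, 20 users."""
    return [{"time": i,  # seconds since the start of the sample
             "sig_id": 1000 + i % 3,
             "src_ip": f"10.0.0.{(i // 3) % 3 + 1}",
             "src_user": f"user{i % 20:02d}"} for i in range(n)]


def aggregate(events, key_fields, window=3600):
    """Collapse events that share key_fields inside one time window."""
    rows = {}
    for e in events:
        key = tuple(e[f] for f in key_fields) + (e["time"] // window,)
        row = rows.get(key)
        if row is None:
            # Only the first event's non-key fields are kept in the record.
            rows[key] = dict(e, first_time=e["time"], last_time=e["time"], count=1)
        else:
            # Later matches only bump the counter and the Last Time value.
            row["last_time"] = e["time"]
            row["count"] += 1
    return list(rows.values())


def summarize(events, key_fields):
    """Report how many rows are stored and how much detail survives."""
    rows = aggregate(events, key_fields)
    return {"rows": len(rows),
            "events_counted": sum(r["count"] for r in rows),
            "users_visible": len({r["src_user"] for r in rows})}


if __name__ == "__main__":
    events = make_events()
    # Keyed on signature ID and IP: few rows, most users no longer visible.
    print(summarize(events, ("sig_id", "src_ip")))
    # Keyed on source user as well: more rows, every user still visible.
    print(summarize(events, ("sig_id", "src_ip", "src_user")))
```

In both cases the counters still add up to 1000, but the stored rows are all a report can query.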
