Hi! May I ask how you stop the aggregation when creating a Table in Report - Report Layout? My objective is to show each event individually in a table exported in a Report, where I am expecting 1000 lines of events for this table. I use the following details:
1. Reporting Queries - I added a new one for this
2. For the Fields: I use Last Time, Source User, Destination User, Message ID, Rule Name, Message Text.
3. For Filter: I leave it blank.
4. For Sort On: I sort Last Time - Descending.
Whenever I create a Report using this and trigger Run Now, I always get aggregated events, showing only 9 lines of events.
Hoping you can help me. Thank you.
The reports are produced using the data in the ESM database. If that data is aggregated, then it is aggregated. You cannot separate the data - the records in the database do not contain the individual data any more.
If you want to disable aggregation for some events, you can do so by disabling it on the rules that create the events. Bear in mind this increases the storage and processing load of these events, correspondingly having a more significant impact on your system performance and retention.
Alternatively you can customise the aggregation to make it more appropriate for your use case, aggregating events by source user or application instead of IP, signature id and time (the defaults).
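The effect described in the answer above, as an added example that is not part of the original posts and is not ESM code: a simplified model of aggregation at storage time. The field names, the one-hour window and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def make_events(n=1000):
    """Constructed sample data: one event per second, 3 IPs x 3 signatures, 50 users."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return [{
        "time": start + timedelta(seconds=i),
        "src_ip": f"10.0.0.{i % 3 + 1}",       # hypothetical field names
        "sig_id": f"sig-{(i // 3) % 3}",
        "src_user": f"user{i % 50}",
        "message": f"event text {i}",
    } for i in range(n)]

def store(events, key_fields, window_seconds=3600):
    """Return the records that would be stored in this simplified model.

    key_fields=None models aggregation disabled: every event is kept whole.
    Otherwise events sharing key_fields in the same time window become one
    record holding only the key, first/last time and a count.
    """
    if key_fields is None:
        return [dict(ev) for ev in events]
    records = {}
    for ev in events:
        bucket = int(ev["time"].timestamp()) // window_seconds
        key = tuple(ev[f] for f in key_fields) + (bucket,)
        rec = records.get(key)
        if rec is None:
            rec = records[key] = {f: ev[f] for f in key_fields}
            rec.update(first_time=ev["time"], last_time=ev["time"], count=0)
        rec["last_time"] = max(rec["last_time"], ev["time"])
        rec["count"] += 1
    return list(records.values())

def summary():
    """Row counts a report would see for the same 1000 events under each setting."""
    events = make_events()
    return {
        "ip_sig_time": len(store(events, ("src_ip", "sig_id"))),
        "by_user": len(store(events, ("src_user",))),
        "disabled": len(store(events, None)),
    }

if __name__ == "__main__":
    print(summary())
```

The aggregated records carry no per-event message text, so a report built on them cannot list the individual events; only the stored key, times and count are available.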