To give an update, I tried creating a correlation rule to group per Source IP, but the Bytes custom type field isn't passed (or is missing) when drilling down into the correlated events.
I hope to receive a response and assistance from ESM users.
Are your 'squid bytes' being parsed into an 'accumulator field'? This won't be a function of correlation, just parsing.
Hello Andy, yes, it is parsed as an "accumulator field". If that's the case, do you have any idea how I can create this kind of report?
You need to MAP this to a non-accumulator field in ESM --> Database --> Settings --> Accumulator Indexing.
You can map up to 5 total.
Basically, pick which fields you want to accumulate by.
Good luck. This can get both interesting and tricky.
I'm wondering how I can identify the 'Bytes_Received' field in the Accumulator Indexing.
Under the 'System Properties->Custom Types', the 'Bytes_Received' Event Field is set to 'Accumulator Field -2'. However, I can't see any 'Bytes_Received' index/field in the 'Database->Settings->Accumulator Indexing->Accumulator Field - 2', but there are a lot of 'Custom Field $N Index' in there.
See the attached screenshot for references:
Ss: 'System Properties->Custom Types'
Ss: 'Database->Settings->Accumulator Indexing->Accumulator Field - 2'
You're almost there.
Notice you can't do it by Field name but by its Custom Field number (e.g. Custom Field 1).
So pick out the custom field numbers that match the Field Name you wish to bind to the accumulator field.
Also the basic ones like IP addresses and distribution will be at the bottom of the list.
You will be forced to do a service restart when you're done. (NOTE: IF YOU GIVE IT A DATE GOING BACK, it can take a long time for it to rerun the accumulator #s.)
Once you bind them you will get new options when creating dashboards.
As an experiment, start a new view, add a bar chart, hit the drop-down and you will see new options.
Based on what you chose to bind to the Acc fields, you will get the option to pivot around that data.
Enjoy your new analytics tool.
Thank you for your assistance, I was able to accomplish what I intended to do.
The only thing I wonder about right now is how you knew that it is "Custom Field 1". Is there an option where I can see the mapping of the event fields to custom fields?