3 Replies Latest reply on Mar 31, 2017 2:44 PM by paul.k

    SIEM: Need information on Accumulator value data type

    holywaters

      Hi,

      Can anyone help me understand what the Accumulator value data type can be used for, or direct me to any document that explains its use?

      Regards

        • 1. Re: SIEM: Need information on Accumulator value data type
          Peacekeeper

          Moved to SIEM forum for a better chance of an answer

          • 2. Re: SIEM: Need information on Accumulator value data type
            abanaru

            According to the product guide:

            "If you have custom fields that pull numeric data from a source, accumulator indexing can perform sums or averages over time on this data. You can accumulate several events together and average their value or generate a trending value."

            That trending value is then used in generating graphs from what I can tell.

            • 3. Re: SIEM: Need information on Accumulator value data type
              paul.k

              Holywaters,

              This can get complicated, and to date I have yet to find any documentation on it.

              I figured this out via trial and error in the lab.

              Accumulator fields are effectively numerical fields bound to some other field so that you can track how much a particular field has done.

              Bytes by IP or packets by port.

              Depending on how you plan to use it, there are different ways to take advantage of it.

              #1, which is on by default, is for NetFlow data. It allows you all those nifty views with byte and packet values, etc.

              #2 is in the correlation deviation component. Notice you can only use accumulator fields.

              #3, and this is if you really want to get adventurous: you can bind regular event fields to accumulator fields in the database, index section of ESM mgt. (Note you can only bind 5 by default.)

              Let me know if you need any more help.

              Good luck
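The replies above describe an accumulator as a numeric field (bytes, packets) summed or averaged per key (IP, port) over time, with the accumulated trend feeding graphs and the correlation deviation component. The following is an added example, not code from this thread or from the McAfee product: a small Python model of that behaviour. It assumes event records with a `ts` epoch field, a key field `src_ip` and a numeric field `bytes`, and a 60-second bucket (all constructed for the demo). The `deviation` method shows the defensive use of the accumulated baseline: flagging a key whose newest bucket departs from its own history.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Accumulation window in seconds (an assumption for this demo, not an ESM setting).
BUCKET_SECONDS = 60

# Constructed sample events: a numeric field ("bytes") keyed by source IP.
# Host 10.0.0.5 is steady for four minutes, then spikes in the fifth;
# host 10.0.0.9 is flat throughout.
EVENTS = [
    {"ts": 0,   "src_ip": "10.0.0.5", "bytes": 1000},
    {"ts": 30,  "src_ip": "10.0.0.5", "bytes": 1200},
    {"ts": 60,  "src_ip": "10.0.0.5", "bytes": 900},
    {"ts": 90,  "src_ip": "10.0.0.5", "bytes": 1100},
    {"ts": 120, "src_ip": "10.0.0.5", "bytes": 1000},
    {"ts": 150, "src_ip": "10.0.0.5", "bytes": 1000},
    {"ts": 180, "src_ip": "10.0.0.5", "bytes": 1100},
    {"ts": 210, "src_ip": "10.0.0.5", "bytes": 900},
    {"ts": 240, "src_ip": "10.0.0.5", "bytes": 50000},
    {"ts": 5,   "src_ip": "10.0.0.9", "bytes": 500},
    {"ts": 65,  "src_ip": "10.0.0.9", "bytes": 500},
    {"ts": 125, "src_ip": "10.0.0.9", "bytes": 500},
    {"ts": 185, "src_ip": "10.0.0.9", "bytes": 500},
    {"ts": 245, "src_ip": "10.0.0.9", "bytes": 500},
]


class Accumulator:
    """Sums a numeric event field per key in fixed-width time buckets."""

    def __init__(self, key_field, value_field, bucket_seconds=BUCKET_SECONDS):
        self.key_field = key_field
        self.value_field = value_field
        self.bucket_seconds = bucket_seconds
        # key -> bucket start -> [running sum, event count]
        self.buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))

    def add(self, event):
        """Fold one event into the bucket for its key and timestamp."""
        value = event[self.value_field]
        # Accumulators only make sense for numeric data; reject anything else early.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise TypeError(f"{self.value_field} must be numeric, got {value!r}")
        start = (event["ts"] // self.bucket_seconds) * self.bucket_seconds
        cell = self.buckets[event[self.key_field]][start]
        cell[0] += value
        cell[1] += 1

    def total(self, key):
        """Sum of the field over all buckets for this key."""
        return sum(s for s, _ in self.buckets[key].values())

    def average(self, key):
        """Mean per event over all buckets for this key."""
        count = sum(c for _, c in self.buckets[key].values())
        return self.total(key) / count if count else 0.0

    def series(self, key):
        """Per-bucket sums in time order: the 'trending value' a graph would plot."""
        return [self.buckets[key][b][0] for b in sorted(self.buckets[key])]

    def deviation(self, key, threshold=2.0):
        """Compare the newest bucket with the baseline of earlier buckets.

        Returns (is_deviant, z_score). Needs at least two baseline buckets;
        a flat baseline (zero spread) is deviant only if the newest value differs.
        """
        s = self.series(key)
        if len(s) < 3:
            return False, 0.0
        baseline, latest = s[:-1], s[-1]
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:
            return latest != mu, 0.0
        z = (latest - mu) / sigma
        return abs(z) > threshold, z


def build_demo():
    """Accumulate bytes by source IP over the constructed events."""
    acc = Accumulator("src_ip", "bytes")
    for event in EVENTS:
        acc.add(event)
    return acc


if __name__ == "__main__":
    acc = build_demo()
    for ip in ("10.0.0.5", "10.0.0.9"):
        flag, z = acc.deviation(ip)
        print(ip, "total", acc.total(ip), "avg %.1f" % acc.average(ip),
              "series", acc.series(ip), "deviant" if flag else "normal", "z=%.1f" % z)
```

The per-bucket series is what the product guide calls the trending value; the `deviation` check is the kind of comparison a deviation rule performs once the accumulated history exists, which is why such rules can only reference accumulator fields.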