11.1 Running Reports

You can run and schedule report definitions that are saved in the system. You can also view the report results of the report definitions.

The Reports panel displays all the report definitions in the system. Because the reports run asynchronously, you can simultaneously perform other tasks in the application.

You can run a report by using the desired parameters such as a start and an end date, and save the report results with a name of your choice. After the report runs, you can view it in the Reports panel or in PDF.

Because the reports run asynchronously, you can simultaneously perform other tasks in the application while you run reports. If the Sentinel server was restarted while a report was processing, you can either cancel or restart the report. If you restart the report, it runs with the same parameters that were used the first time. If the report was run with a relative time setting (such as Last 12 hours), the time period for rerunning the report is based on the current date and time and not the date and time when the report was initially run.

You can run reports as either search reports or as Jasper reports, depending on the details you want to see and the format you want for the report results.

Use the following procedure to run a report:

  1. Log in to the Sentinel Web interface as a user with the Manage Reports permission.

  2. In the Reports panel, select the report you want to run, then click Run.

  3. Specify if you want to run the report now or if you want to schedule it to run at a certain time.

  4. Specify a name to identify the report results.

    Because the username and time are also used to identify the report results, the report name does not need to be unique.

  5. (Conditional) If your Sentinel is configured for distributed search, click the Selected Targets link in the Targets section to select the source machines on which the reports can be run. For more information on distributed search, see Searching and Reporting Events in a Distributed Environmentin the NetIQ Sentinel 7.0.1 Administration Guide.

  6. (Conditional) To run a search report, specify the following parameters:

    Parameter

    Description

    Maximum Results

    Specify the maximum number of event search results to include in the report.

    Durations

    If the report includes time period parameters, choose the date range. All time periods are based on the local time for the browser.

    • Last 1 hour: Shows events for the last hour.

    • Last 12 hours: Shows events for the last 12 hours.

    • Last 24 hours: Shows events for the last 24 hours.

    • Last 7 days: Shows events for the last seven days.

    • Last 30 days: Shows events for the last 30 days.

    • Last 60 days: Shows a month of events, from midnight of the first day of the previous month until 11:59 p.m. of the last day of the previous month.

    • Last 90 days: Shows events for the last 90 days.

    • Whenever: Shows all events stored in the system.

    • Custom Date Range: If you selected Custom Date Range, set the start date (From Date) and the end date (To Date) for the report.

  7. (Conditional) To run a Jasper report, specify the following parameters:

    Jasper reports can also have additional parameters defined when you create the Jasper report. To view the description for an additional parameter via a tool tip, mouse over the parameter names in the Run Report form.

    Parameter

    Description

    Help

    Click Help to open the doc_plugin.pdf and to read the getting started notes for the selected Jasper report.

    Maximum Results

    Specify the maximum number of event search results to include in the report.

    Language

    Choose the language in which the report labels and descriptions should be displayed. The possible values are English, French, German, Italian, Japanese, Traditional Chinese, Simplified Chinese, Spanish, or Portuguese.

    The default value is the language with which the current user logged in, if that language is supported by the report. If the report does not support the language, the report’s default language (typically English) is used.

    The data in the report is displayed in the language that was originally used by the event source.

    Date Range

    If the report includes time period parameters, choose the date range. All time periods are based on the local time for the browser.

    • Current Day: Shows events from midnight of the current day until 11:59:00 PM of the current day. If the current time is 8:00:00 AM, the report shows 8 hours of data.

    • Previous Day: Shows events from midnight yesterday until 11:59:00 PM yesterday.

    • Week To Date: Shows events from midnight Sunday of the current week until the end of the selected day.

    • Previous Week: Shows events for the last seven days.

    • Month to Date: Shows events from midnight the first day of the current month until the end of the selected day.

    • Previous Month: Shows events for a month, from midnight of the first day of the previous month until 11:59:00 PM. of the last day of the previous month.

    • Custom Date Range: Shows events for a period whose start and end date are chosen.

    Primary Top N

    Specify a maximum number of value for the search event.

    Primary Event Field

    Specify the primary event tag for the primary grouping.

    Event Field

    Specify the secondary event tag.

    Minimum Severity

    Specify the minimum severity value of the events to be displayed. The default value is 0.

    Maximum Severity

    Specify the maximum severity value of the events to be displayed. The default value is 5.

  8. Specify an e-mail address in the Email Report to field. If you want to mail the report to more than one user, separate the e-mail addresses with a comma.

    To enable mailing reports, configure the mail relay under Rules > Configuration.

  9. Click Run.

    A report results entry is created and mailed to the chosen recipients.