Aggregating and Viewing Logs
Sample Dashboard
Now that our data is parsed into useful fields, we can aggregate and summarize it. A dashboard is a set of widgets that show messages, counts, or aggregations.
Here is an example dashboard that shows:
- the number of NPS log messages received over time
- the most frequently logged
FullyQualifedUserNamePacketTypeReasonCodeClientFriendlyNameClientIPAddressSourceEAPFriendlyNameNPPolicyNameProxyPolicyName
- the most recently received messages matching the filter criteria
Dashboards also provide an easy way to "drill down". By clicking on a value in an aggregation, we can exclude or include messages matching that field value.
Creating Dashboards
In this example, we'll aggregate the top n values of FullyQualifedUserName
- Navigate to Dashboards and click Create new dashboard
- Click on the Create button
- Click on Aggregation
- Click the Edit button on the empty aggregation
-
In the Query field, enter this query and click the Search button
EventSource:IAS AND _exists_:FullyQualifedUserNameThis query ensures that
- we only aggregate logs from NPS (
EventSource:IAS) - we only try to aggregate messages that actually include this field (
_exists_:FullyQualifedUserName)
- we only aggregate logs from NPS (
-
Under Group By, add the
FullyQualifedUserNamefield- Set the limit to a reasonable value (
15, for example)
- Set the limit to a reasonable value (
-
Under Metrics, choose the "Count" Function and select the
gl2_message_idfield- This causes matching messages to be counted exactly once, as
gl2_message_idis unique for each message
- This causes matching messages to be counted exactly once, as
-
Click Update preview to test your aggregation
- If you are satisfied, click Update widget
- Create additional widgets for each property you wish to aggregate
Warning
Be sure to save your dashboard before you navigate away from the page or close your browser!
- Configure
- Ingest
- Process
- Aggregate