dwight s (IBM)

Pinned topic Reporting FAQ

‏2015-01-22T15:56:27Z | reporting

Common questions about the Reporting area of QRadar.

 

1) Is a list of all reports in QRadar available in the documentation?

As reports are constantly updated, we do not include them in any of the QRadar guides.  In addition, depending on the features you add (QVM, QRM, and content packs), you will have a different list of reports available in your system.  The attached script, "reportlist.pl", will allow you to query the report templates and get a list of all report titles & descriptions.  If you have any problems with this script, please comment here.

----- 
[root@csd8 support]# ./reportlist.pl -h
Usage: parse_report.pl [-ah] [-f reportfilename]

-a: print list of ALL report files
-h: this help
-f filename: print details of specific report file
 
# - This script should only be used on the QRadar console
# - This report includes all reports, it does not filter on enabled/disabled.
# - Output is 2 dash (--) delimited, with 2 columns
# for title & description, one per line, as some
# of the report titles & descriptions have commas
# in them.
# - Redirect output to a file and import into
# excel for readability.
#       parse_report -a > listofreports.csv
# - If you have email setup on
# your QRadar server, you can also redirect the output
# to an email with:
#       parse_report.pl -a  |  mail -s "qradar report list" user.com
# - Note, errors about
# "Wide character in print at ./report_parse.pl line 90."
# can be ignored, as perl has issues with some of the longer
# characters used for internationalization.  These are not redirected
# to your output file or email, since they print to
# the ssh/console only.
 
[root@csd8 support]#

--- 

 


  • Sunil.Nishankar

    Re: Reporting FAQ

    ‏2015-01-23T00:59:13Z  

    Thanks Dwight!

    But suppose I have a report configured and it runs as per schedule and distributes emails, but sometimes, as there is no data fetched by the report definition, we get a blank attachment (either a PDF or Excel file). Is there any intelligence so that if the generated report file is blank, it is not distributed?

     

    Thanks

    Sunil

  • dwight s (IBM)

    Re: Reporting FAQ

    ‏2015-01-23T19:45:17Z  

    Hi Sunil .. 

    Unfortunately no, at the present time, the reporting engine isn't aware of an empty result set, and still sends out a report file, regardless of whether or not there's data attached to it.

    dwight

  • Sunil.Nishankar

    Re: Reporting FAQ

    ‏2015-01-23T20:28:16Z  

    Thanks Dwight for the reply!

    But I think that report generation and distribution must be two separate functionalities: the report engine fetches data and writes it to some file (PDF, Excel or other format), and the distribution engine sends that file as an attachment via mail. So here, while sending the file as an attachment, some intelligence can be provided, like an if condition: if the file size is 0KB or less than 1KB, skip the attachment and send details in the mail body saying that the report data is blank. I hope it's just a matter of code modification and not messing with the whole logic behind report distribution.

    Even if there is no data in the report and the report engine writes a standard template into the file, the size of this file can be used as a baseline criterion to decide whether report data was written to the file or not.

     

    Thanks

    Sunil

     

  • dwight s (IBM)

    Re: Reporting FAQ

    ‏2015-01-26T14:34:11Z  

    Hey Sunil .. 

    You are correct, the function to generate a result set & the "email" portion would be two functions in the code.  I don't know if the 'mail' function is aware of the result set size or not.

    I suspect the PDF file would still be a decent size, even with no results, and even just 1 result wouldn't be much larger.  But as you say, it would be a good reporting feature.  That said though, many users would want a report, even if it was empty, since the fact there -are- no results would be of importance as well.  Perhaps a feature in a report option set, to say "if no results in search, do not send report", would be something that would provide the best functionality.

    If it's something you're interested in, you may want to open up an RFE for it, to get it on product management's radar & roadmap.  The RFE website is at https://www.ibm.com/developerworks/rfe/

    dwight

  • Sunil.Nishankar

    Re: Reporting FAQ

    ‏2015-01-26T21:33:40Z  

    Hi Dwight,

    Thanks for the reply!

    I agree that many users still want a report even if it is empty, and this is also essential for report generation functionality, but as I suggested above, the attachment can be skipped and a line can be added in the mail body saying that the generated report is empty. That way stakeholders/users would be notified that the report schedule worked properly but the generated report is empty. Most of the time, these empty reports discourage stakeholders from checking the report mail on a daily basis.

    Yes, I am looking for the functionality we are discussing. Sure, I will open an RFE for this, but I am afraid an IBM RFP takes a much longer time to be ready as a feature (no offense!).

    Thanks

    Sunil

  • dwight s (IBM)

    Re: Reporting FAQ

    ‏2015-01-27T12:38:33Z  

    Sunil

    Understood.  The reporting area is one of those spots that I think we've talked about making changes to, but haven't tackled yet.  Discussions like this encourage more people to request RFEs, and the more people that speak up for the same one, the more chance it has of getting on the todo list.  It is a roundabout way of getting things on the list, but it's what we have to work with for now - no offense taken!  :)

    dwight

  • Sunil.Nishankar

    Re: Reporting FAQ

    ‏2015-01-27T17:01:52Z  

    Thanks Dwight!

    I opened an RFE - code is 64952.

    All users who also want the same feature (as discussed above), please vote for this RFE ID.