Logs Widget

The Logs widget provides the capability to view logs in SevOne Data Insight.

General

The General tab enables you to select resources for which you want to view the logs.

Perform the following steps to set the widget settings for General tab.

Important: Third-party datasources, SPLUNK and ELK (ElasticSearch Stack), are supported.
Both SPLUNK and ELK datasources can read ~40 MB/minute or ~50 GB/day of logs.

SPLUNK

  1. Click the Log Datasource drop-down and select the SPLUNK datasource to retrieve its logs.
  2. Enable Use Aliases to allow the query on the alias.
  3. By default, Advanced mode is enabled. To use resource select mode, configure a device name mapping in the datasource settings.
  4. Enter <a search query> in field Query. For example, * or host=* or severity_id* or host=* severity_id=*
  5. Click Run - it will search for any log that contains the search query entered in field Query.
    Note: Run button is only available when one or more fields are changed in the General tab.
  6. Disable Advanced mode.
    Important: To disable the Advanced Mode, configure a device name mapping in the datasource settings.
    1. Click the Datasource drop-down and select the SevOne NMS cluster or appliance.
    2. From the Resource Type drop-down, select Device to choose one or more devices. Or, select Device group to choose one or more devices that belong to it.
    3. Click Run to generate a Log report based on the configuration.
      Note: Run button is only available when one or more fields are changed in the General tab.


  7. When the following fields are configured, the log report dynamically refreshes based on the change made.
    1. By default, timespan / time zone selected is Past 7 days New_York. Click the button to change the timespan / timezone. Select one of the following options:
      • Past <n> hours, days, weeks, months, quarter, year to display data from hours, days, weeks, months, quarter, or year ago until now.
      • Today - to display data from 12:00am today until now.
      • Yesterday - to display data from 12:00am yesterday until 12:00am today.
      • Last week, month, quarter, year - to display data from 12:00am on the first day of the last completed week, month, quarter, or year to 11:59pm on the last day of the last completed week, month, quarter, or year.
      • This week, month, quarter, year - to display data from 12:00am on the first day of the week, month, quarter, or year until now.
      • Customize the time span with From and To date / time.
      • Click Select button to choose the modified timespan / time zone.
    2. In the Result limit field, enter the number of results to display.
      Important: Result limit must be between 1 and 10,000. Limits greater than 200 can impact performance.
    3. Select the check boxes under Mapped columns to display as data columns in the table. The names in the second column are the names for the columns that appear in the report. You may modify the names in the second column to your choice. Currently, mapping can only be done with Device, Severity, or Timestamp (which are not within the SPLUNK instance).
      Note: Click on a device in the Device column and it allows you to choose a report to link to.
      Severity column shows the severity badges such as, Info, Error, Notice, etc. similar to SevOne Data Insight Alert widgets.
    4. Select the check boxes under Raw columns to display as data columns in the table. The names in the second column are the names for the columns that appear in the report. You may modify the names in the second column to your choice.

ELK

  1. Click the Log Datasource drop-down and select the ELK datasource to retrieve its logs.
  2. Click Index drop-down to select the index to search on. For example, staging-nms.
  3. Enable Use Aliases to allow the query on the alias.
  4. Enable Advanced mode to enter a custom query. When enabled, widget linking and chaining interactions are not available.
    1. Enter <a search query> in field Query. For example, * or host=* or severity_id=* or host=* severity_id=*
    2. Click Run - it will search for any log that contains the search query entered in field Query.
      Note: Run button is only available when one or more fields are changed in the General tab.
  5. Disable Advanced Mode.
    Important: To disable the Advanced Mode, configure a device name mapping in the datasource settings.
    1. Click the Datasource drop-down and select the SevOne NMS cluster or appliance.
    2. From the Resource Type drop-down, select Device to choose one or more devices. Or, select Device group to choose one or more devices that belong to it.
    3. Click Run to generate a Log report based on the configuration.
      Note: Run button is only available when one or more fields are changed in the General tab.
  6. When the following fields are configured, the log report dynamically refreshes based on the change made.
    1. By default, timespan / time zone selected is Past 7 days New_York. Click the button to change the timespan / timezone. Select one of the following options:
      • Past <n> hours, days, weeks, months, quarter, year to display data from hours, days, weeks, months, quarter, or year ago until now.
      • Today - to display data from 12:00am today until now.
      • Yesterday - to display data from 12:00am yesterday until 12:00am today.
      • Last week, month, quarter, year - to display data from 12:00am on the first day of the last completed week, month, quarter, or year to 11:59pm on the last day of the last completed week, month, quarter, or year.
      • This week, month, quarter, year - to display data from 12:00am on the first day of the week, month, quarter, or year until now.
      • Customize the time span with From and To date / time.
      • Click Select button to choose the modified timespan / time zone.
    2. In the Result limit field, enter the number of results to display.
      Important: Result limit must be between 1 and 10,000. Limits greater than 200 can impact performance.
    3. Select the check boxes under Mapped columns to display as data columns in the table. The names in the second column are the names for the columns that appear in the report. You may modify the names in the second column to your choice. Currently, mapping can only be done with Device, Severity, or Timestamp (which are not within the ELK instance).
      Note: Click on a device in the Device column and it allows you to choose a report to link to.

      Severity column shows the severity badges such as, Info, Error, Notice, etc. similar to SevOne Data Insight Alert widgets.

    4. Select the check boxes under Raw columns to display as data columns in the table. The names in the second column are the names for the columns that appear in the report. You may modify the names in the second column to your choice.

Linking

The Linking tab enables you to select a data element and link it to a related report or report template. Perform the following steps to add, delete, and edit links.

Perform the following steps to set the widget settings for Linking tab.

  1. Include report links allows report consumers to click on a data element such as, device name, and link it to the related report. Enable to include the report link that you configure. If you want to prevent the report link from being included, disable it. Continue with the steps below to configure the report link.
  2. By default, Report Link 1 is enabled.
    Note: If you wish to exclude the report link, disable Report Link 1.
  3. The Clicking on drop-down has only one possible data item - Device. When report linking is enabled, clicking on this data item will link to the report or report template that you specify below.
  4. Click the Links to report drop-down and select one or more reports or report templates to display when you click on the data item that you specified in the previous step.
  5. To remove the report link, click Trash can icon.
  6. If the report link has been deleted, you may click Add report link button to add.

    Example: SPLUNK

    When you click on a device, for example, Attleboro-R1, as shown in this example, you see Alert Drill Down Report in the list. Alert Drill Down Report is a Global Report Link on device Attleboro-R1. You can find which report(s) device Attleboro-R1 is linked to from the left navigation bar > Configure > Report Linking.


    Now, link device, Attleboro-R1, to report Device Summary. You will now see that device Attleboro-R1 contains Alert Drill Down Report and Device Summary in the list.


    If you click on Device Summary in the list, device Attleboro-R1 is passed to the report, which gathers the device summary for Attleboro-R1.


Charts

The Charts tab enables you to define how you want to display the report data.

Visualizations

The charts provide 3 visualizations for SPLUNK and ELK.


Table

The Table visualization displays the data as a table. Perform the following steps to set the widget settings for the Table visualization.

  1. Select the Table visualization by clicking Table visualization icon.
  2. STYLES
    1. Enable Show title to enter the title name in the text field provided and display it in report. Else, disable it.
    2. Enable Show subtitle to enter the sub-title name in the text field provided and display it in the report. Else, disable it.
    3. Enable Allow column reordering to allow the columns that display in the report to be reordered. Else, disable it.
    4. Enable Allow showing/hiding columns to allow columns in the report to be hidden and unhidden. If you choose, you may disable it.
    5. Enable Wrap cell content to wrap long text in a data row so that all text displays. Disable it to display as much text as fits into the cell with ellipses to indicate there is more text.
    6. By enabling Show search bar, the search capability is available to perform a search in the table. Disable it if you do not want the search capability. If Show search bar is enabled, you may click Funnel icon to allow Search by column.

Pie

The Pie visualization displays the data as a pie graph. Perform the following steps to set the widget settings for the Pie visualization.

  1. Select the Pie visualization by clicking Pie icon.
  2. PIE CHART TITLE
    1. Enable Show title to enter the title name in the text field provided and display it in report. Else, disable it.
    2. Enable Show subtitle to enter the sub-title name in the text field provided and display it in the report. Else, disable it.
  3. PIE VISUALIZATIONS
    1. It provides 3 different visualizations.
      • Donut
      • Pie
      • Nightingale
    2. Under Radius, extend the bar to the right to increase the radius or shorten the bar to decrease the radius.
    3. Enable Show labels to display labels for the device name, object name, indicator name, and percentage of the pie graph. Else, disable it.
    4. Enable Enable "Others" to add a slice called Others that rolls up values below the percentage value entered in field Percentage.
    5. Under Group by, click the drop-down to choose mapped or raw options from the list.
      Important: Selecting options with too many unique values (such as, a timestamp) may freeze your browser.
  4. LEGEND
    1. Enable Enable legend to display a legend for the graph. Else, disable it. Select one of the following options.
      1. Standard - to display legend in the standard format.
        • Click the Position drop-down to specify where you would like the legend to appear in relation to the graph. The position is set to Bottom by default. Other options include Top, Left, and Right.
      2. Table - to display the legend in table format.

Bar

The Bar Chart visualization displays a graph of qualitative independent variables. Perform the following steps to set the widget settings for the Bar visualization.

  1. Select the Bar Chart visualization by clicking Bar visualization.
  2. BAR CHART TITLE
    1. Enable Show title to enter the title name in the text field provided and display it in report. Else, disable it.
    2. Enable Show subtitle to enter the sub-title name in the text field provided and display it in the report. Else, disable it.
  3. BAR VISUALIZATIONS
    1. Click Aggregate by drop-down to aggregate data automatically by selecting Auto. Or, you may aggregate by Minute, Hour, Day, Week, or Month.
    2. Enable Stack to stack the results based on the option chosen from Stack by drop-down field.
      Important: Selecting options with too many unique values (such as, a timestamp) may freeze your browser.
  4. LEGEND

    1. Enable Enable legend to display a legend for the graph. Else, disable it.
    2. Select one of the following options:
      • Standard - to display legend in the standard format.
        • Click the Position drop-down to specify where you would like the legend to appear in relation to the graph. The position is set to Bottom by default. Other options include Top, Left, and Right.
      • Table - to display the legend in table format.
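
The Pie settings Group by and Enable "Others", and the warning about options with too many unique values (which also applies to Stack by in the Bar visualization), can be tried offline on exported log rows. The following is an added example, not SevOne code; the sample rows, the function names, and the `MAX_SLICES` cut-off are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample rows, shaped like log results with Device, Severity
# and Timestamp columns (20 rows, every timestamp unique).
_SEVERITIES = ["Info"] * 12 + ["Error"] * 5 + ["Notice"] * 2 + ["Critical"]
SAMPLE_ROWS = [
    {"device": f"router-{i % 3}", "severity": sev,
     "timestamp": f"2024-05-01T10:00:{i:02d}"}
    for i, sev in enumerate(_SEVERITIES)
]

# Assumed cut-off for illustration; the documentation gives no number.
MAX_SLICES = 50


def group_counts(rows, field):
    """Count rows per distinct value of `field` (the Group by column)."""
    return Counter(str(r.get(field, "(missing)")) for r in rows)


def is_safe_group_by(rows, field, max_slices=MAX_SLICES):
    """False when `field` has more distinct values than a chart can sensibly
    hold, e.g. a timestamp, where nearly every row becomes its own slice."""
    return len(group_counts(rows, field)) <= max_slices


def pie_slices(rows, field, others_pct=None):
    """Return (label, count, percent) slices, largest first.

    When `others_pct` is given, every slice below that percentage is
    rolled up into a single "Others" slice appended at the end.
    """
    counts = group_counts(rows, field)
    total = sum(counts.values())
    if total == 0:
        return []
    slices, others = [], 0
    for label, n in counts.most_common():
        pct = 100.0 * n / total
        if others_pct is not None and pct < others_pct:
            others += n
        else:
            slices.append((label, n, round(pct, 1)))
    if others:
        slices.append(("Others", others, round(100.0 * others / total, 1)))
    return slices


if __name__ == "__main__":
    for column in ("severity", "timestamp"):
        print(column, "safe to group by:", is_safe_group_by(SAMPLE_ROWS, column, 10))
    print(pie_slices(SAMPLE_ROWS, "severity", others_pct=15))
```
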