How to Report on Custom Logged Data by adding a Custom Field Node

Some log formats contain message fields or other free-form fields that are not easily displayed in reports and summaries. Although these fields are imported from the log files, they are not displayed in the standard summaries when you run an analysis or create a report template. However, you can still add these fields to your report if you want to see them.

For example, the IronPort log files contain a field named Extra / Custom Logged Data and a Reputation field, and the Windows Event logs contain a Message field. These fields cannot be seen in the list of Summaries if you run an ad-hoc analysis or create a new report template for that schema; however, they can be seen at the Individual Records level of Summaries.

To view these fields:
1. Go to Summaries and click New Analysis on the left
2. Select your storage, and select the Analysis Type as ‘Ad hoc analysis’
3. Leave the Filters and Summaries pages as default and click OK

When the analysis completes, click on the Date summary, then right-click any data and choose Drilldown | Individual Records. This will show you all of the data that was imported from your log file.

You can export this view as a report by clicking Export Current View on the left.

To add these fields to your report, you first need to ensure the report template is using your log file schema. To do this, check out our blog article or video tutorial.

Once this is done:
1. Right-click the report template and choose Edit Template
2. Right-click the location where you would like to add your custom field and choose New Node
3. Ignore all of the options, and click the Advanced button
4. On the General page, enter the name you would like displayed for the node in the Name text box, then under Columns click on the Key value, and then click the Delete button
5. Now click Add | Key
6. Enter the name that you would like displayed for your custom field in the Name text box, then select the Custom Expression radio button and delete the value shown there
7. Type in the name of the field you want to add, in square brackets. For example, for the IronPort Extra Custom Logged Data, the field name in WebSpy is [ExtraMessage]
8. Once you have entered your field name, right-click the box and choose Validate to ensure that you have entered a valid field name with the correct syntax
9. Click OK to add the field to your node, and OK to add this to the template.

If you can see a field in the Individual Records section of Summaries that you would like to report on, and you are not sure what the field name is to add to your report template, please contact WebSpy Support.

Tips:

1. Whenever you finish making changes to a report template, click Return To Reports on the left, then click the Save Templates link to make a copy of your changes before running the report.

2. When you run the report, use a test storage with only a very small amount of data in it. This allows the report to complete quickly and lets you see whether the changes are what you expected. If they are, you can then run the report on all of your data.

May 19th, 2013 | How To, IronPort, Reports, Windows Event Logs