Versions Compared

Old Version 16

changes.mady.by.user Aaron Gabriel (Deactivated)

Saved on

compared with

New Version 17

changes.mady.by.user Aaron Gabriel (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Section
id1514284592


Section
id1514284612


Section
background-color$lightGrayColor
id1514284591

Table of Contents
maxLevel3
minLevel3


Section
id1514284602

In Log Search, users can create queries and visualizations to better understand how Armor bills against log usage. Users will want to review usage for both Agent and non-Agent log types.


Query for Armor Agent Log Types

To query Armor Agent log types:

  1. In AMP, go to the Log Search screen.
  2. Click on Discover.
  3. Use the Change Index Pattern dropdown to view all customer accounts under your Partner account.
    1. Click the View drop down, and change the Index Pattern to (Account ID)_partner.
    2. Below the Search bar, click the link for +Add Filter
      1. Field = tenant.id
      2. Operator = is
      3. Value = (Partner Customer Account ID)
  4. Below the Search bar, click the link for +Add Filter
    1. Filter #1
      1. Field = tags
      2. Operator = is one of
      3. Values = armor agent, oslogs
        1. Type *armor_agent* and hit enter
        2. Type *oslogs* and hit enter
      4. Hit Save
    2. Filter #2
      1. Field = tags
      2. Operator = is one of
      3. Values = windows, linux
        1. Type *windows* and hit enter
        2. Type *linux* and hit enter
      4. Hit Save
    3. Hit the Refresh button


Visualization for Armor Log Types

To create a visualization for Armor Agent log types:

  1. In AMP, go to Log Search screen.
  2. Click on Visualize
  3. In the New Visualization pop up, select the Data Table visualization option.
  4. Choose a source.
  5. Below the Search bar, click the link for +Add Filter
    1. Filter #1
      1. Field = tags
      2. Operator = is one of
      3. Values = armor agent, oslogs
        1. Type *armor_agent* and hit enter
        2. Type *oslogs* and hit enter
      4. Hit Save
    2. Filter #2
      1. Field = tags
      2. Operator = is one of
      3. Values = windows, linux
        1. Type *windows* and hit enter
        2. Type *linux* and hit enter
      4. Hit Save
    3. Hit the Refresh button
  6. In the Data tab, expand the Metric configuration
    1. In the Aggregation dropdown, select Sum
    2. In the Field dropdown, enter message_size
  7. Under Buckets, click Add
    1. Select Split rows
    2. In the Aggregation dropdown, select Terms
    3. In the Field dropdown, select external_id
  8. Add another Bucket by clicking Add
    1. Select Split rows
      1. In the Sub aggregation, select Terms
      2. In the Field dropdown, select winevent.log.source
  9. Hit Update


Query for Non Armor Agent Log Types

  1. In AMP, go to the Log Search screen.
  2. Click on Discover.
  3. Use the Change Index Pattern dropdown to view all customer accounts under your Partner account.
    1. Click the View drop down, and change the Index Pattern to (Account ID)_partner.
    2. Below the Search bar, click the link for +Add Filter
      1. Field = tenant.id
      2. Operator = is
      3. Value = (Partner Customer Account ID)
    3. Below the Search bar, click the link for +Add Filter
      1. Filter #1
        1. Field = tags
        2. Operator = is not one of
        3. Values = armor_agent, windows, linux, oslogs
          1. Type *armor_agent* and hit enter
          2. Type *windows* and hit enter
          3. Type *linux* and hit enter
          4. Type *oslogs* and hit enter
        4. Hit Save
      2. Filter #2
        1. Field = data.type
        2. Operator = is not one of
        3. Values = trend
          1. Type *trend* and hit enter
        4. Filter #3
          1. Field = log.file.path
          2. Operator = is not one of
          3. Values = /opt/armor/filebeat
            1. Type */opt/armor/filebeat * and hit enter
          4. Hit Save
        5. Hit the Refresh button


Visualization for Non Armor Agent Log Types

  1. In AMP, go to the Log Search screen.
  2. Click on Visualize.
  3. In the New Visualization pop up, select the Data Table visualization option.
  4. Choose a source.
  5. Below the Search bar, click the link for +Add Filter
    1. Filter #1
      1. Field = tags
      2. Operator = is not one of
      3. Values = armor_agent, windows, linux, oslogs
        1. Type *armor_agent* and hit enter
        2. Type *windows* and hit enter
        3. Type *linux* and hit enter
        4. Type *oslogs* and hit enter
      4. Hit Save
    2. Filter #2
      1. Field = data.type
      2. Operator = is not one of
      3. Values = trend
        1. Type *trend* and hit enter
      4. Filter #3
        1. Field = log.file.path
        2. Operator = is not one of
        3. Values = /opt/armor/filebeat
          1. Type */opt/armor/filebeat * and hit enter
        4. Hit Save
      5. Hit the Refresh button
    3. In the Data tab, expand the Metric configuration
      1. In the Aggregation dropdown, select Sum
      2. In the Field dropdown, enter message_size
    4. Under Buckets, click Add
      1. Select Split rows
        1. In the Aggregation dropdown, select Terms
        2. In the Field dropdown, select external_id
      2. Add another Bucket by clicking Add
        1. Select Split rows
          1. In the Sub aggregation dropdown, select Terms
          2. In the Field dropdown, select log.source
  6. Hit Update