In Log Search, users can create queries and visualizations to better understand how Armor bills against log usage. Users will want to review usage for both Agent and non-Agent log types.
Query
For Armor Agent Log Types
To query Armor Agent log types:
In AMP, go to the Log Search screen.
Click on Discover.
Use the Change Index Pattern dropdown to view all customer accounts under your Partner account.
Click the View drop down, and change the Index Pattern to (Account ID)_partner.
Below the Search bar, click the link for +Add Filter
Field = tenant.id
Operator = is
Value = (Partner Customer Account ID)
Below the Search bar, click the link for +Add Filter
Filter #1
Field = tags
Operator = is one of
Values = armor_agent, oslogs
Type *armor_agent* and hit enter
Type *oslogs* and hit enter
Hit Save
Filter #2
Field = tags
Operator = is one of
Values = windows, linux
Type *windows* and hit enter
Type *linux* and hit enter
Hit Save
Hit the Refresh button
Visualization
For Armor Agent Log Types
To create a visualization for Armor Agent log types:
In AMP, go to the Log Search screen.
Click on Visualize
In the New Visualization pop up, select the Data Table visualization option.
Choose a source.
Below the Search bar, click the link for +Add Filter
Filter #1
Field = tags
Operator = is one of
Values = armor_agent, oslogs
Type *armor_agent* and hit enter
Type *oslogs* and hit enter
Hit Save
Filter #2
Field = tags
Operator = is one of
Values = windows, linux
Type *windows* and hit enter
Type *linux* and hit enter
Hit Save
Hit the Refresh button
In the Data tab, expand the Metric configuration
In the Aggregation dropdown, select Sum
In the Field dropdown, enter message_size
Under Buckets, click Add
Select Split rows
In the Aggregation dropdown, select Terms
In the Field dropdown, select external_id
Add another Bucket by clicking Add
Select Split rows
In the Sub aggregation, select Terms
In the Field dropdown, select winevent.log.source
Hit Update
Query for Non-Armor Agent Log Types
In AMP, go to the Log Search screen.
Click on Discover.
Use the Change Index Pattern dropdown to view all customer accounts under your Partner account.
Click the View drop down, and change the Index Pattern to (Account ID)_partner.
Below the Search bar, click the link for +Add Filter
Field = tenant.id
Operator = is
Value = (Partner Customer Account ID)
Below the Search bar, click the link for +Add Filter
Filter #1
Field = tags
Operator = is not one of
Values = armor_agent, windows, linux, oslogs
Type *armor_agent* and hit enter
Type *windows* and hit enter
Type *linux* and hit enter
Type *oslogs* and hit enter
Hit Save
Filter #2
Field = data.type
Operator = is not one of
Values = trend
Type *trend* and hit enter
Filter #3
Field = log.file.path
Operator = is not one of
Values = /opt/armor/filebeat
Type */opt/armor/filebeat* and hit enter
Hit Save
Hit the Refresh button
Visualization for Non-Armor Agent Log Types
In AMP, go to the Log Search screen.
Click on Visualize.
In the New Visualization pop up, select the Data Table visualization option.
Choose a source.
Below the Search bar, click the link for +Add Filter
Filter #1
Field = tags
Operator = is not one of
Values = armor_agent, windows, linux, oslogs
Type *armor_agent* and hit enter
Type *windows* and hit enter
Type *linux* and hit enter
Type *oslogs* and hit enter
Hit Save
Filter #2
Field = data.type
Operator = is not one of
Values = trend
Type *trend* and hit enter
Filter #3
Field = log.file.path
Operator = is not one of
Values = /opt/armor/filebeat
Type */opt/armor/filebeat* and hit enter
Hit Save
Hit the Refresh button
In the Data tab, expand the Metric configuration
In the Aggregation dropdown, select Sum
In the Field dropdown, enter message_size
Under Buckets, click Add
Select Split rows
In the Aggregation dropdown, select Terms
In the Field dropdown, select external_id
Add another Bucket by clicking Add
Select Split rows
In the Sub aggregation dropdown, select Terms
In the Field dropdown, select log.source
Hit Update
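The four procedures above (the agent query and visualization, and the non-agent query and visualization) all reduce to the same thing: a filter over tags, data.type and log.file.path, then a sum of message_size split by external_id and by a source field. The following added example, which is not Armor's code and not part of the original page, reproduces that computation offline over a handful of constructed sample documents so you can see what the Data Table will report, and adds one check a practitioner will want: documents that match neither partition (here, the trend and filebeat records the non-agent filters exclude) are not counted in either table, so the two tables do not necessarily add up to total ingest. The agent_query_dsl function shows an assumed Elasticsearch equivalent of the Kibana filters (term/terms on keyword fields); confirm it against your own index mapping before relying on it.

```python
"""Offline model of the Log Search usage tables described above.

Added example, not Armor's code. Field names (tenant.id, tags, external_id,
message_size, winevent.log.source, log.source, data.type, log.file.path) are
the ones the page filters and aggregates on; the documents are constructed.
"""
from collections import defaultdict

# Constructed sample documents shaped like the fields the page uses.
SAMPLE_DOCS = [
    {"tenant.id": "1234", "tags": ["armor_agent", "windows"], "external_id": "host-a",
     "winevent.log.source": "Security", "message_size": 500},
    {"tenant.id": "1234", "tags": ["armor_agent", "linux", "oslogs"], "external_id": "host-b",
     "winevent.log.source": None, "message_size": 300},
    {"tenant.id": "1234", "tags": ["syslog"], "external_id": "fw-1",
     "log.source": "firewall", "message_size": 200},
    {"tenant.id": "1234", "tags": ["syslog"], "external_id": "fw-1",
     "log.source": "firewall", "message_size": 150},
    {"tenant.id": "1234", "tags": ["beats"], "data.type": "trend", "external_id": "host-c",
     "log.source": "trend", "message_size": 900},
    {"tenant.id": "1234", "tags": ["beats"], "log.file.path": "/opt/armor/filebeat",
     "external_id": "host-c", "log.source": "filebeat", "message_size": 400},
    # A different tenant: must never appear in tenant 1234's tables.
    {"tenant.id": "9999", "tags": ["armor_agent", "windows"], "external_id": "host-z",
     "winevent.log.source": "System", "message_size": 1000},
]

AGENT_TAGS = {"armor_agent", "oslogs"}   # Filter #1 values (agent query)
OS_TAGS = {"windows", "linux"}           # Filter #2 values (agent query)


def is_agent_log(doc):
    """Agent query: tags 'is one of' armor_agent/oslogs AND 'is one of' windows/linux."""
    tags = set(doc.get("tags", []))
    return bool(tags & AGENT_TAGS) and bool(tags & OS_TAGS)


def is_non_agent_log(doc):
    """Non-agent query: the three 'is not one of' filters from the page."""
    tags = set(doc.get("tags", []))
    if tags & (AGENT_TAGS | OS_TAGS):                    # Filter #1
        return False
    if doc.get("data.type") == "trend":                  # Filter #2
        return False
    if doc.get("log.file.path") == "/opt/armor/filebeat":  # Filter #3
        return False
    return True


def usage_table(docs, tenant_id, predicate, source_field):
    """Data Table: Sum(message_size), split rows by external_id, then by source_field."""
    table = defaultdict(lambda: defaultdict(int))
    for doc in docs:
        if doc.get("tenant.id") != tenant_id or not predicate(doc):
            continue
        table[doc.get("external_id")][doc.get(source_field)] += doc.get("message_size", 0)
    return {host: dict(sources) for host, sources in table.items()}


def unaccounted(docs, tenant_id):
    """Documents for this tenant that land in neither table (excluded by Filters #2/#3)."""
    return [d for d in docs
            if d.get("tenant.id") == tenant_id
            and not is_agent_log(d) and not is_non_agent_log(d)]


def agent_query_dsl(tenant_id):
    """Assumed Elasticsearch equivalent of the agent Data Table (term/terms on keyword
    fields); verify against the real index mapping before using it via the API."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"tenant.id": tenant_id}},
            {"terms": {"tags": sorted(AGENT_TAGS)}},
            {"terms": {"tags": sorted(OS_TAGS)}},
        ]}},
        "aggs": {"by_host": {"terms": {"field": "external_id"}, "aggs": {
            "by_source": {"terms": {"field": "winevent.log.source"}, "aggs": {
                "bytes": {"sum": {"field": "message_size"}}}}}}},
    }


if __name__ == "__main__":
    print("agent:", usage_table(SAMPLE_DOCS, "1234", is_agent_log, "winevent.log.source"))
    print("non-agent:", usage_table(SAMPLE_DOCS, "1234", is_non_agent_log, "log.source"))
    print("counted in neither table:", len(unaccounted(SAMPLE_DOCS, "1234")), "documents")
```

Run it to see the two tables side by side; for the sample set the agent table holds host-a and host-b, the non-agent table holds fw-1 with both syslog records summed, and the trend and filebeat records appear in neither, which is the gap to keep in mind when comparing these tables to a billing total.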