Submit a ticketCall us

Welcome to the NEW Success Center. Search all resources (documentation, videos, training, knowledge base articles) or browse resources by product. If you are unable to find what you are looking for, please contact us at customersuccess@solarwinds.com

 

 

 

 

Home > Success Center > Log & Event Manager (LEM) > Inconsistent LEM AuditAlert Counts

Inconsistent LEM AuditAlert Counts

Created by Interspire Import, last modified by MindTouch on Jun 23, 2016

Views: 589 Votes: 0 Revisions: 9

Overview

The Log and Event Manager (LEM) AuditAlert count displayed in reporting is different from the AuditAlert count returned after SelectExpert filtering.

 

This inconsistency occurs because:

  • The report returns AuditAlert events AND all events that are children of AuditAlert.
  • The SelectExpert filter returns ONLY AuditAlert events, filtering out other events.

Environment

  • All LEM versions
  • All LEM Reports Console versions

Details

The Event Summary - Top Level Statistics report displays a data count that includes a collective count of all the child alerts for that parent category. This report rolls up the child-to-parent alerts in the overall view. When you apply an expert filter to an alert, the view is limited to that particular Event and none of the child events. 

In the example below, the AuditAlert Event is a parent event that has multiple child events. Let’s assume this alert has three children: AuditAlert (11052), AuthAudit (10000), and PolicyAudit (10000). Added together, these child events make a total of 31052.

lemchildeventtotalsreport.jpg

When the filter {summary.alert_name} = AuditAlert is applied, the filtered report retains the AuditAlert child events in the count and removes the AuthorizationAudit and PolicyAudit child events from the count. So the event count after filtering is 11052, rather than 31052.

Last modified
20:02, 22 Jun 2016

Tags

Classifications

Public