Inconsistent LEM AuditAlert Counts

Created by Interspire Import, last modified by MindTouch on Jun 23, 2016

Overview

The Log and Event Manager (LEM) AuditAlert count displayed in reporting is different from the AuditAlert count returned after SelectExpert filtering.

This inconsistency occurs because:

  • The report returns AuditAlert events AND all events that are children of AuditAlert.
  • The SelectExpert filter returns ONLY AuditAlert events, filtering out other events.

Environment

  • All LEM versions
  • All LEM Reports Console versions

Details

The Event Summary - Top Level Statistics report displays a data count for each parent category that includes the collective count of all of that category's child alerts. In other words, the report rolls child alerts up into their parent in the overall view. When you apply an expert filter to an alert, the view is limited to that particular event and none of the child events.

In the example below, the AuditAlert Event is a parent event that has multiple child events. Let’s assume this alert has three children: AuditAlert (11052), AuthAudit (10000), and PolicyAudit (10000). Added together, these child events make a total of 31052.

(Screenshot: lemchildeventtotalsreport.jpg)

When the filter {summary.alert_name} = AuditAlert is applied, the filtered report retains the AuditAlert child events in the count and removes the AuthorizationAudit and PolicyAudit child events from the count. So the event count after filtering is 11052, rather than 31052.
