View historical data

Created by Caroline Juszczak, last modified by Caroline Juszczak on Aug 05, 2016

You can view all historical events using the nDepth search utility. This utility provides a dashboard with tools to help you search and analyze historical log and event data that pass through a LEM manager.

Using nDepth, you can: 

When you start nDepth, the interface presents 10 minutes of log data generated from your agent and non-agent devices. You can change the time range by clicking the Time drop-down menu in the toolbar and selecting another time range.

The following illustration provides an overview of the nDepth dashboard.

[Illustration: overview of the nDepth dashboard]

| Number | Item | Description |
|---|---|---|
| 1 | History | Displays links to your recent nDepth search results. |
| 2 | Saved Searches | Displays links to your saved nDepth search results. |
| 3 | List pane | Displays categorized lists of events, event groups, event variables, and additional options you can use to create conditions for your filters. |
| 4 | Search bar | Searches all event data or the original log messages that pass through a LEM manager. Drag the toggle switch to select Drag & Drop or Text Search mode. |
| 5 | Respond | Displays a list of corrective actions you can execute when an event occurs, such as shutting down a workstation or blocking an IP address. |
| 6 | Explore | Displays several utilities you can use to research an event, including Whois, Traceroute, and NSlookup. |
| 7 | Time | Provides a drop-down menu to select the time range for your search. |
| 8 | Play | Executes the selected search. |
| 9 | Histogram | Displays the number of events or log messages reported within the selected search time range. |
| 10 | Dashboard | Displays the search results in all available widgets. You can change this view by clicking a widget in the nDepth toolbar. |
| 11 | nDepth Toolbar | Organizes log data into categories to identify activity in your network. Click a selection to display the category below the histogram. |

Search event logs using Search Builder

Search Builder provides a drag-and-drop method to create complex search queries on your event logs.

Using preconfigured elements such as events, event fields, and specific event values, you can drag a selected element from the List pane into the Search Builder Conditions box to perform your query. For example, to search and report activity in your Admin accounts, you can drag a user-defined group or directory service group into the Conditions box to initiate your search. You can also group search items, show Boolean (AND/OR) relationships between search items, and select specific values for each item.

  1. Click the Search Builder icon in the nDepth toolbar.

    The Search Builder Conditions box displays in the interface.

  2. In the List pane, click the Events menu and locate UserLogonFailure.

    You can enter a term in the Search field to narrow your search results.

  3. Drag the event into the Search Builder Conditions box.

    Your selection also displays in the Search bar. Drag the toggle switch down to view the event name in text.

  4. (Optional) A second menu may appear that provides additional fields to narrow your search. Drag a field from the Fields list into Search Builder to narrow your search.

    Mouse over the icon for additional information.

  5. (Optional) Click the triangle on the right side of the Conditions box and select the Boolean logic for your search.

    The Search box synchronizes with the Search Builder.

  6. Click the Time drop-down menu and select a time span for your search.

  7. Click Play to begin your search.

    Your search results display in the histogram and your dashboard widgets, such as Word Cloud and Tree Map. Click the nDepth toolbar options to display your search results in additional formats, such as line, pie, and bubble charts.

Search event logs using a keyword

If you cannot locate the information you need using Search Builder, you can enter a search term in the Search field to initiate a keyword search. This method displays all events that include your search term, such as a user name.

This example searches events that occurred within the last week that include administrator in the event.

  1. In the Search bar, click the icon that clears an existing search (if applicable).
  2. Drag the toggle switch down to enter the Text Input mode.

  3. Enter a search term in the Search field.

  4. Click the Time drop-down menu and select a time span for your search.

  5. Click Play to begin your search.
  6. Click Refine Fields in the List pane.

    Your search results appear in the histogram and your dashboard widgets, such as Word Cloud and Tree Map. Click the nDepth toolbar options to display your data in additional formats, such as line, pie, and bubble charts.

Refine your search

The Refine Fields pane organizes your search results into categories that help you surface embedded data and prompt further investigation. Use this option in conjunction with the Results Details pane to refine your search.

This example searches all logon failure events that occurred within the last 10 minutes that include administrator as the user name.

  1. Click Refine Fields in the List pane.

  2. Click Results Details in the nDepth toolbar.

    The Results Details pane displays in the nDepth interface.

  3. In the Refine Fields pane, maximize the User Name menu and double-click administrator.

  4. Click the Time drop-down menu and select a time span for your search.

  5. Click Play to begin your search.

    nDepth displays the results in the Results Details pane.

To begin a new search using your original search parameters, revert to your original search in the History pane.

Save a search

You can save and reuse any search you create. Saved searches include your entire search string as well as the selected time frame.

  1. Click the gear drop-down icon in the nDepth toolbar and select Save as.
  2. Enter a name for your search in the Search Name field.

  3. Click OK.

    Your saved search displays in the Saved Searches pane.

Schedule a search

You can schedule a saved search to run automatically based on your schedule parameters. This will help you monitor your network with minimal administration.

If your virtual appliance is offline for more than 24 hours, all scheduled searches may not run at the expected time. When the appliance is back online, all scheduled searches return to normal after 24 hours.

  1. Select a saved search in the Saved Searches pane.

  2. Click the gear drop-down icon in the Saved Searches toolbar and click Schedule.
  3. Complete the selections in the dialog box and click OK.

    An icon displays next to your scheduled search.

Export your search results

You can export your search results to a PDF or CSV based on the number of events or log messages included in your nDepth search results.

If your search results include up to 25,000 events or log messages, export your search results to a PDF file. If your search results include more than 25,000 events or log messages, export your search results to a spreadsheet in CSV format.

Export to a PDF file

  1. Click the gear drop-down icon in the nDepth toolbar and click Export.
  2. Remove any pages as required.

  3. Click the add-page icon to add a page, or click the layout icon to adjust the page layout to Portrait or Landscape.

  4. Click Export to PDF.

    nDepth prepares the PDF.

  5. Click Yes to confirm the export.

  6. Select a file location in the Save As dialog box and click Save.

    Your PDF file is saved.

Export to a CSV file

  1. Click the gear drop-down icon in the Results Details toolbar and click Export to CSV.
  2. Click Yes to confirm your export.
  3. Select a file location in the Save As dialog box and click Save.

    Your CSV file is saved.
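
Once results are exported to CSV, the refinement shown earlier (UserLogonFailure events for the administrator user name within a time span) and the histogram count can be repeated offline. The following Python sketch is an added example, not SolarWinds code. The column names `EventName`, `DetectionTime`, `UserName`, and `SourceMachine`, the timestamp format, and the sample rows are assumptions constructed for illustration; match them to the header row of your own export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout
# Constructed sample standing in for an nDepth CSV export. The column names
# are assumptions; match them to the header row of your own export.
SAMPLE_EXPORT = """EventName,DetectionTime,UserName,SourceMachine
UserLogonFailure,2016-08-05 12:01:10,administrator,ws-014
UserLogonFailure,2016-08-05 12:01:40,administrator,ws-014
UserLogon,2016-08-05 12:02:05,jsmith,ws-020
UserLogonFailure,2016-08-05 12:02:30,Administrator,ws-014
UserLogonFailure,2016-08-05 12:07:15,jsmith,ws-020
UserLogonFailure,2016-08-05 12:31:00,administrator,ws-031
"""


def refine(export_file, event_name, user_name, start, end):
    """Return rows for one event type and user inside [start, end)."""
    matches = []
    for row in csv.DictReader(export_file):
        when = datetime.strptime(row["DetectionTime"], TIME_FORMAT)
        if (row["EventName"] == event_name
                and row["UserName"].strip().lower() == user_name.lower()
                and start <= when < end):
            matches.append({**row, "DetectionTime": when})
    return matches


def histogram(rows, bucket_minutes=1):
    """Count rows per time bucket, as the nDepth histogram does for a search."""
    counts = Counter()
    for row in rows:
        when = row["DetectionTime"]
        minute = when.minute - when.minute % bucket_minutes
        counts[when.replace(minute=minute, second=0)] += 1
    return dict(sorted(counts.items()))


def failures_by_source(rows):
    """Group the refined rows by the machine that reported them."""
    return Counter(row["SourceMachine"] for row in rows)


if __name__ == "__main__":
    hits = refine(io.StringIO(SAMPLE_EXPORT), "UserLogonFailure", "administrator",
                  datetime(2016, 8, 5, 12, 0), datetime(2016, 8, 5, 12, 10))
    print(histogram(hits), dict(failures_by_source(hits)))
```

The user name comparison is case-insensitive so that `Administrator` and `administrator` land in the same group; replace `io.StringIO(SAMPLE_EXPORT)` with an opened export file to run it on real data.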

 
Last modified
12:35, 5 Aug 2016
