
TIBCO LogLogic® Unity Tutorials
Software Release 2.3
February 2016

Two-Second Advantage®


Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO, LogLogic, and Two-Second Advantage are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.

Enterprise Java Beans (EJB), Java Platform Enterprise Edition (Java EE), Java 2 Platform Enterprise Edition (J2EE), and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle Corporation in the U.S. and other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2014-2016 TIBCO Software Inc. All rights reserved.

TIBCO Software Inc. Confidential Information


Contents

TIBCO Documentation and Support Services
Installing Sample Logs
Importing File Data into LogLogic Unity
Creating a Regular Expression Source Configuration
Running a Search Using Smart Lists to Identify Target IP Addresses That Have Been Blacklisted
    Create a Smart List
    Using a Smart List in a Search
    Editing a Smart List
Creating a Correlation Blok on Linux Login Data to Track Failed Logins Followed by Successful Login
Alerting on Failed Logins Across Multiple Applications and Systems
    Activating a Saved Trigger
Creating a TIBCO Hawk Collector
Creating a Dashboard Using TIBCO Hawk Events
    Creating a Gauge Widget
    Creating a Pie Widget
    Creating a Number Widget
    Creating a Line Widget


TIBCO Documentation and Support Services

Documentation for this and other TIBCO products is available on the TIBCO Documentation site. This site is updated more frequently than any documentation that might be included with the product. To ensure that you are accessing the latest available help topics, please visit:

https://docs.tibco.com

Product-Specific Documentation

Documentation for TIBCO products is not bundled with the software. Instead, it is available on the TIBCO Documentation site. To directly access documentation for this product, double-click the following file:

TIBCO_HOME/release_notes/TIB_logu_version_docinfo.html

where TIBCO_HOME is the top-level directory in which TIBCO products are installed. On Windows, the default TIBCO_HOME is C:\tibco. On UNIX systems, the default TIBCO_HOME is /opt/tibco. The following documents for this product can be found in the TIBCO Documentation site:

● TIBCO LogLogic® Unity Installation and Configuration Guide

● TIBCO LogLogic® Unity User's Guide

● TIBCO LogLogic® Unity Developer's Guide

● TIBCO LogLogic® Unity Tutorials

How to Contact TIBCO Support

For comments or problems with this manual or the software it addresses, contact TIBCO Support:

● For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site:

http://www.tibco.com/services/support

● If you already have a valid maintenance or support contract, visit this site:

https://support.tibco.com

Entry to this site requires a user name and password. If you do not have a user name, you can request one.

How to Join TIBCOmmunity

TIBCOmmunity is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCOmmunity offers forums, blogs, and access to a variety of resources. To register, go to the following web address:

https://www.tibcommunity.com


Installing Sample Logs

The sample logs needed for the following tutorials are packaged with the installers, and are loaded automatically on systems using the "standalone" configuration profile. Use the following steps to load these sample logs if you wish to use the tutorials on systems using the "distributed" configuration profile.

Prerequisites

Install, configure and start up TIBCO LogLogic Unity as described in the Installation Guide.

Procedure

1. Open a command window and log in as a non-root user.

2. Run the following commands:

cd $TIBCO_HOME/logu/<version>/tools/samples
auth/loadSample.sh
sys/loadSample.sh
vmstat/loadSample.sh
sample/loadSample.sh

Where: $TIBCO_HOME is the folder where TIBCO LogLogic Unity was installed.


Importing File Data into LogLogic Unity

You can import text data files directly into LogLogic Unity.

Procedure

1. Log into the LogLogic Unity Web UI by entering your credentials.

2. Click the Import button located on the upper-right corner of the toolbar.

3. From the Upload and import file drop-down menu, select the Choose file button.

4. Import data into LogLogic Unity by browsing to and selecting the file you want to import, and select Open. The Imports events from file window is displayed.

5. Select your Source configuration from the drop-down menu as System.

6. Select a Timestamp format.

Review the Preview parsed data section and validate that the timestamp format is being defined correctly.

7. Define the optional Year field.

This can be used when the timestamps in the data do not contain a year, for example, syslog data.

8. Select your Time zone. All data is stored in UTC. The time zone tells the system which time zone the log data comes from, so that it can correctly convert the timestamps into UTC; without it, searches and alerts will be offset by the difference between the two zones.

9. Select the Domain from the drop-down menu. By default, shared is selected. You can create a new domain by clicking the Create new domain link.

10. Enter the Source IP address as 10.5.1.1.

11. Enter the Source type as 30000.

12. Click the Import button. You can monitor the status of your import from the Upload and import file drop-down menu.


Creating a Regular Expression Source Configuration

LogLogic Unity can use regular expressions for extracting columns from matched logs (events).

Procedure

1. Log into the LogLogic Unity Web UI by entering your credentials.

2. Make sure that the data file has been imported into LogLogic Unity as described in the ImportingFile Data into LogLogic Unity tutorial.

3. In the Search field, enter the following search query:

use system | sys_collectIP = "10.5.1.1"

Based on your search query, the retrieved results are displayed on the Data panel.

4. Click the icon located on the upper-right corner of the Data panel to add a new source configuration.

5. Enter the name Hawk in the Name field.

6. Enter the description in the Description field. This is an optional field.

7. In the 1. Create source filter field, the source filter statement is populated.

8. Click 2. Add sample events and parsing rules to define a parsing rule.

9. In the Parsing rules panel, click Add new rule to add a new parsing rule. You can add multiple rules for the same source configuration.

10. Enter the name of the rule as alert_cleared in the Name field.

11. Enter the filter as ALERT_CLEARED in the Filter field.

12. From the Choose parser list, select the Regex parser.

13. In the Regex pattern field, enter the following statement (as a single line):

(?<Action>\w+)\s:\s\w+=\{\s\w+-\w+=(?<Host>\S+),\s\w+=(?<DNS>\w+),\s\w+-\w+=(?<HostIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}),\s\w+-\w+=(?<NetworkIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\}\s\S+=(?<AlertID>\d+),\s\w+=(?<Reason>\D+)##.*

The dots in the IP address fragments are escaped (\.). An unescaped dot matches any character, so a pattern written with bare dots would also accept tokens that are not addresses and the INET_ADDR conversion in a later step would then fail for those events.

14. Click Auto generate columns to extract columns based on the regex groups defined in the Regex pattern above.

You can now see colored highlighting in the Sample events panel for any event that matches this new rule, and the parsed events in the Parser preview panel.


15. Click the icon to add the parsing rule. The Parsing rules panel displays the newly added rule. Now create Rules 2 to 4 in the same way, as explained in the earlier steps.

16. Create Rule 2.

a) In the Parsing rules panel, click Add new rule to add a new parsing rule.

b) Enter the name of the rule as alert_received in the Name field.

c) Enter the filter as ALERT_RECEIVED in the Filter field.

d) From the Choose parser list, select the Regex parser.

e) In the Regex pattern field, enter the following statement (as a single line):

(?<Action>\w+)\s:\s\w+=\{\s\w+=\{\s\w+-\w+=(?<Host>\w+),\s\w+=(?<DNS>\w+),\s\w+-\w+=(?<HostIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}),\s\w+-\w+=(?<NetworkIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\},\s\w+-\w+=(?<AlertID>\d+),\s\w+=(?<Rulebase>\S+),\s\D+=(?<AlertState>\d+),\s\D+=(?<AlertText>.*),\s\D+=(?<TimeReceived>\w{3}\s\w{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}\s\w{3}\s\d{4}).*

f) Click Auto generate columns to extract columns based on the regex groups defined in the Regex pattern above.

g) Click the icon to add the parsing rule.

17. Create Rule 3.

a) In the Parsing rules panel, click Add new rule to add a new parsing rule.

b) Enter the name of the rule as microagent in the Name field.

c) Enter the filter as MICROAGENT in the Filter field.

d) From the Choose parser list, select the Regex parser.

e) In the Regex pattern field, enter the following statement (as a single line):

(?<Action>\w+)\s:\s\w+=\{\s\w+-\w+=(?<Host>\S+),\s\w+=(?<DNS>\w+),\s\w+-\w+=(?<HostIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}),\s\w+-\w+=(?<NetworkIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\},\s\w+=(?<MicroAgentID>\S+).*

f) Click Auto generate columns to extract columns based on the regex groups defined in the Regex pattern above.


g) Click the icon to add the parsing rule.

18. Create Rule 4.

a) In the Parsing rules panel, click Add new rule to add a new parsing rule.

b) Enter the name of the rule as rulebase in the Name field.

c) Enter the filter as RULEBASE_STATE_CHANGED in the Filter field.

d) From the Choose parser list, select the Regex parser.

e) In the Regex pattern field, enter the following statement (as a single line):

(?<Action>\w+)\s:\s\w+=\{\s\w+-\w+=(?<Host>\S+),\s\w+=(?<DNS>\w+),\s\w+-\w+=(?<HostIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}),\s\w+-\w+=(?<NetworkIP>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\s\},\s\w+=(?<Rulebase>\S+),\s\S+=(?<NewRulebaseState>\d+).*

f) Click Auto generate columns to extract columns based on the regex groups defined in the Regex pattern above.

g) Click the icon to add the parsing rule.

19. Click 3. Review configuration, or click the icon located on the right side of the page, to manage columns.

20. In the Columns panel, you can change the data types of custom columns by clicking in the Type field and selecting the data type from the list. Change the data type of the HostIP and NetworkIP columns to INET_ADDR, so that they are stored as addresses and can be compared with address columns and Smart Lists in searches.

21. Click Save. You can now test your source configuration by running a search query.

22. In the Search field, enter:

use Hawk

All parsed results are displayed on the Results tab.
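As an added example (not part of the tutorial and not LogLogic Unity code), the following Python script applies the four parsing rules from this procedure to constructed Hawk-style events, so a rule can be tested before the source configuration is saved. It assumes the Filter field is a plain substring test on the raw event, converts the (?<name>...) group syntax to Python's (?P<name>...), and emulates the INET_ADDR typing of step 20 with the ipaddress module; the sample events and their field names (agent-name, host-ip, and so on) are invented to fit the patterns and are not real TIBCO Hawk output. It also contrasts the escaped IPv4 fragment with the common unescaped form, in which a bare dot matches any character.

```python
"""Offline harness for the four Hawk parsing rules (added example).

The patterns are the tutorial's, with the IPv4 fragment factored out as the
token IPV4 so that the escaped and unescaped forms can be compared.  The
sample events below are constructed for this example, not real Hawk output.
"""
import ipaddress
import re

# Dots escaped.  A bare '.' matches any character, so the loose form also
# accepts "10x5x1x1" as a host address.
IPV4_STRICT = r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
IPV4_LOOSE = r"[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}"

# (rule name, Filter keyword, Regex pattern) as entered in the tutorial.
RULES = [
    ("alert_cleared", "ALERT_CLEARED",
     r"(?<Action>\w+)\s:\s\w+=\{\s\w+-\w+=(?<Host>\S+),\s\w+=(?<DNS>\w+),"
     r"\s\w+-\w+=(?<HostIP>IPV4),\s\w+-\w+=(?<NetworkIP>IPV4)\s\}\s\S+="
     r"(?<AlertID>\d+),\s\w+=(?<Reason>\D+)##.*"),
    ("alert_received", "ALERT_RECEIVED",
     r"(?<Action>\w+)\s:\s\w+=\{\s\w+=\{\s\w+-\w+=(?<Host>\w+),\s\w+=(?<DNS>\w+),"
     r"\s\w+-\w+=(?<HostIP>IPV4),\s\w+-\w+=(?<NetworkIP>IPV4)\s\},\s\w+-\w+="
     r"(?<AlertID>\d+),\s\w+=(?<Rulebase>\S+),\s\D+=(?<AlertState>\d+),\s\D+="
     r"(?<AlertText>.*),\s\D+=(?<TimeReceived>\w{3}\s\w{3}\s\d{1,2}\s\d{1,2}:"
     r"\d{1,2}:\d{1,2}\s\w{3}\s\d{4}).*"),
    ("microagent", "MICROAGENT",
     r"(?<Action>\w+)\s:\s\w+=\{\s\w+-\w+=(?<Host>\S+),\s\w+=(?<DNS>\w+),"
     r"\s\w+-\w+=(?<HostIP>IPV4),\s\w+-\w+=(?<NetworkIP>IPV4)\s\},\s\w+="
     r"(?<MicroAgentID>\S+).*"),
    ("rulebase", "RULEBASE_STATE_CHANGED",
     r"(?<Action>\w+)\s:\s\w+=\{\s\w+-\w+=(?<Host>\S+),\s\w+=(?<DNS>\w+),"
     r"\s\w+-\w+=(?<HostIP>IPV4),\s\w+-\w+=(?<NetworkIP>IPV4)\s\},\s\w+="
     r"(?<Rulebase>\S+),\s\S+=(?<NewRulebaseState>\d+).*"),
]

INET_ADDR_COLUMNS = ("HostIP", "NetworkIP")   # columns typed INET_ADDR in step 20


def to_python_syntax(pattern):
    """Unity/Java name groups as (?<name>...); Python's re wants (?P<name>...).
    The lookahead leaves (?<= and (?<! lookbehinds untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern)


def compile_rules(ipv4=IPV4_STRICT):
    """Compile every rule with the given IPv4 fragment substituted for IPV4."""
    return [(name, keyword, re.compile(to_python_syntax(pat.replace("IPV4", ipv4))))
            for name, keyword, pat in RULES]


def parse_event(line, rules=None):
    """Return (rule name, columns) for the first rule whose Filter keyword occurs
    in the line and whose pattern matches, else None.
    Assumption: the Filter field is a plain substring test."""
    for name, keyword, regex in rules or compile_rules():
        if keyword in line:
            match = regex.match(line)
            if match:
                return name, match.groupdict()
    return None


def inet_addr_ok(columns):
    """Emulate the INET_ADDR type: every address column must parse as IPv4."""
    try:
        for col in INET_ADDR_COLUMNS:
            if col in columns:
                ipaddress.IPv4Address(columns[col])
    except ValueError:
        return False
    return True


SAMPLE_EVENTS = [  # constructed; field names are assumptions
    "ALERT_CLEARED : agent={ agent-name=host01, domain=hawk, host-ip=10.5.1.1, "
    "network-ip=10.5.1.0 } alert-id=17, reason=Alert cleared by operator##",
    "ALERT_RECEIVED : alert={ agent={ agent-name=host01, domain=hawk, host-ip=10.5.1.1, "
    "network-ip=10.5.1.0 }, alert-id=42, rulebase=DiskSpace, alert state=2, "
    "alert text=Disk usage above 90 percent, time received=Wed Feb 17 10:15:30 UTC 2016",
    "MICROAGENT_ADDED : agent={ agent-name=host01, domain=hawk, host-ip=10.5.1.1, "
    "network-ip=10.5.1.0 }, microagent=com.example.hawk.microagent.Logfile",
    "RULEBASE_STATE_CHANGED : agent={ agent-name=host01, domain=hawk, host-ip=10.5.1.1, "
    "network-ip=10.5.1.0 }, rulebase=DiskSpace, new-state=1",
]
# Same shape as the first event, but the host address is not an address.
BOGUS_EVENT = SAMPLE_EVENTS[0].replace("host-ip=10.5.1.1", "host-ip=10x5x1x1")

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(parse_event(line))
    loose = parse_event(BOGUS_EVENT, compile_rules(IPV4_LOOSE))
    print("loose pattern matched bogus event:", loose is not None,
          "| INET_ADDR check passes:", inet_addr_ok(loose[1]))
    print("strict pattern matched bogus event:", parse_event(BOGUS_EVENT) is not None)
```

Run the script with a copy of your own events pasted into SAMPLE_EVENTS; an event that parses here but fails inet_addr_ok is one that the INET_ADDR column type would reject after import.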


Running a Search Using Smart Lists to Identify Target IP Addresses That Have Been Blacklisted

Running searches is often a very static experience. Users search for key words or phrases that they know in order to return specific results. Sometimes the data they want to see is more dynamic by nature and changes often. In this example an admin needs to review log messages that are sourced from or destined for any IP that is part of an international blacklist. Since this list changes and is not known by most administrators, it is difficult to write a query that would collect the right information. By using a dynamic list, the administrator can reference this changing list in any saved query or correlation rule and still get accurate results.

Create a Smart List

Create a smartlist configuration file that will list IP addresses that are a part of your blacklist.

Procedure

1. Create a smartlist configuration file. A sample file is provided below:

{
  "configurations": [
    {
      "smartListConfig": {
        "name": "ipBlackList",
        "valueType": "string",
        "mappings": {
          "10.97.170.168": "blacklist",
          "10.92.102.114": "blacklist",
          "10.40.223.175": "blacklist"
        }
      }
    }
  ]
}

2. Save your file using the following naming convention: <filename>.conf

3. To insert the blacklist using the llconf tool, change directory to $TIBCO_HOME/logu/<version>/tools/bin and use the following command:

./llconf -f <filename>.conf

Using a Smart List in a Search

Use the following steps to view your data.

Procedure

● From the Search tab, you can easily interact with your data by running the following query:

use sample | $ipBlackList(ll_sourceIP)='blacklist' | sys_domain = 'samples'

The label you compare against ('blacklist' here) must be the value used in the mappings section of the configuration file; a mismatch between the two returns no results.
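As an added example (not from the tutorial and not LogLogic Unity code), the following Python script builds the smartlist configuration document shown above from a plain-text blocklist feed, validating and de-duplicating the addresses before they reach llconf, and then applies the same lookup that the $ipBlackList(ll_sourceIP)='blacklist' search performs to a few constructed log records. The feed format (one address per line, '#' comments) and the log records are invented for the demonstration; lookup and filter_events only imitate the search filter.

```python
"""Generate a smartlist .conf from a blocklist feed and apply it (added example)."""
import ipaddress
import json

# Constructed feed: valid, duplicate, commented and malformed entries.
FEED = """\
# internal blocklist, updated nightly
10.97.170.168
10.92.102.114
10.40.223.175
10.97.170.168      # duplicate
10.0.0.999         # not an address, must be rejected
"""


def parse_feed(text):
    """Yield the valid, de-duplicated IPv4 addresses in a feed; skip junk."""
    seen = set()
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            addr = str(ipaddress.IPv4Address(token))
        except ValueError:
            continue                    # malformed entries never reach llconf
        if addr not in seen:
            seen.add(addr)
            yield addr


def build_smartlist(name, addresses, label="blacklist"):
    """Return the llconf document structure used in the tutorial."""
    return {"configurations": [{"smartListConfig": {
        "name": name,
        "valueType": "string",
        "mappings": {addr: label for addr in addresses},
    }}]}


def to_conf(doc):
    """Serialise the document as the JSON text to save as <filename>.conf."""
    return json.dumps(doc, indent=2, sort_keys=True)


def lookup(doc, name, value):
    """$name(column) in a search: the mapped label for value, or None."""
    for cfg in doc["configurations"]:
        smart_list = cfg["smartListConfig"]
        if smart_list["name"] == name:
            return smart_list["mappings"].get(value)
    return None


def filter_events(events, doc, name="ipBlackList", column="ll_sourceIP",
                  label="blacklist"):
    """Equivalent of: use sample | $ipBlackList(ll_sourceIP)='blacklist'."""
    return [ev for ev in events if lookup(doc, name, ev.get(column)) == label]


SAMPLE_EVENTS = [  # constructed log records, not the tutorial's sample data
    {"ll_sourceIP": "10.97.170.168", "msg": "ssh login"},
    {"ll_sourceIP": "10.1.1.5", "msg": "ssh login"},
    {"ll_sourceIP": "10.40.223.175", "msg": "http GET /admin"},
]

if __name__ == "__main__":
    doc = build_smartlist("ipBlackList", parse_feed(FEED))
    print(to_conf(doc))                 # save this output as <filename>.conf
    for ev in filter_events(SAMPLE_EVENTS, doc):
        print("blacklisted source:", ev)
```

Regenerating the file from the feed and re-running ./llconf -f <filename>.conf is the same workflow as the Editing a Smart List procedure, with the validation step done before the list is inserted.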


Editing a Smart List

The following steps can be used to modify a pre-existing Smart List.

Procedure

1. Open your pre-configured Smart List.

2. Edit the IP addresses as needed and save your updates.

3. You must re-insert the blacklist using the llconf tool. Change directory to $TIBCO_HOME/logu/<version>/tools/bin and use the following command:

./llconf -f <filename>.conf

Your Smart List will now be updated.


Creating a Correlation Blok on Linux Login Data to Track Failed Logins Followed by Successful Login

Creating a Blok as defined in the procedure below will help you defend against brute-force attempts on any system within an environment. Most users fail a login a few times in a row. Today's scripts are intelligent enough to attempt to log in a few times, then wait and try a few more times, mimicking standard user behavior. This is difficult to prevent, since most authentication policies allow a few failed attempts every 15 minutes before the counter resets. By setting up a rule to monitor this type of behavior, an admin can define a time window and a threshold to monitor for failed attempts followed by a successful attempt. The admin can also run the rule over a historical period to determine whether a breach happened before the alert was in place.

Prerequisites

● Collect data using a product running LMI 5.5.1 or higher, or use the sample file loaded as described in Installing Sample Logs.

● If you are using custom data, create a new source configuration and map its columns to columns in the LogLogic Schema.

Procedure

1. From the Search tab, click the icon located next to the Search field and select New Blok.

2. In the Add new Blok window, enter information in the following fields:

a) Blok type - From the drop-down menu, select Correlation.

b) Name - Enter the name of the Correlation. It must be a unique name that consists of a single word with no special characters or spaces.

c) Description - Enter the description of the Blok.

d) Source Statement - Enter the query using the Event Correlation Language. Make sure the syntax is valid. If custom data is being used, replace "Use sample" in the statement below with the name of the new source configuration.

Use sample
Within 1h
Event Group LoginFailed
At Least 1 Events
Where ll_eventActionID = "2" And ll_eventStatusID = "4"
With The Same ll_targetUser
Having At Least 1 Distinct ll_sourceDomain Limit 1000
Limits 10000 Groups And 100000 Events
Event Group LoginSuccess
At Least 1 Events
Where ll_eventActionID = "2" And ll_eventStatusID = "3"
With The Same ll_targetUser
Limits 10000 Groups And 100000 Events
Correlation
LoginFailed->ll_targetUser == LoginSuccess->ll_targetUser
LoginSuccess After LoginFailed

3. Click Validate to verify the statement.


4. Click Save to save the new Blok.
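As an added example (not from the tutorial and not LogLogic Unity's correlation engine), the following Python script replays the logic of the Blok above over constructed login events, so the window and threshold semantics can be checked offline before the Blok is attached to a trigger. It assumes each event is a dictionary carrying the schema columns the Blok uses (ll_targetUser, ll_eventActionID, ll_eventStatusID, ll_sourceDomain) plus an epoch-second time; the action and status values ("2"/"4" for a failed login, "2"/"3" for a successful one) are those the Blok itself compares against. It goes slightly beyond the Blok by making the number of required failures a parameter, where the Blok uses At Least 1 Events.

```python
"""Failed-then-successful-login correlation replayed in Python (added example)."""
from collections import defaultdict

WINDOW_SECONDS = 3600      # "Within 1h"
LOGIN_ACTION = "2"         # ll_eventActionID used by the Blok
FAILED = "4"               # ll_eventStatusID for LoginFailed
SUCCEEDED = "3"            # ll_eventStatusID for LoginSuccess


def is_failed_login(ev):
    return ev["ll_eventActionID"] == LOGIN_ACTION and ev["ll_eventStatusID"] == FAILED


def is_successful_login(ev):
    return ev["ll_eventActionID"] == LOGIN_ACTION and ev["ll_eventStatusID"] == SUCCEEDED


def correlate(events, window=WINDOW_SECONDS, min_failures=1):
    """Return one hit per successful login that was preceded, within `window`
    seconds, by at least `min_failures` failed logins for the same
    ll_targetUser: the Blok's join on ll_targetUser plus
    'LoginSuccess After LoginFailed'.  min_failures generalises the Blok's
    'At Least 1 Events' threshold."""
    failures = defaultdict(list)        # user -> [(time, ll_sourceDomain)]
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["ll_targetUser"]
        if is_failed_login(ev):
            failures[user].append((ev["time"], ev["ll_sourceDomain"]))
        elif is_successful_login(ev):
            # Only failures strictly before the success and inside the window count.
            recent = [(t, d) for t, d in failures[user]
                      if ev["time"] - window <= t < ev["time"]]
            if len(recent) >= min_failures:
                hits.append({
                    "ll_targetUser": user,
                    "failed_logins": len(recent),
                    "distinct_source_domains": len({d for _, d in recent}),
                    "first_failure": recent[0][0],
                    "success_time": ev["time"],
                })
    return hits


def _ev(t, user, status, domain="corp"):
    """Constructed login event in the shape the Blok's columns imply."""
    return {"time": t, "ll_targetUser": user, "ll_eventActionID": LOGIN_ACTION,
            "ll_eventStatusID": status, "ll_sourceDomain": domain}


T0 = 1455703200   # constructed base timestamp (epoch seconds)
SAMPLE_LOGINS = [
    _ev(T0,        "alice", FAILED, "corp"),
    _ev(T0 + 60,   "alice", FAILED, "vpn"),
    _ev(T0 + 1800, "alice", FAILED, "corp"),
    _ev(T0 + 2400, "alice", SUCCEEDED),      # 3 failures in the last hour: hit
    _ev(T0,        "bob",   FAILED),
    _ev(T0 + 7200, "bob",   SUCCEEDED),      # failure outside the window: no hit
    _ev(T0,        "carol", SUCCEEDED),
    _ev(T0 + 300,  "carol", FAILED),         # success before failure: no hit
    _ev(T0,        "dave",  FAILED),         # never succeeds: no hit
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGINS):
        print(hit)
```

Raising min_failures is the knob the introduction describes: with the Blok's own threshold of one, a single mistyped password followed by a correct one fires the alert, so tune it against your real login data before activating the trigger.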


Alerting on Failed Logins Across Multiple Applications and Systems

Used with the correlation Blok for login data created in the previous procedure, this will allow any organization to proactively monitor login activity and review any suspected breaches. Each suspected breach can then be acknowledged and annotated for future review as needed.

Prerequisites

● Follow the steps for Creating a Correlation Blok on Linux Login Data to Track Failed Logins Followed by a Successful Login.

Procedure

1. On the toolbar, click the Administration icon to display the Administration overview landing page.

2. From the Administration overview landing page, click the Triggers link in the Rules panel.

3. From the Triggers page, click the icon to add a new trigger.

4. In the Trigger details section, enter the following information:

a) Trigger name - The name of the trigger.

b) Description - The description of the trigger.

c) Severity - Select the severity of the trigger from the drop-down menu.

d) Category - Select the category of the trigger from the drop-down menu.

5. Select the Correlation Blok created in the Creating a Correlation Blok on Linux Login Data to Track Failed Logins Followed by a Successful Login tutorial.


6. Optional: In the Notifications section, enter the following information:

a) To - The email address of the person who should receive an alert email. Using the comma (,) separator, you can add multiple recipients.

b) Subject - The subject of the email.

c) Message - The description of the alert. You can use the defined variables from the list on the right side. Double-click a variable to add it to the Body field. The variables may change based on your data.

Click the icon to add a new notification. You can add multiple notifications for a single trigger.

7. In the Configure notifications section, accept the system defaults.

8. Click Save to add the new trigger. The newly added trigger is displayed on the Trigger management page.

Activating a Saved Trigger

A saved trigger does not fire until it is deployed. After saving the trigger from the previous tutorial, follow the steps below to activate it.

Procedure

1. On the Triggers page, click on the Deploy all triggers icon to activate your trigger.

2. In the Sync triggers window, select Sync.

3. Click Save to load the trigger into memory and activate it. Alerts can be viewed from the Alerts tab.


Creating a TIBCO Hawk Collector

You can configure various data sources from which machine data can be collected and fed into LogLogic Unity for further analysis.

TIBCO Hawk® is an event-based monitoring system built for managing distributed applications and operating systems. TIBCO Hawk uses TIBCO Messaging software for communication and inherits many of its benefits. You can choose one of two primary message transport mechanisms, TIBCO Rendezvous® or TIBCO Enterprise Message Service™, to communicate between the TIBCO Hawk deployment and LogLogic Unity.

By default, a disabled DefaultHawkCollector is visible in the system. Make sure to enable the collector for existing Hawk deployments that have correct message transport settings configured. If you do not have any existing Hawk deployments, you must manually configure the Hawk connector node. For instructions on how to configure the Hawk connector node, see the TIBCO LogLogic® Unity Installation and Configuration Guide.

Prerequisites

● TIBCO Hawk 4.9.1 or above must be installed and configured to connect via a local or remote connection to LogLogic Unity.

For more details about TIBCO Hawk, refer to the TIBCO Hawk documentation.

Procedure

1. On the toolbar, click the Administration icon to display the Administration overview landing page.

2. From the Administration overview landing page, click the Collectors link.

3. From the Collector management page, click the icon to add a new collector.

4. Enter the collector name in the Name field.

5. From the Type of collector list, select Hawk.

6. Enter the description in the Description field.

7. Enter the Hawk domain name in the Hawk Domain field.

8. From the Message Transport list, select TIBCO Rendezvous (RV).

9. Define the following fields:

Service - This instructs the Rendezvous daemon to use this service whenever it conveys messages on this transport. You can specify the port number as the service to be used, for example, "7474".

Network - This instructs the Rendezvous daemon to use a particular network for all communications involving this transport. The network parameter consists of up to three parts, separated by semicolons: network, multicast groups, and send address.

Daemon - This instructs the transport creation function how and where to find the Rendezvous daemon and establish communication. For a local daemon, specify the protocol and port, for example, tcp:7474. For a remote daemon, specify two parts, introducing the remote host name as the first part: tcp:<remote host name>:<port number>.

10. Select the Enable Hawk Alert/Subscription Data Collection check box to enable collection of TIBCO Hawk data (Alerts, Subscriptions, and Events) into the LogLogic Unity system.

11. From the Unity Domain list of pre-configured domains, select the domain where events should be stored.

12. Click Test to test the connection. After a successful connection, the new collector can be added.

13. Click Save to add the new collector. The newly added collector is displayed on the Collector management page.


Creating a Dashboard Using TIBCO Hawk Events

Prerequisites

● Make sure that you can access the collected TIBCO Hawk data. For details, see the Creating a TIBCO Hawk Collector tutorial.

Procedure

1. On the main header, click the Dashboard link to display the Dashboard landing page.

2. From the Dashboard page, click the icon to add a new dashboard.

3. To define the dashboard name, click the Untitled dashboard link to open a field and enter the name of the dashboard in the field.

4. From the Widget type panel, click the type of widget that you want to add to the dashboard. The following widget types are available:

● Line: provides results in the form of a line chart

● Bar: provides results in the form of a bar chart

● Pie: provides results in the form of a pie chart

● Number: provides a total count of the results

● Gauge: shows a single value against a configured range and thresholds

● Stacked Column: provides comparison in the form of a column chart

● Combined: provides combination results in the form of pie, column, and line chart

5. To define the widget name, click the Untitled widget link to open a field and enter the name of the widget in the field.

6. To configure each type of widget, click the Configure link or click the Settings icon. The Settings icon is displayed on the upper-right corner when you hover over the widget panel.


Creating a Gauge Widget

Procedure

1. Select the Gauge widget type and enter the following configuration options:

Query - Enter a search query. Example value: use Hawk_getTunableInfo | COLUMNS [Inodes Allocated]

Time - You can enter absolute and relative time ranges. Click the icon to open a window that allows you to define a time range. Example value: -10y

Show value of - Define the column name. As you start typing in the field, the available matching column names are displayed. Choose the column name from the list. Example value: Inodes Allocated

Unit - Define the appropriate unit. As you start typing in the field, the available units are displayed. Choose the appropriate option or enter the desired unit.

Range - Define the range. Example value: 0 to 20000

Threshold - Define the threshold range. Example value: 7000 and 8000

Auto refresh - Click the slider to ON to refresh the widget. By default, it is set to OFF.

Refresh widget - Enter a time interval to refresh the widget. The refresh action starts after the data is completely retrieved and displayed.

2. Click Save to save the widget. The widget is added and the retrieved results are displayed on the dashboard.


Creating a Pie Widget

Procedure

1. Select the Pie widget type and enter the following configuration options. The value used in this tutorial is listed under each field:

Query: Enter the search query.
    USE Hawk_getMemberStatisticsAll | COLUMNS MemberName as Agent, max(Entries) as Entries | MemberName CONTAINS 'seeder' | GROUP BY MemberName

Time: You can enter absolute and relative time ranges. Click the calendar icon to open a calendar for you to select a time range.
    -20m

Slice name: Define the column name. If the column name is already defined in the search query, the Slice name column is auto-populated. Otherwise, as you start typing in the field, the available matching column names are displayed. Choose the column name to define the slice of the pie.
    Agent

Slice value: The slice value of the pie.
    Entries

Show up to: Enter the number of slices to be displayed on the pie.
    4

Auto refresh: Click the slider to ON to refresh the widget. By default, it is set to OFF.

Refresh widget: Enter a time interval to refresh the widget. The refresh action starts after the data is completely retrieved and displayed.


2. Click Save to save the widget. The widget is added and the retrieved results are displayed on the dashboard.

Creating a Number Widget

Procedure

1. Select the Number widget type and enter the following configuration options. The value used in this tutorial is listed under each field:

Query: Enter a search query.
    use Hawk_getInstanceCountByCommand | COLUMNS [Process Count]

Time: You can enter absolute and relative time ranges. Click the calendar icon to open a window that allows you to define a time range.
    -10m

Show value of: Define the column name. As you start typing in the field, the available matching column names are displayed. Choose the column name from the list.
    Process Count

Unit: Define the appropriate unit. As you start typing in the field, the available units are displayed. Choose the appropriate option or enter the desired unit.

Description: Enter the widget description; it is displayed below the number.

Threshold: Define the threshold value. When the number is below the threshold value, the font color changes to green, and when the number is above the threshold value, the font color changes to red.
    1000

Auto refresh: Click the slider to ON to refresh the widget. By default, it is set to OFF.

Refresh widget: Enter a time interval to refresh the widget. The refresh action starts after the data is completely retrieved and displayed.
    5 seconds

2. Click Save to save the widget. The widget is added and the retrieved results are displayed on the dashboard.

Creating a Line Widget

Procedure

1. Select the Line widget type and enter the following configuration options. The value used in this tutorial is listed under each field:

Query: Enter a search query.
    use Hawk_getStatistics | COLUMNS sys_eventTime, [Input Packets], [Output Packets]

Time: You can enter absolute and relative time ranges. Click the calendar icon to open a window that allows you to define a time range.
    -10m

X-axis: Define the column name. If the column names are already defined in the search query, the X-axis column is auto-populated. Otherwise, as you start typing in the field, the available matching column names are displayed. Choose the column name to define the X-axis of the line chart.
    sys_eventTime

X-axis label: Define the label name for the X-axis that is displayed on the chart.

Y-axis: Define the column name. If the column names are already defined in the search query, the Y-axis column is auto-populated. Otherwise, as you start typing in the field, the available matching column names are displayed. Choose the column name to define the Y-axis of the line chart.
    Input Packets and Output Packets

Y-axis label: Define the label name for the Y-axis that is displayed on the chart.

Categorize by: Define the column name by which the Y-axis data will be combined into a series.

Auto refresh: Click the slider to ON to refresh the widget. By default, it is set to OFF.

Refresh widget: Enter a time interval to refresh the widget. The refresh action starts after the data is completely retrieved and displayed.

2. Click Save to save the widget. The widget is added and the retrieved results are displayed on the dashboard.
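As an added illustration that is not part of the TIBCO tutorial or of LogLogic Unity itself, the following Python reproduces what the Pie widget query in this tutorial does to its result rows (filter on MemberName CONTAINS 'seeder', GROUP BY MemberName with max(Entries), then cut to the "Show up to" count) and applies the Number widget's threshold coloring rule. The Hawk rows are constructed sample data, the largest-first ranking of slices and the handling of a value exactly equal to the threshold are assumptions, since the tutorial does not specify them.

```python
# Added example: a stand-in for the Pie widget query and the Number widget
# threshold rule from this tutorial. Not LogLogic Unity code; the Hawk data
# below is constructed for illustration only.

# Constructed rows, standing in for the result set of
# USE Hawk_getMemberStatisticsAll (one MemberName/Entries pair per sample).
HAWK_ROWS = [
    {"MemberName": "seeder-01", "Entries": 120},
    {"MemberName": "seeder-01", "Entries": 340},
    {"MemberName": "seeder-02", "Entries": 90},
    {"MemberName": "seeder-03", "Entries": 510},
    {"MemberName": "seeder-04", "Entries": 75},
    {"MemberName": "seeder-05", "Entries": 60},
    {"MemberName": "leech-01", "Entries": 999},  # dropped: no 'seeder' in name
]


def pie_slices(rows, contains="seeder", show_up_to=4):
    """Mimic the tutorial's pipeline:
    COLUMNS MemberName as Agent, max(Entries) as Entries
    | MemberName CONTAINS 'seeder' | GROUP BY MemberName
    and then keep at most `show_up_to` slices (the "Show up to" field).
    Assumption: slices are ranked largest-first before the cut."""
    agg = {}
    for row in rows:
        name = row["MemberName"]
        if contains not in name:          # MemberName CONTAINS 'seeder'
            continue
        agg[name] = max(agg.get(name, 0), row["Entries"])  # max(Entries) per group
    ranked = sorted(agg.items(), key=lambda kv: kv[1], reverse=True)
    return [{"Agent": name, "Entries": entries}
            for name, entries in ranked[:show_up_to]]


def number_color(value, threshold=1000):
    """Number widget rule from the tutorial: below the threshold the font
    turns green, above it red. Exactly-equal is not specified on the page;
    this example treats it as green (assumption)."""
    return "red" if value > threshold else "green"


if __name__ == "__main__":
    for slice_ in pie_slices(HAWK_ROWS):
        print(f"{slice_['Agent']:<10} {slice_['Entries']}")
    print(number_color(857), number_color(1200))
```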
