InTrust 11.4.1 - Reporting on Events Using Repository Viewer

Reporting on Events Using Repository Viewer

In addition to interactive work, Repository Viewer can be used for running scheduled reports based on repository contents. Scheduled reports are essentially searches that have been configured in advance and run automatically at regular intervals.

Therefore, the same considerations mostly apply to scheduled reports as to regular searches (see Searching for Events in Repository Viewer for details).

Scheduled reports work only on production repositories, not on idle repositories. For details about the difference between them, see Repository Connections.

Caution:

At this time, to set a schedule, you need to start with a custom search. You cannot schedule a report based on repository tree browsing results or a predefined search. If you want a scheduled report based on a predefined search or your current event view configuration, first save the settings using the Copy To or Save As button in the results pane. For details, see the Predefined Searches topic.

To configure a scheduled report

  1. Select the custom search you need in the treeview and click Report | Schedule Report in the results pane.
  2. On the first step of the wizard that opens, specify the time range that the report should cover.
    If you are setting up a report with the most recent events going back a specific time period, it is important to pick the right keyword:
    • Use Last to specify a period that starts with the beginning of a complete time unit and ends with the end of a complete time unit. For example, a report with a "last 7 days" time range that runs early on Monday will contain events from 12:00 AM the previous Monday to 11:59 PM on Sunday. The Last keyword is recommended for reports that run regularly, because it helps make sure that no results are lost between consecutive report runs.
      IMPORTANT: If you use the Last keyword, you should always set the schedule time around half-past some hour instead of exactly some hour (for example, 12:30 instead of 12:00). This will help avoid situations where the report fails to include events that occurred in the last few minutes of that hour. To change the time, type over the default hours and minutes values.
    • Use This to specify a period up to the time the report generation begins. This is the same behavior as during searches, but the option should be used with caution for reports. There is no telling when exactly the report will really start building—it may be minutes after the time specified by the schedule. Therefore, the This keyword is not recommended for reports that run regularly, because there might be gaps in event continuity from report to report.
    • The Before and Between keywords do not make much sense in a report. They are best used for one-off searches that you can export to files.

  3. Specify the type of report that you want. Depending on the layout in the event grid, you may have a choice of presentation. The Table type is always available and has the same layout as the grid. The Pie Chart and Column Graph types are available only if data in the grid is grouped by exactly one field.

Note: The Pie Chart or Column Graph choice is selected automatically if you have clicked Report | Schedule Report on the Pie Chart or Column Graph tab in the results pane, respectively.

  4. Specify the desired file format and the delivery method for the report: whether to send it by email, save it in a network share, or both.

Notes:

  • Not all formats are available for all report types. For example, a pie chart cannot be saved to CSV.
  • If you select the CSV format, grouping and sorting settings will be ignored. Your report will contain a plain table of events sorted by time in descending order.
  • CSV has no limits on the number of included events. For the PDF format, the number of entries is capped at one million.

If you select to send the reports as email attachments, note the following:

  • You can change SMTP settings for email delivery under the list of recipients.
  • Consider setting the maximum attachment size to avoid putting unnecessary load on the SMTP server.
  • If you expect the report files to be large, consider using both delivery methods instead of just email.
  • In the event of email delivery failure due to an exceeded maximum attachment size, the specified recipients get a notification message about this.
  • The report recipients you specify will get not only the resulting reports, but also any messages about possible reporting failures.
  5. Set the schedule for the regular report runs. You can specify a very precise pattern. Note that if a lot of reports happen to be scheduled for the same time, they are queued to run one after another, and the start of your report run may be delayed.
    If necessary, change the InTrust server that will run the report in the Server drop-down list. Report generation is resource-intensive, and this option can help distribute the server load evenly.
  6. Review the resulting configuration and complete the wizard. On the final step, you can select to run the report immediately after you click OK.
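
The effect of the Last and This keywords on event continuity (the time range step of the procedure above) can be checked with a small model. The following Python code is an added example, not InTrust code: it treats each report's time range as a half-open interval, and the function names, the weekly Monday 00:30 schedule and the queueing delays are constructed assumptions.

```python
from datetime import datetime, timedelta

def last_days_window(run_start, days=7):
    """Model of 'Last N days': whole calendar days ending at the midnight
    before the run, so a delayed start does not move the window."""
    end = run_start.replace(hour=0, minute=0, second=0, microsecond=0)
    return end - timedelta(days=days), end

def this_days_window(run_start, days=7):
    """Model of 'This N days': a rolling period that ends at the moment
    report generation actually begins."""
    return run_start - timedelta(days=days), run_start

def coverage_gaps(windows):
    """Return the (gap_start, gap_end) intervals that no report covers
    between consecutive windows."""
    gaps = []
    for (_, prev_end), (next_start, _) in zip(windows, windows[1:]):
        if next_start > prev_end:
            gaps.append((prev_end, next_start))
    return gaps

def weekly_runs(first_scheduled, delays_minutes):
    """Actual start times: weekly schedule plus a per-run queueing delay."""
    return [first_scheduled + timedelta(weeks=i, minutes=d)
            for i, d in enumerate(delays_minutes)]

# Constructed scenario: scheduled for Mondays at 00:30, but the runs start
# 2, 17 and 5 minutes late because other reports are queued ahead of them.
SCHEDULED = datetime(2024, 1, 8, 0, 30)   # a Monday
DELAYS = [2, 17, 5]
RUNS = weekly_runs(SCHEDULED, DELAYS)

LAST_GAPS = coverage_gaps([last_days_window(r) for r in RUNS])
THIS_GAPS = coverage_gaps([this_days_window(r) for r in RUNS])

if __name__ == "__main__":
    print("Last 7 days gaps:", LAST_GAPS)
    for start, end in THIS_GAPS:
        print(f"This 7 days gap: {start} -> {end} ({end - start} unreported)")
```

In this scenario the Last windows tile without gaps, while the This windows leave 15 minutes of events on the first Monday that appear in no report.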

Tracking Report Progress and Running Manually

Searches that are scheduled on the currently selected repository or repositories have the icons of their respective report types: table, column graph or pie chart. For searches that are not scheduled at all or are scheduled on other repositories in the organization, magnifying glass icons are shown.

To view a list of the reports that are currently scheduled, select the Scheduled Report Status node in the navigation treeview. For each report, the last known status is shown in the details pane; it can be one of the following:

  • Scheduled
    The report has never been run.
  • Running
  • Succeeded
  • Failed

To view existing scheduled reports for more than just the currently selected repository or repositories, select the Show reporting sessions for all repositories in the organization option.

You can run any idle report in this list by right-clicking the report and selecting Run. To stop a running report, right-click it in the list and select Stop.

Note: An InTrust server can run no more than two reports at once. If more reports have overlapping schedules, they are queued.

Just like elsewhere in Repository Viewer, you can group the results in the details pane by dragging table column names to the grouping area.

Reconfiguring and Disabling Reports

Each custom search has individual reporting settings. If you want to make changes to your reports, consider the following:

  • To change the result-related options, such as the report layout or filter settings, modify the search itself. This will affect all subsequent scheduled runs.
  • To change the schedule, select the search you want and click Report | Schedule Report in the results pane. This will affect the schedule of that particular search.

To disable a schedule, select the search you want and click Report | Remove Schedule in the results pane. If you do this while a report is being generated, it will be completed, and the subsequent runs will be canceled.
