
Ability to export daily event counts from SSIM

Created: 23 Jul 2013 | 1 comment

(FYI - using 4.7.4)

How can you achieve exporting a daily event count (possibly by product) from the SSIM in order to accumulate daily counts for overall metrics and event density trending?

My theory in building a metrics framework for "SSIM Correlation Efficiency" is to compare three sets of figures:

1. Total Daily Event Count

2. Total Daily "Associated" Event Count - Achieved via SQL query that counts all events by day in the "Associated Event" Table

3. Total Daily Incident Count - Achieved via SQL query to "Incident" table

This shows a comparison of all events received by the SSIM, what percentage of those are correlated, and into what percentage of Incidents. Then, by comparing incident count to the number of Incidents that are actually acted upon or escalated on, it will show a moving average of proportion. Doing so "by Product" would be ideal, but for now, I just want it to work at all.

In order to accomplish this, I need a way to just get a count of EVERY EVENT and I don't want to have to run a Top N search and transcribe the count from there for every single day. That would be a nightmare...

Anyone have advice?

Comments (1)

wste

JH - I've been wanting to do similar trend reporting for a while, at least as far as doing some trending on events, but haven't found a way to do this with the SSIM reporting engine.  The best option I've found so far is with the command line simsar tool (https://www.symantec.com/business/support/index?page=content&id=TECH85747) combined with advanced data analytics tools (aka. awk + grep + sort + uniq on the Linux side, Excel on the Windows side).  I think this will only get you event data though, not incident data.  You could possibly also use the API to work with both events and incidents, but again that's probably more complicated than it should be given that it would be nice if SSIM could do more advanced trend analysis.

Do please let us know here if you come up with a solution.

-w
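The awk + sort approach mentioned in the comment above, sketched as an added example that is not part of the original thread. It assumes events have already been exported to comma-separated text with an ISO timestamp in the first field and the product name in the second; that layout, the sample rows and the function names are assumptions, not the documented simsar output format.

```shell
#!/bin/sh
# Constructed sample export. Assumed layout: timestamp,product,event id.
# This is NOT the documented simsar output format; adjust the fields to match yours.
sample_events() {
cat <<'EOF'
2013-07-22T23:59:58Z,Antivirus,e1
2013-07-23T00:00:03Z,Antivirus,e2
2013-07-23T08:15:40Z,Firewall,e3
2013-07-23T08:15:41Z,Firewall,e4
2013-07-23T19:02:11Z,Antivirus,e5
malformed line without a timestamp
2013-07-24T01:00:00Z,Firewall,e6
EOF
}

# Per-day, per-product counts as date,product,count. The day is taken from the
# timestamp as written (UTC here), so normalise time zones before exporting.
daily_counts() {
  awk -F',' '
    $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ && NF >= 2 {
      n[substr($1, 1, 10) "," $2]++; next
    }
    { skipped++ }                       # rows that do not parse are counted, not dropped silently
    END {
      for (k in n) print k "," n[k]
      if (skipped) print skipped " line(s) skipped" > "/dev/stderr"
    }' | LC_ALL=C sort
}

# Total events per day across all products, as date,count.
daily_totals() {
  daily_counts |
    awk -F',' '{ t[$1] += $3 } END { for (d in t) print d "," t[d] }' | LC_ALL=C sort
}

# Join daily totals ($1) with a second date,count file ($2), for example the
# per-day result of the "Associated Event" table query, and print
# date,total,associated,percent for every day present in both files.
correlated_pct() {
  awk -F',' 'NR == FNR { total[$1] = $2; next }
    ($1 in total) && total[$1] > 0 {
      printf "%s,%d,%d,%.1f\n", $1, total[$1], $2, 100 * $2 / total[$1]
    }' "$1" "$2"
}

sample_events | daily_counts
```

Appending each day's `daily_totals` output to one file gives the running series needed for trending; the same join works for the per-day incident counts.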