
approach to automating health checks in EV - how to confirm specific items are journaled

Created: 28 Apr 2014 | 2 comments

Hi

EV 9.0.2 and EV 10 environments.

Have a requirement where I want to automate some EV health checks.

We have many different feeds going into EV - journaled emails, IMs, chats, etc.

I want to set up an automated health check to ensure the items we expect to be journaled in a specific date range are being journaled.

e.g. for IMs, check for subject "Conversation with XXXXXX" between X date and Y date

I understand I can't query the EV database because it doesn't contain subject metadata; that is stored in indexes.

So I was thinking of using the EV search.asp page to achieve this goal.

i.e. use curl.exe or wget.exe to download a URL like:

http://dummy/EnterpriseVault/search.asp?volset=6271&sid=&option=&subject=&author=firstname_lastname&recipienttype=&recipientmatch=0&recipient=&toplevelselected=0&subfolders=0&otherresultattrs=&anumfrom=&custval=&retentioncategory=&folderpvids=&wholemsg=1&sizeto=&vaultid=1B12861C18E81BC4DAF1E6A2602E0ECBF1110000vaultamericas&content=&textmatch=0&text=&subjectmatch=0&authormatch=3&contentmatch=0&originallocation=&custname=&rankby=&createddatefrom=3%2F25%2F2013&createddateto=3%2F25%2F2014&snumfrom=&expireddatefrom=&expireddateto=&snumto=&othernumname=&othernumfrom=&othernumto=&documenttype=&anumto=&natcfrom=&allfieldsmatch=0&allfields=&sizefrom=&resultsetsize=500&resultsetbrevity=2&natcto=&otherdatename=&otherdatefrom=&otherdateto=

and then parse the output to confirm the expected data is there.

That approach will work, but our journal indexes contain many volume sets and you have to manually select the date range from the pull down list. While I can pull volume sets (index ID) via this query:

USE EnterpriseVaultDirectory
SELECT A.ArchiveName "Archive Name",
       IV.IndexVolumeIdentity "Index ID",
       IV.FolderName "Index Folder",
       IV.OldestItemDateUTC "Oldest Sent Item",
       IV.YoungestItemDateUTC "Newest Sent Item",
       IV.OldestArchivedDateUTC "Item First Archived On",
       IV.YoungestArchivedDateUTC "Item Last Archived On",
       IV.IndexedItems "Item Count"
FROM   Archive A, Root R, IndexVolume IV
WHERE  IV.RootIdentity = R.RootIdentity
  AND  R.RootIdentity = A.RootIdentity
ORDER BY A.ArchiveName, IV.IndexVolumeIdentity

and then pass the correct one via the URL, that's a bit of a pain.

I understand per http://www.symantec.com/business/support/index?page=content&id=TECH54559 that I can set UseFederatedSearch in webapp.ini - does this mean there will be no more pull down containing the volume sets? Does this place extra load on EV when searching if I still specify exact dates via the URL? I was thinking of doing this on one EV server only and then locking down that search page so end users can't use it.

Any ideas welcome!
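
The volume-set lookup and URL construction described in the post above, as an added example that is not part of the original post: it picks the index IDs whose sent-date span overlaps the requested range and builds one search.asp URL per volume set. Parameter names come from the URL in the post; the sample rows, archive names, vault ID placeholder, the reduced parameter set and the mapping of volset to Index ID are assumptions.

```python
from datetime import datetime
from urllib.parse import urlencode

# Constructed sample rows shaped like the IndexVolume query in the post:
# (archive name, index ID, oldest sent item UTC, newest sent item UTC).
VOLUMES = [
    ("Journal-IM", 6270, datetime(2012, 1, 1), datetime(2013, 2, 28)),
    ("Journal-IM", 6271, datetime(2013, 3, 1), datetime(2014, 1, 31)),
    ("Journal-IM", 6272, datetime(2014, 2, 1), datetime(2014, 4, 27)),
    ("Journal-Mail", 7001, datetime(2013, 1, 1), datetime(2014, 4, 27)),
]
VAULT_ID = "VAULT-ID-PLACEHOLDER"  # assumption: substitute the real vaultid


def volumes_for_range(rows, archive, start, end):
    """Return index IDs of `archive` whose sent-date span overlaps [start, end]."""
    return [vid for name, vid, oldest, newest in rows
            if name == archive and oldest <= end and newest >= start]


def search_url(base, volset, subject, start, end):
    """Build a search.asp URL for one volume set (assumes volset == Index ID)."""
    def mdy(d):
        return f"{d.month}/{d.day}/{d.year}"  # M/D/YYYY, as in the post's URL
    params = {
        "vaultid": VAULT_ID,
        "volset": volset,
        "subject": subject,
        "createddatefrom": mdy(start),
        "createddateto": mdy(end),
        "resultsetsize": 500,
    }
    return f"{base}/EnterpriseVault/search.asp?{urlencode(params)}"


def build_checks(rows, base, archive, subject, start, end):
    """One URL per overlapping volume set; no coverage at all is itself an alert."""
    volsets = volumes_for_range(rows, archive, start, end)
    if not volsets:
        raise LookupError(f"no index volume of {archive} covers the requested range")
    return [search_url(base, v, subject, start, end) for v in volsets]


if __name__ == "__main__":
    for url in build_checks(VOLUMES, "http://dummy", "Journal-IM",
                            "Conversation with", datetime(2013, 3, 25),
                            datetime(2014, 3, 25)):
        print(url)
```

A date range that spans several volume sets yields several URLs, so the health check passes only when the expected items turn up across the combined results.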


GabeV

Hi goatboy,

As a suggestion, you should not use the EV search.asp web page to search against a journal archive since it can generate a timeout error from the IIS server. Have you considered using Discovery Accelerator? DA is designed to perform complex searches that involve one or several archives with millions of items archived.

Also, you have EVOM or the SCOM package available to monitor the Enterprise Vault servers as well. Take a look at this technote:

Advanced Strategies for Monitoring Enterprise Vault
http://www.symantec.com/docs/HOWTO74545

I hope this helps.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

goatboy

Thanks Gabe,

We currently use DA to do these searches and that works fine, but I am trying to automate the process.

Thinking about it, I could try the following:

1. Set up scheduled searches in DA with the specific queries (e.g. Subject with XXXXXX)

2. Set up SQL queries to look at the results of those searches and a mechanism to alert when, for example, no results are found

This approach sounds OK, the only downside is that I don't want to have these scheduled searches accepted and increase the DA database size, so I will still need manual intervention to reject these results. Unless I can do that in SQL?

I did like this approach:

"SQL Statement to List Youngest (Newest) Indexed Item per Archive" from the Advanced Strategies link you provided. This would work well, except that I would need different journal archives for every single feed we have going into EV, which is a bit of a hassle.

thanks.