Previous Topic: Select an Event for Summarization

Next Topic: Apply a Suppression or Summarization Rule

Configure a Summarization Display

Summarization rules control how native events are displayed in the refined event. You configure a summarization display by selecting Summarized by fields and Aggregated fields.

To configure a summarization rule display

  1. Open the summarization wizard and advance to the Summarization step.
  2. Select the field or fields you want the refined event to be summarized by, using the shuttle control:
    Summarized By

    Controls the field or fields by which the summarized information is grouped. For example, in the case of a rule summarizing failed logins, select source_username to display the number of qualified failed login events for each unique user. You must select one or more Summarized By fields to complete the rule.

  3. (Optional) Select the field or fields you want the refined event to be aggregated by:
    Aggregated

    Controls the field or fields by which the summarized information is subdivided, depending on the Summarized By field. For example, in the case of a rule summarizing failed logins, select source_username as a Summarized By field, and dest_hostname as an Aggregated field. This displays the number of qualified failed login events for each unique user, subdivided by the host that the user attempted to log into.

    The aggregated fields' information is retained in the summarized events' raw event field. In the preceding example each unique host on which the user attempted the log on will be stored along with the number of occurrences, in the following format: hostname1:2,hostname2:5. This example shows 2 logon attempts from host 1 and 5 attempts from host 2.

    Aggregated fields are optional - you do not have to select an Aggregated field to complete the rule.

  4. Click the appropriate arrow to advance to the wizard step you want to complete next, or click Save and Close.

    If you click Save and Close, the new rule appears in the list, otherwise the step you choose appears.

When you create a new rule, it is saved as version 1.0. If you later edit the rule, a separate copy of the rule is stored as a new version. You can view earlier versions, and apply or copy them as needed.

More information:

Set Summarization Thresholds