Build Rule ViewBuild Rule View
The Build Rule view explains the actions and associated procedures that you can perform under Rules.
This workflow shows the procedure to create or deploy a rule.
What do you want to do?
|Role||I want to ...||Show me how|
|Administrator / Analyst||
Configure Reporting Engine
For more information, see "Step 3: Configure Reporting Engine Data Sources" topic in the Reporting Engine Configuration Guide
|Administrator / Analyst||Create a List or List Group/Create or Deploy a Rule/Test a Rule*||Configure a Rule|
Administrator / Analyst
Create and Schedule a Report
|Administrator / Analyst||View a report or list of all reports||View a Report|
|Administrator / Analyst||Investigate a Report||Investigate a Report|
|Administrator / Analyst||Manage/Access Control for lists, Rules or Reports||Manage Lists, Rules or Reports|
*You can complete these tasks here.
To access the Build Rule view:
- Go to Reports.
The Manage tab is displayed.
- In the Rules toolbar, click > NetWitness Platform DB.
The Build Rule view tab is displayed
The Build Rule view includes the following panels.
The Rule panel allows you to create a rule for the selected database type.
The following figure shows the Rule panel.
The following table describes the features in the Rule panel.
|Rule Type||A drop-down list of supported database types for which you can create rules. The options are: NetWitness DB and Warehouse DB.|
|Name||The name of the rule that you are creating or editing.|
|Summarize||A drop-down list of summarize options. The options are: None, Event Count, Packet Count, Session Count and Custom.|
|Select||The meta key for which you need the aggregate values; for example, ip.dest.|
|Where||A Where clause that defines the conditions that trigger the rule execution; for example, ip.dest = 127.0.0.1.|
|Group By||The grouping method for the results. For example, specifying ip.dest produces a report in which like ip.dest values are grouped.|
|Then||A Then clause that defines the rule actions for additional processing on the output.|
|Order By||The sequencing method used to show results. For example, specifying Order By the value in the Total column, Ascending, produces a report in which the results are sorted in ascending order based on the value in the Total column.|
|Session Threshold||A selection list for the session threshold, which specifies maximum number of sessions that should be processed for aggregate functions.|
|Limit||A selection list for the maximum number of result rows to be fetched.|
|Use||Clicking Use enables you to use the Rule to generate a Report, Alert of Chart.|
|Save||Clicking Save saves the rule that you are editing and the Build Rule panel remains open. Before testing a rule, you must save it if you want to keep your changes.|
|Reset||Clicking Reset clears all the field information .|
Clicking test rule opens the Test Rule dialog.
Test Rule Dialog
To access the Test Rule view:
Go to Reports.
The Manage tab is displayed.
In the Rules panel, do one of the following:
- Select a rule and click in the Rules toolbar.
Click > Edit.
The Build Rule view tab is displayed.
Click Test Rule.
The Test Rule view is displayed.
The following table describes the features in the Test Rule Dialog.
|Data Source||A drop-down list of data sources for the type of rule you are testing. Possible data sources are: Concentrator, Broker, Decoder or Log Decoder.|
|Format||A drop-down list of the formats for displaying results for the rule. Possible formats are: Tabular, Area, Bar, Bubble, Column, Line, Pie, Step Line, Step Area, Spline Area, and Spline.|
A drop-down list of time range specification methods.
In the user interface, the date or time displayed depends on the time zone profile selected by the user.
|Use relative time calculation||Selecting this option calculates the time range relative to the current time.|
X-Axis and Y-Axis specify the metadata to be plotted in charts.
In the Y-Axis drop-down list, the aggregate functions used in the rule are listed. Sum, Count, Countdistinct and Average are the supported aggregate functions for rules.
|Run Test||Clicking Run Test executes a test of the rule last saved in the Rule Builder dialog. When the test is complete, the rule data (if any) for the selected time range is displayed.|
The Meta panel provides a list of available meta types that you can use to build the rule. You can use the meta types in the Select, Where, and Then clauses. The Reporting Engine maintains an active list of the available meta names by continuously synchronizing with the data source to which it is connected.
The following figure displays the Meta panel.
The following table describes the features in the Meta panel.
|Choose||Based on the rule type that you have selected, the available data sources are displayed in the drop-down list of the Meta panel. Select the required data source. The available meta types for the data source are displayed. Select a meta.|
|Filter||Filter the meta for a specific meta value.|
A List is a placeholder for a set of values that you can use in a meta or a variable. For example, you can define a list with all the whitelisted event source IP addresses. Once the List is defined then you can use the List name in the rule. This provides the flexibility of adding, modifying, and deleting the list values.
The Lists panel is a collection of Lists. The Reporting Engine maintains an active list of the available list names by continuously synchronizing with the collection to which it is connected.
The following figure displays the Lists panel.
The following table describes the features in the Lists panel.
|Import or Export a list.|
|Refresh the Lists.|
|If you select the NetWitness DB rule type, the options Where and Then are displayed. Insert the list in the Where or Then clause in the rule.|
|If you select the Warehouse DB rule type, the option Where is displayed. Insert the list in the Where clause in the rule.|