9. Reports

To add a new folder in an existing parent folder, first select the parent folder and then click the new folder button. To add a new folder at the top level, make sure that there is no selection in the reports browse pane, and then click the new folder button. The new folder button will be active only when a folder is selected or there is no selection.

To add a new report definition, first select the folder which will contain the new report definition, then click the new report button. The new report button will be active only when a folder is selected.

To copy report definition, first select the report definition that you want to copy, then click the copy report button. A copy of the report definition will be created in the same folder as the original report definition. You can use drag and drop to move the copied report definition to another folder. The copy report button will be active only when a report definition is selected.

To add a new report section, first select the report definition in which to add the new section, then click the new section button, and then select either HTML section, Query section, or Scripted query section. The new section button will be active only when a report definition is selected.

To copy a report section, first select the report section that you would like to copy, then click the copy section button. A copy of the report section will be created in the same report definition as the original report section. You can use drag and drop to move the copied report section to another report definition. The copy section button will be active only when a report definition is selected.

To delete a folder, report definition, or report section, first select the folder, report definition or report section, then click the delete button. The delete button will be active only when there is a selection. You can also delete the current selection by clicking with the right button and selecting Delete from the menu.

sFlowTrend-Pro allows you to import report definitions and export report definitions so that they can be imported into another sFlowTrend-Pro installation.

To import a report definition, click on the import button . This brings up a dialog which allows you to select a previously exported report definition and import it into sFlowTrend-Pro. The report definition will be imported into the Imported reports folder in the Reports tab.

To export a report definition, first select the report that you would like to export. Then click on the export button . The definition for the selected report will be downloaded to the web browser's download location. The exported report definition can then be transferred to another sFlowTrend-Pro installation or shared with other users. The export button will be active only when a report is selected. You can also export a selected report definition by clicking the right button and selecting Export.

Administrators can make changes to report definitions and how they are organized. To load changes that other administrative users have made click on the reload reports button.

You can change the name of a folder, report definition, or report section by clicking on the folder, report definition or report section. Or you can click with the right button on the current selection and select Edit name from the menu. You will be allowed to rename a folder, report definition or report section if you choose a name which is unique among siblings.

When you change the name of a folder, the folders in the parent folder will be resorted alphabetically. Similarly, when you change the name of a report definition, the reports within the folder will be resorted alphabetically.

The reports browse pane supports drag and drop. You can use drag and drop to move a folder to a different folder, move a report definition to a different folder, reorder sections within a report, or move a section to a different report. You will be allowed to move a folder, report definition or report section only if the move will not duplicate a name.

The table of data produced when a query is run can be displayed in a number of different formats. You can select the most appropriate format for your use of the data. Displaying the data in a Table gives the raw data from the query; use this if you need the actual numbers. For example, you might want to check on the absolute utilization of a link, or use the data in another application. Displaying the data in a Chart helps visualization of the results; use this if you want to compare different items quickly, for example, easily see the largest contributors to the utilization of a link. Another important difference between using a table and a chart is that a chart must have a value to plot. A table does not require a value, and so can be used to answer questions such as "which addresses were seen on a specific interface?".

In addition to choosing between a table and a chart, you can also decide whether to view the data as a total over the entire time period selected for the query, or as a trend of data over time. If you view the data as a total, then rows in the table represent data points for the whole time period. In this case, the interval from the time selector is ignored. If, however, you want to understand how a value changes over time, then you should select a trend. With a trend, each row in the table represents a data point for a period of time defined by the time selector interval.

If we use the Top Sources by frames query as an example, displaying the result of this query as a total will give the total frames sent by each of the top sources over the time period. Displaying the result as a trend will show how the number of frames sent by each of the top sources changed over time.

When a chart is used to display query results, the chart interprets results data using series, categories and values. sFlowTrend-Pro will choose the most appropriate fields to plot as categories and series based on the type of chart selected.

The display format information panel (see Section 9.1.5.2, “Editing a query using basic settings”) is useful in understanding how a query will be plotted. When a query is created in the basic or advanced settings tabs, then the categories, series and values that will be produced are shown. For time trend charts, since the categories are always time, this is assumed and not shown in the information panel. Similarly, for a totals chart, since the series are always generated from the values, the series are not shown. In the case of a table, the columns that will form the table are shown.

The following formats can be used to display the data:

The Basic settings tab helps you define and parameterize commonly used queries. These queries are very similar to those used in the Network tab (see Chapter 4, Network), Hosts tab (see Chapter 5, Hosts), and Services tab (see Chapter 6, Services).

To define a query using Basic settings, first decide whether you are interested in network traffic data (use the View selector to select Network), host performance data (use the View selector to select Host), or service performance data (use the View selector to select Service).

If the query is focused on network traffic data, you can select whether the query should extract data for the whole network or for an individual switch or interface. If the query should extract data for the whole network, use the Switch selector to select All switches. In this case, even if a traffic flow crossed multiple switches, the flow will only be counted once - ie the query de-duplicates the data. If the query should extract data about traffic crossing an individual switch and/or interface, use the Switch and Interface selectors to select the switch and interface of interest.

If the query is focused on host performance, you can select whether the query should extract data for all hosts or an individual host using the Host selector.

If the query is focused on service performance, you can select whether the query should extract data about all hosts or an individual host using the Host selector. You can use the Service selector to select the service of interest.

The next step is to use the Query selector to choose a predefined query; you can think of this as selecting the key fields for the columns in the query results. You can then use the Value selector to specify the value field column for the results. Note that the network Utilization and Counters predefined queries are only available when a single interface is selected using the Switch view and Interface view selectors.

The next step is to parameterize the query:

Once you have fully parameterized the query, you can select how you would like the results to be displayed using the Display results in selector to select a display format. When you select a display format, sFlowTrend-Pro helps you understand how the data produced by the query will be displayed. For example, if you select Bar chart (totals), the display format information panel will show which fields will be used for the categories (bars) and the value field used to determine the height of the bar.

The Advanced settings tab allows you to define your own queries by manually selecting the key fields and value fields that the query should extract data for.

To define a query using Advanced settings, first select the database table that query should access. sFlowTrend-Pro includes three database tables:

If you have selected Counters or Traffic database table, you can then decide whether the query should extract data for the whole network or for specific switches or a specific interface. If the query should extract data for the whole network, check the All switches check box. If the query is to extract data for specific switches, then make sure that the All switches check box is not checked, then select one or multiple switches from the list of switches being monitored. If the query should extract data about traffic crossing an individual interface, select the switch for the interface, then use the Interface selector to select the interface of interest. If the query is defined to have a view with multiple switches, if a traffic flow crossed multiple switches, the flow will only be counted once - ie the query de-duplicates the data.

If you have selected the Host counters database table, you can then decide whether the query should extract data for all hosts or for specific hosts. If the query should extract data for all hosts, check the All hosts check box. If the query is to extract data for specific hosts, then make sure that the All hosts check box is not checked, then select one or multiple hosts from the list of hosts being monitored.

If you have selected the Service counters or Services database table, you can then decide whether the query should extract data for all hosts or for specific hosts. If the query should extract data for all hosts, check the All hosts check box. If the query is to extract data for specific hosts, then make sure that the All hosts check box is not checked, then select one or multiple hosts from the list of hosts being monitored. If the query should extract data about a specific service, then use the Service selector to select the service of interest.

The next step is to specify the fields for which the query should extract data for. The Select query fields panel allows you to select fields from those available for the selected database. The available fields are shown in the Available fields list, with the value fields listed in italic. If you want to display the results of the query in a chart, you must select at least one value field. The Available fields list includes a type in text field that allows you to filter the available fields for fields whose names match the typed in text. For example, if you have selected the Traffic database, you can type addr into the type in field to see only those fields which include addr in their names.

The Allow nulls in keys checkbox allows you to specify whether the query results can include flows with keys whose values are null. For example if you create a query with macSource, ipSource and framesTotal fields and check Allow nulls in keys, the query results can include layer 2 only flows (eg layer 2 broadcasts, ARP). If you do not check Allow nulls in keys, then the query results will only include flows that have both a MAC layer and an IP layer.

You can also specify functions of fields. Functions are described at Section 16.4, “Database functions”. Click the Function button to show a dialog that helps you build a function. Some functions may not be relevant for the selected database.

If you have selected at least one value field, you will have the option of selecting whether the query results should be sorted and which value the results should be sorted on. You can also specify the Top N, which will cause the query results to show only the top n entries when sorting on the specified value. You can also choose to see all the results by checking the Include all checkbox, this is only sensible if you choose to display the query results in a table.

As with the Basic settings, you can parameterize the query further by selecting a time period for which data should be extracted (see Chapter 10, Selecting a time period ) and a filter to select traffic that meets certain attributes (see Chapter 11, Filtering).

The final step is to select the output format for the query results using the Display results in selector. Select a table or chart appropriate to the report you are creating.

The Category or series format field can be used to improve the formatting of a chart. This can be set to a string, using the syntax of the Java Formatter class. Depending on the chart selected, a list of fields are used for the categories or series in the chart. The format string can combine the members of the list into a more human-readable form. Each item in the list of categories or series can be referenced in the format string using %i$s, where i is the i^th member of the list. For example, if the series list is agent, ifIndex (as in the example), and a format string %1$s>%2$s is used, then the series will be named agent>ifIndex. If a format is not specified, then the series will be named using a comma separated list (agent, ifIndex in the example).

It can be quite complicated to create a format string. The basic approach is to consider that each item in the series or category list will always be a string, and can be referenced using %1$s, %2$s, etc. Other characters can then be used to combine these together in a meaningful way (in the example above, the '>' character is used to separate the agent from the ifIndex).

The Scripted settings tab allows you to define your own queries by manually specifying the key fields and value fields that the query should extract data for. Using a scripted query allows complete flexibility in the queries that can be run and charts generated. It is also possible to use the same set of data to create multiple output images in the report, for example a chart and a table of results. This technique can make reports faster to run with slow queries, since the query only has to be executed once. Scripted queries are written using the JavaScript language. This document does not describe the JavaScript language, however there are many good books and web sites on this topic. The user contributions area at the InMon Corp customer portal (https://www.myinmon.com) can also be used for sharing example reports with other users.

The Scripted settings tab is divided into two areas: variable definitions and the script editor.

Variable definitions allow a query to be parameterized (run with different settings) without editing the script itself. Instead, a variable definition is changed. This mechanism is used by the basic and advanced query editors to specify the various parameters of a query. If you view a basic query within the scripted query editor (by selecting the Scripted settings tab, you can see the variables used. Variables can be changed by editing the name of the variable, or the value, within the table. A variable can be deleted by clicking , and new variables added as required. Any variables defined here can be accessed from the report script as properties of the reportVars object.

The script editor is how the actual report script is entered. The script should be written in standard JavaScript, which can also include special classes defined by sFlowTrend-Pro. The normal flow of a report is to define the query required, to run the query to obtain a table of results, and finally to visualize the results using a chart or a table. A simple example of top sources is shown below:

var query = new Query("flows", "",
                      'timestamp("Timestamp", time), sourceAddress,\
                       resolve("Source name", sourceAddress), rate(framesTotal)',
                      "", "lastHour", 1, "rate(framesTotal)", true, false, 5);
var result = query.run();
report.timeChart("lineChart", result, "sourceAddress, resolve(sourceAddress)",
                 "%1$s(%2$s", "rate(framesTotal)");                   
                    

Note that you have to take care with the use of single and double quotes, and use the line continuation character \ to concatenate long strings which cover multiple lines together. In particular, any quotes that appear within database functions must be double quotes (in the example above, we have used single quotes for the select string, to make it easier to then use double quotes within the functions).

You can refer to Section 16.5, “Classes and objects defined within scripted reports” for the reference of additional objects and classes defined within JavaScript to allow reports to be generated. Section 16.2, “Database fields reference” is the reference of fields available from the database, and Section 16.4, “Database functions” for the database functions that are available.