Working with the Report Server
This section contains information on AccelOps Report Server architecture, viewing and querying CMDB and Event data in contained in the Report Server databases, and database maintenance.
Report Server Architecture: phoenixdb and reportdb
Working with CMDB Data in AccelOps Report Server
Viewing phoenixdb Organization
Querying Incident Data in AccelOps Report Server
Reference: Attribute Columns in the ph_incident_view Table
Sample Incident Queries
Querying Other CMDB Tables in AccelOps Report Server
Querying Device Vendor and Model Distribution for Discovered Devices Querying Discovered Devices
Working with Event Data in AccelOps Report Server
Viewing reportdb Organization
Syncing an AccelOps Report with Report Server
Deleting a Report from AccelOps Report Server
Modifying an Existing Report in AccelOps Report Server
Report Server Architecture: phoenixdb and reportdb
AccelOps Report Server contains two databases:
phoenixdb
This database contains the entire AccelOps CMDB and is populated via asynchronous PostgreSQL replication (slony) in near-real time.
reportdb
This database contains the results of event queries.
Topics in this section describe how to view the tables in these databases, and how those tables are organized. For viewing the tables, we recommend using the pgAdmin PostgreSQL database utility, which you can download from the pgAdmin website.
Working with CMDB Data in AccelOps Report Server
Data from the AccelOps CMDB database is populated to the AccelOps Report Server and stored in the Report Server phoenixdb. This section contains information on how to view the organization of phoenixdb, and write queries against the data it contains.
Viewing phoenixdb Organization
Querying Incident Data in AccelOps Report Server
Reference: Attribute Columns in the ph_incident_view Table Sample Incident Queries
Querying Other CMDB Tables in AccelOps Report Server
Querying Device Vendor and Model Distribution for Discovered Devices Querying Discovered Devices
Viewing phoenixdb Organization
This database contains the contents of the entire AccelOps CMDB database, including incidents.
- In the pgAdmin utility, go to File > Add Server.
- In the New Server Registration dialog, enter connection details for AccelOps Report Server.
For Maintenance DB, select phoenixdb.
For Username and Password, use the read-only user name and password that you created when you provisioned the Report Server.
- Click OK.
When the connection to the AccelOps Report Server is established, phoenixdb will load in the Object browser. There are approximately
197 tables in phoenixdb, which are replicated from the AccelOps cluster.
- Select a table to view, then right-click to open the Options
- In the Options menu, select View Data, and then select an option for which rows you want to view.
For example, to view the contents of the ph_device table, which contains CMDB information about discovered devices, you would select and then right click on ph_device, then select View Data > View All Rows.
You can also use this method to examine Views and other objects in the phoenixdb database.
Querying Incident Data in AccelOps Report Server
There are two ways to look at the incident data inside AccelOps Report Server:
Incident Tables (ph_incident and ph_incident_detail)
Contains the incidents
Incident View (ph_incident_view)
This is a database view that adds other context to the incident tables by joining with other tables in the database. Added information includes location and business service. Some information is parsed out for easier query, such as host names and IP address fields from incident_source, and incident_target fields in ph_incident are parsed out as separate fields in ph_incident_view.
This topic describes how to view the data contained in Incident View.
- Follow the instructions in Viewing phoenixdb Organization to access the phoenixdb database in AccelOps Report Server.
- Go to Views > ph_incident_view > Columns to view the table columns.
- Go to Views > ph_incident_view > View Data > View Last 100 Rows to view the incidents.
Reference: Attribute Columns in the ph_incident_view Table
Column Name | Format | Description |
incident_id | integer | Unique id for an incident |
cust_org_id | integer | Customer Id (for AO-SP) |
first_seen_time | integer | The time when the incident was first seen. The format is UNIX time but with milliseconds granularity. It is defined as the number of milliseconds that have elapsed since 00:00:00 Coordinated Universal Time |
last_seen_time | integer | The time when the incident was last seen. The format is UNIX time but with milliseconds granularity. It is defined as the number of milliseconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970 |
incident_et | string | Incident event type id e.g. PH_RULE_SERVER_HW_CRITICAL |
incident_status | integer | 0: Active 1: Auto Cleared 2: Manually Cleared 3: System Cleared |
incident_count | integer | The number of times this exact incident (with the same parameters: source, destination etc has happened) |
biz_name | string | Associated business service name |
severity | integer | Numerical severity of the incident – range 0-10 |
severity_cat | string | Incident severity category: 0-4: LOW, 5-8: MEDIUM and 9-10: HIGH |
orig_device_ip | string | IP address of the device that reported the incident |
ph_incident_category | string | Category of infrastructure affected by this incident: possible valies: Network, Server, Storage, Virtualization, Application, Internal |
incident_src | string | Incident Source string formatted as a list of <Attribute>:Value; e.g.
srcIpAddr:10.1.1.1,srcName:JoeLaptop |
src_ip_addr | string | Source IP parsed out from incident_src field |
src_name | string | Source Name parsed out from incident_src field |
src_device_location | string | (Geo) Location display name string for the object specified in incident_src |
src_country | string | (Geo) Country name string for the object specified in incident_src |
src_state | string | (Geo) State name for the object specified in incident_src |
src_building | string | (Geo) Building name for the object specified in incident_src |
src_floor | string | (Geo) Floor for the object specified in incident_src |
src_latitude | double | (Geo) Latitude for the object specified in incident_src |
src_longitude | double | (Geo) Latitude for the object specified in incident_src |
incident_target | string | Incident Destination string formatted as a list of <Attribute>:Value; e.g.
“destIpAddr:10.1.1.1,destName:JoeLaptop” or “hostIpAddr:10.1.1.1,hostName:JoeLaptop” |
dest_ip_addr | string | Destination IP parsed out from incident_target field |
dest_name | string | Destination Name parsed out from incident_target field |
dest_device_location | string | (Geo) Location display name string for the object specified in incident_target |
dest_country | string | (Geo) Country name string for the object specified in incident_target |
dest_state | string | (Geo) State name for the object specified in incident_target |
dest_building | string | (Geo) Building name for the object specified in incident_target |
dest_floor | string | (Geo) Floor for the object specified in incident_target |
dest_latitude | double | (Geo) Latitude for the object specified in incident_target |
dest_longitude | double | (Geo) Longitude for the object specified in incident_target |
host_ip_addr | string | Host IP address parsed out from incident_target field |
host_name | string | Host Name parsed out from incident_target field |
host_device_location | string | (Geo) Location display name string for the object specified in incident_target – populated if incident_target contains hostIpAddr |
host_country | string | (Geo) Country name string for the object specified in incident_target – populated if incident_target contains hostIpAddr |
host_state | string | (Geo) State name for the object specified in incident_target – populated if incident_target contains hostIpAddr |
host_building | string | (Geo) Building name for the object specified in incident_target – populated if incident_target contains hostIpAddr |
host_floor | string | (Geo) Floor for the object specified in incident_target – populated if incident_target contains hostIpAddr |
host_latitude | double | (Geo) Latitude for the object specified in incident_target – populated if incident_target contains hostIpAddr |
host_longitude | double | (Geo) Longitude for the object specified in incident_target – populated if incident_target contains hostIpAddr |
vm_name | string | VM Name if incident involves a Virtual machine – populated if incident_target contains vmName |
user_attr | string | User name if incident involves user, i.e. incident_target contains user |
target_user_attr | string | Target user name if incident involves user, i.e. incident_target contains targetUser |
ldap_domain | string | Domain if incident involves user, i.e. incident_target contains domain |
computer | string | Computer name incident_target contains computer |
target_computer | string | Target Computer name incident_target contains targetComputer |
incident_details | string | Incident Details containing evidence on why the incident triggered e.g. Triggered Event Count = 90 or AVG(CPUUtil) = 90 etc |
Sample Incident Queries
Show Incident Categories with Severity and Frequency Occurrence Show Incident Location
Show Incident Categories with Severity and Frequency Occurrence
This query will show which parts of the infrastructure are triggering events.
- Follow the instructions in Viewing phoenixdb Organization to access the phoenixdb in AccelOps Report Server.
- Under Views, select ph_incident_view.
- In pgAdmin, click on the SQL icon in the menu bar to open the SQL query window.
- Enter this SQL query:
SELECTph_incident category, incident_et, severity_cat, src_ip_addr, host_name, FROMph_incident_view
GROUPBYph_incident category, incident_et, severity_cat, src_ip_addr, host_name ORDERBYCOUNT(*) DESC; |
COUNT(*)
- When the query executes, you will see a list of matching incidents in the Output Pane. Show Incident Location
- Follow the instructions in Viewing phoenixdb Organization to access the phoenixdb in Accelops Report Server.
- Under Views, select ph_incident_view.
- In pgAdmin, click on the SQL icon in the menu bar to open the SQL query window.
- Enter this SQL query:
COUNT(*)
SELECT host_device_location, severity_cat, ph_incident_category, FROM ph_incident_view
GROUP BY host_device_location, ph_incident_category, severity_cat ORDER BY host_device_location ASC, severity_cat ASC COUNT |
(*) DESC;
- When the query executes, you will see a list of incidents and their locations in the Output Pane.
Querying Other CMDB Tables in AccelOps Report Server
Querying Device Vendor and Model Distribution for Discovered Devices Querying Discovered Devices
Querying Device Vendor and Model Distribution for Discovered Devices
Querying Discovered Devices
Working with Event Data in AccelOps Report Server
Data from the AccelOps EventDB database is populated to the AccelOps Report Server and stored in the Report Server reportdb. This section contains information on how to view the organization of reportdb, and write queries against the data it contains.
Viewing reportdb Organization
Syncing an AccelOps Report with Report Server
Deleting a Report from AccelOps Report Server
Modifying an Existing Report in AccelOps Report Server
Viewing reportdb Organization
This database contains the reports that are synched from the AccelOps cluster.
- In the pgAdmin utility, go to File > Add Server.
- In the New Server Registration dialog, enter connection details for AccelOps Report Server.
For Maintenance DB, select reportdb.
For the Port enter 30000 (default port used for the reported).
For Username and Password, use the read-only user name and password that you created when you provisioned the Report Server.
- Click OK.
When the connection to the Report Server is established, reports will load in the Object browser.
- Select a table to view, then right-click to open the Options
- In the Options menu, select View Data, and then select an option for which rows you want to view.
Syncing an AccelOps Report with Report Server
- Log in to AccelOps.
- Go to Analytics > Reports.
- Select a report.
Any reports with a Sync checkbox can be synced. Run the report to make sure it contains some data.
- For each report you want to sync, select the Sync
- Click OK.
- After several minutes, follow the instructions in Viewing reportdb Organization to view the reportdb database.
- Under Tables, you should now see the synced reports.
Table Structure for Synced Reports
When you sync an AccelOps report to AccelOps Report Server, two pairs of tables are created in reportdb, one pair for each organization in the case of AO-SP. For each organization, multiple tables are created:
- A parent table containing data for all months: the table name is of the form <Report Name>_<ID>_<custId>
- A child table for the current month: <Report Name>_<ID>_<custId>_<yYYYYmMM> where YYYY is the year and MM is the month.
Queries should be written using the parent table. To see data in the parent table, follow the instructions in Viewing reportdb Organization . The re portdb database fields are generated from the display fields in AccelOps report definitions. Only the field report_time is added to the Report Server table definitions to capture the time when the particular report is generated. For example, if you synced the report Network Devices by CPU, Memory, you would see these fields:
Field | Description |
report_time | UNIX time at which the report is generated. Unix time (or POSIX time or Epoch time) is a system for describing instants in time, defined as the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970 not counting leap seconds. |
hostName | Host Name of the device for which CPU and memory are being measured |
hostIpAddr | Access IP of the device for which CPU and memory are being measured |
AVG(cpuUtil) | Average of all the CPU utilization metrics within the last 5 minutes ending with report_time |
AVG(memUtil) | Average of all the CPU utilization metrics within the last 5 minutes ending with report_time |
Deleting a Report from AccelOps Report Server
- Log in to AccelOps.
- In Analytics > Reports > Synced Reports, select the report you want to delete.
- In the Sync Details dialog, clear the Sync option for the report, and then click OK.
The report will no longer be synced with Report Server. You can verify this by making sure the Sync option is not selected for the report on the Analytics > Reports > Synced Reports page. You can now delete the report from AccelOps Report Server.
- Log in to AccelOps Report Server via SSH and navigate to the directory /opt/phoenix/deployment/jumpbox.
- Run the py command, along with the table name and date as arguments, to delete the report.
- After you have deleted the table containing the report information, you will need to delete the parent table, which will now be empty of content, using the same py command.
Modifying an Existing Report in AccelOps Report Server
Suppose a system report is synced and exported to AccelOps Report Server. When you modify that report in AccelOps, you must rename it, at which point it becomes a user report. When you then sync that report for Accelops Report Server, a new table is created on the AccelOps Report Server.
Suppose now that you have a user-defined report that is already synced to the AccelOps Report Server, but you modify it inline in AccelOps, which means that you have changed the report conditions without changing the report name. This will cause a change in the table, but a new table will not be created. Here are some examples of inline modifications, and how they affect the structure of the table as well as the data collected in the table:
Modification | Effect |
GROUP BY field added | The corresponding table has the new GROUP BY field, but only newer data populates the field |
GROUP BY field removed | There is no change in the corresponding table, and newer data does not populate the field |
GROUP BY field changed | For example, the field srclpAddr is changed to destlpAddr. Both fields are retained, but newer data populates d estlpAddr. |
Aggregated fields added | The corresponding table has the new field, but only newer data populate that field |
Aggregated field removed | There is no change in the corresponding table, and newer data does not populate the field |
Aggregated Field
Changed |
For example, AVG(cpUutil) is changed to MAX(cpuUtil). Both fields are retained, but newer data populates MA X(cpuUtil). |