TIBCO LogLogic® Log Management Intelligence (LMI) Data Source for TIBCO Spotfire®

The TIBCO LogLogic® Log Management Intelligence (LMI) Data Source for TIBCO Spotfire® software creates a new data source type that connects to a LogLogic® LMI instance.

Compatible Products

TIBCO Spotfire®
TIBCO LogLogic®

Supported Versions

TIBCO LogLogic® Log Management Intelligence 6.2.0 and above
TIBCO Spotfire® 10.3, TIBCO Spotfire® 7.11

License

BSD

Overview

The TIBCO LogLogic® Log Management Intelligence (LMI) Data Source for TIBCO Spotfire® integrates LogLogic data with Spotfire to help create advanced visualizations.


TIBCO LogLogic® Log Management Intelligence (LMI) Data Source for TIBCO Spotfire® Community Wiki


TIBCO LogLogic® provides the industry's first enterprise-class, end-to-end log management solution. Using LogLogic log management solutions, IT organizations can analyze and archive network log data for the purpose of compliance and legal protection, decision support for network security remediation, and increased network performance and improved availability.


This article explains how to integrate LogLogic data into TIBCO Spotfire® for advanced visualizations.

Pre-requisites

TIBCO Spotfire® 7.11 or TIBCO Spotfire® X (10.3.0)

TIBCO LogLogic® Log Management Intelligence 6.2.0 and above

You need a user with administrative access on the Spotfire Server to install the package.

Note: LogLogic LMI 'bloks' are not supported with this data source.

Getting the package

The package is distributed together with its sources on GitHub. You can access the package at this URL: https://github.com/TIBCOSoftware/lmi-spotfire-ds/releases

Download the LmiDataSource.sdn file.

Installing the package on Spotfire Server

Log into the Spotfire Server Web portal and click on “Deployments and Packages”.

Then click on the “Add Package” button.

Then select the location of the “LmiDataSource.sdn” file and click the “Upload” button.

Then, in the list of software packages locate the three new packages as below:

Then click the “Save Area” button, fill in Version and Description, and tick the “Force client update” checkbox. This makes sure the Spotfire Analyst client is updated at its next connection to include the new Data Source. Then validate by clicking on the “Save Area” button.

Note: When launching Spotfire Analyst for the first time after the deployment, you have to accept the use of the new, non-signed packages that have been added.

Installing the package on Spotfire Web Player instance(s)

Go to the Spotfire Server Web portal and click on “Nodes and Services”. Click on the Spotfire Service of a given node. An amber label should warn you that an update exists for this service.

When scrolling down in the list of packages, there should be two lines mentioning the new packages to be added. Click on the “Update Service” button.

Give the service a few minutes to be updated and restarted.

Using the LMI Data Source for Spotfire in Spotfire Analyst

The "hello world"

To add a new LMI data source connected to an LMI appliance, use the blue + sign, then select “Other”, then “From LogLogic LMI advanced search”. A pop-up window appears, prompting you to add the elements of your search.

A first “hello world” example is to run a very simple query that works regardless of the data types on your LMI instance, because it uses the default 'system' data model.

First, fill in the Host, User and Password fields.

Remark:

The Host should match the name in the server certificate installed on the LMI appliance. If it does not, you will have to accept the certificate manually, and such a connection will not work in the Web Player.

In the query box, type:

use system | sys_eventTime in -5m

Your query can be written in SQL or EQL. It must contain a filter on the 'sys_eventTime' column, unless it uses an infrastructure data model that does not contain a sys_eventTime column.

If there are no errors, you are prompted with a data input form that lets you add further transformations or data sources if you wish.

Click the OK button when ready; the data is then loaded into Spotfire Analyst’s memory. Depending on the volume of data this can take some time. At the end of the import, you return to the usual Spotfire welcome screen presented for each new analysis. From that point onward you can interact with your data as with any other data source; all computations are then done in memory.

To begin with, click on Start with data, then explore your result set and its possible visualizations.

Here is an example of what you can get with this sort of query:

Using a pre-computed result set

You can retrieve results from an existing LMI search: this can be a tab open in the LMI web UI, or a search run through the REST API (this does not work with searches that have forward-only mode enabled, or that use the quick search API).

In the form, fill in host, user and password, then click the radio button “use existing advanced search results”. You are then presented with a list of all the query strings that represent open searches; you can pick any one of them.

Let’s take an example where you have an LMI query tab opened with a search, like this:

This query is then displayed in the list of existing result sets, like this:

Because the query results are readily available, the time taken to get the results in Spotfire is considerably reduced.

Then you are in an environment which allows for richer interaction:

Running a correlation search query

As LMI “bloks” are not supported, a separate entry is provided in the form, to run a correlation search based query.

Let’s say we want to run the following correlation rule to detect possible occurrences of a brute-force attack on a Windows server.

USE Microsoft_Windows WITHIN 5m
EVENT GROUP brute_force
AT LEAST 2 EVENTS
WHERE ll_eventAction = "Login" AND ll_eventStatus = "Failure"
WITH THE SAME ll_sourceIP
HAVING AT LEAST 2 DISTINCT ll_targetUser

For that, you need to add an extra line before the block content: RULE <rule name>.

You also need to use the date pickers (see below screenshot) to get the time range for the search.

Then click OK. The correlation search will be run to retrieve results. You can access the same set of columns as in the advanced search page. You can, for example, create a visualization like the following based on those results:
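As an added example (not part of the TIBCO package or of this article), here is a small Python helper that applies the two rules stated above before a query is pasted into the data source form: an advanced search must filter on sys_eventTime unless it targets an infrastructure data model, and a correlation search must be prefixed with a RULE <rule name> line. The handling of a SQL WHERE clause and the permitted rule-name characters are assumptions, not documented LMI behaviour.

```python
import re

TIME_COLUMN = "sys_eventTime"

def has_time_filter(query: str) -> bool:
    """Return True if the advanced-search query filters on sys_eventTime.

    EQL form ('use <model> | <filters>'): inspect the text after the first pipe.
    SQL form: inspect only the WHERE clause (assumed layout, not verified on LMI).
    """
    q = query.strip()
    if "|" in q:
        filters = q.split("|", 1)[1]
    else:
        m = re.search(r"\bwhere\b(.*)", q, re.IGNORECASE | re.DOTALL)
        filters = m.group(1) if m else ""
    return re.search(rf"\b{TIME_COLUMN}\b", filters, re.IGNORECASE) is not None

def prepare_advanced_search(query: str, infrastructure_model: bool = False) -> str:
    """Validate a query before it goes into the data source form.

    infrastructure_model=True is the caller's assertion that the data model has
    no sys_eventTime column, in which case the time filter is not required.
    """
    if not infrastructure_model and not has_time_filter(query):
        raise ValueError(f"advanced search must filter on {TIME_COLUMN}")
    return query.strip()

def prepare_correlation_search(rule_name: str, rule_body: str) -> str:
    """Prefix a correlation rule block with the 'RULE <rule name>' line that the
    form's correlation entry requires (rule-name character set is an assumption)."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", rule_name):
        raise ValueError("rule name must be letters, digits or underscores")
    body = rule_body.strip()
    if not body.upper().startswith("USE "):
        raise ValueError("correlation rule body must start with 'USE <data model>'")
    return f"RULE {rule_name}\n{body}\n"

# The article's own two queries, embedded here as constructed inputs.
HELLO_WORLD = "use system | sys_eventTime in -5m"
BRUTE_FORCE_RULE = """USE Microsoft_Windows WITHIN 5m
EVENT GROUP brute_force
AT LEAST 2 EVENTS
WHERE ll_eventAction = "Login" AND ll_eventStatus = "Failure"
WITH THE SAME ll_sourceIP
HAVING AT LEAST 2 DISTINCT ll_targetUser"""

if __name__ == "__main__":
    print(prepare_advanced_search(HELLO_WORLD))
    print(prepare_correlation_search("win_brute_force", BRUTE_FORCE_RULE))
```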

Using a pre-computed result set from a correlation search query

In the same way as for regular queries, the last option in the form allows you to pick the results of an existing correlation search that is currently open in a tab.

Saving the Spotfire Analysis for later reuse and sharing

The Spotfire analysis can be saved as a local file (.dxp files) or can be put in the shared Library on the Spotfire server.

In both cases, when opening the analysis, the settings of the LMI data source are displayed in case changes are needed, especially to the user and password. Changing the query may involve changing the criteria on sys_eventTime; any other change may break the analysis if the new result set does not have the same set of columns as the original one.

Also, when an analysis was saved from an existing result set, the results are no longer available if the tab has been closed or the LMI appliance restarted. In such a situation it is advised to embed the data in the analysis when saving it.

Using the Web Player, it is possible to access shared analyses from the Spotfire Library.
