Hello Seniors, Hope all is well.

I have a few doubts here , I have scheduled Data Export on Collector at 01:30 AM every day which export data older than 1 day and ignore data older than 2 days, now, CM import this data at 05:00 AM every day.

however, while fetching the Report/Data from CM while not selecting any Remote Data Source(collector) I am getting different count of result and after selecting the Remote Data Source(collector) I am getting more count of result.

In this case consider that, we have only one collector, which sends data to CM. Also, I am fetching the data older than 1 OR 2 days only not on same day.

Could you please help me with this to understand it. Thanks much.

Howdy!
Just a couple of quick thoughts.
1) make sure the first time you setup the export that you make sure the "parents" go with the data.

store next_export_static on
2) make sure the export is complete before you import. Your timing looks good unless there is a huge amount of data. 

I hope this helps.
Jennifer

------------------------------
Jennifer Dodson
------------------------------

Original Message:
Sent: Fri December 11, 2020 01:05 PM
From: Parmar Shashikantbhai
Subject: How CM Import the Data from Collector and shows the Report/Results

Hello Seniors, Hope all is well.

I have a few doubts here , I have scheduled Data Export on Collector at 01:30 AM every day which export data older than 1 day and ignore data older than 2 days, now, CM import this data at 05:00 AM every day.

however, while fetching the Report/Data from CM while not selecting any Remote Data Source(collector) I am getting different count of result and after selecting the Remote Data Source(collector) I am getting more count of result.

In this case consider that, we have only one collector, which sends data to CM. Also, I am fetching the data older than 1 OR 2 days only not on same day.

Could you please help me with this to understand it. Thanks much.

------------------------------
Sincerely,
Akash Parmar
------------------------------

Hi Akash,

I think that reporting from CM use the logs that the CM has in its own database unless you specify a collector for data gathering. This is why you get more results if you select Remote Data Source(collector). May be you can do some test to check it.

Regards.

------------------------------
Miguel Garcia Gimenez
Cibersecurity Expert at Nologin Consulting S.L
IBM Partner
------------------------------

Original Message:
Sent: Fri December 11, 2020 01:05 PM
From: Parmar Shashikantbhai
Subject: How CM Import the Data from Collector and shows the Report/Results

Hello Seniors, Hope all is well.

I have a few doubts here , I have scheduled Data Export on Collector at 01:30 AM every day which export data older than 1 day and ignore data older than 2 days, now, CM import this data at 05:00 AM every day.

however, while fetching the Report/Data from CM while not selecting any Remote Data Source(collector) I am getting different count of result and after selecting the Remote Data Source(collector) I am getting more count of result.

In this case consider that, we have only one collector, which sends data to CM. Also, I am fetching the data older than 1 OR 2 days only not on same day.

Could you please help me with this to understand it. Thanks much.

------------------------------
Sincerely,
Akash Parmar
------------------------------

Hi Miguel , Thank you for your valuable time to reply on this.

Just to tell you that, As per my understanding Collector sending all the data to the CM while exporting to CM then CM import all the data to it. So, i think CM should show/fetch correct data for selected timeframe regardless of whether we select Remote Data Source as collector. Please if you can help me to clear this doubt. Thank you.

Hi Parmar,

I think you are right with that. However, data export/import happen just once in a day. It means that if you configure some reporting on CM before export/import jobs, you just be able to see the logs imported from last day.

For example, if export/import happen at 01:30 AM/05:00 AM respectively, CM log searching just be able to report data from previous day if this reporting is done before 05:00AM unless you specify the collector with " Remote Data Source" option.

In conclusion, I think that data in the database of the CM is from previously day due to import job happens just once in a day. If you want some data that only is stored in the collector up to the execution of some export/import jobs, you have to specify it with " Remote Data Source" option.

Regards.

------------------------------
Miguel Garcia Gimenez
Cibersecurity Expert at Nologin Consulting S.L
IBM Partner
------------------------------

Original Message:
Sent: Wed December 16, 2020 09:00 AM
From: Parmar Shashikantbhai
Subject: How CM Import the Data from Collector and shows the Report/Results

Hi Miguel , Thank you for your valuable time to reply on this.

Just to tell you that, As per my understanding Collector sending all the data to the CM while exporting to CM then CM import all the data to it. So, i think CM should show/fetch correct data for selected timeframe regardless of whether we select Remote Data Source as collector. Please if you can help me to clear this doubt. Thank you.

------------------------------
Parmar Shashikantbhai

Original Message:
Sent: Wed December 16, 2020 08:33 AM
From: Miguel Garcia Gimenez
Subject: How CM Import the Data from Collector and shows the Report/Results

Hi Akash,

I think that reporting from CM use the logs that the CM has in its own database unless you specify a collector for data gathering. This is why you get more results if you select Remote Data Source(collector). May be you can do some test to check it.

Regards.

------------------------------
Miguel Garcia Gimenez
Cibersecurity Expert at Nologin Consulting S.L
IBM Partner

Original Message:
Sent: Fri December 11, 2020 01:05 PM
From: Parmar Shashikantbhai
Subject: How CM Import the Data from Collector and shows the Report/Results

Hello Seniors, Hope all is well.

I have a few doubts here , I have scheduled Data Export on Collector at 01:30 AM every day which export data older than 1 day and ignore data older than 2 days, now, CM import this data at 05:00 AM every day.

however, while fetching the Report/Data from CM while not selecting any Remote Data Source(collector) I am getting different count of result and after selecting the Remote Data Source(collector) I am getting more count of result.

In this case consider that, we have only one collector, which sends data to CM. Also, I am fetching the data older than 1 OR 2 days only not on same day.

Could you please help me with this to understand it. Thanks much.

------------------------------
Sincerely,
Akash Parmar
------------------------------

Hi Miguel , Thank you for the reply on this.

Just to tell you that, from CM I am trying to see the Older Data(previous day) , it means CM has all the previous day data. in our environment we are exporting and importing everyday. So, at least CM should fetch / show the data of previous day to itself only without selecting any remote data source(collector). but, it is not showing all the data but collector shows more data there for same timeframe OR day.

Thanks again for the reply.

Hi Miguel,

I think I got the point. I have to check my Merge Period on CM/Agg. Please refer below tech. note.


https://www.ibm.com/support/pages/guardium-reports-are-not-showing-any-data