Kaspersky Next XDR Expert

Analytics

Analytics

KUMA provides extensive analytics on the data available to the program from the following sources:

Events in storage
Alerts
Assets
Accounts imported from Active Directory
Data from collectors on the number of processed events
Metrics

You can configure and receive analytics in the Dashboard, Reports, and Source status sections of the KUMA Console. Analytics are built by using only the data from tenants that the user can access.

The date format depends on the localization language selected in the application settings. Possible date format options:

English localization: YYYY-MM-DD.
Russian localization: DD.MM.YYYY.

In this section

Dashboard

Reports

Widgets

Page top

Dashboard

In the Dashboard section, you can monitor the security status of your organization's network.

The dashboard is a set of widgets that display network security data analytics. You can view data only for those tenants to which you have access.

A selection of widgets used in the dashboard is called a layout. You can create layouts manually or use predefined layouts. You can edit widget settings in predefined layouts as necessary. By default, the dashboard displays the Alerts Overview predefined layout.

Only users with the Main administrator, Tenant administrator, Tier 2 analyst, and Tier 1 analyst roles can create, edit, or delete layouts. Users accounts with all roles can view layouts and set default layouts. If a layout is set as default, that layout is displayed for the account every time the user navigates to the Dashboard section. The selected default layout is saved for the current user account.

The information on the dashboard is updated in accordance with the schedule configured in layout settings. If necessary, you can force the update of the data.

For convenient presentation of information on the dashboard, you can enable TV mode. This mode lets you view the dashboard in full-screen mode in FullHD resolution. In TV mode, you can also configure a slide show display for the selected layouts.

In this section

Creating a dashboard layout

Selecting a dashboard layout

Selecting a dashboard layout as the default

Editing a dashboard layout

Deleting a dashboard layout

Enabling and disabling TV mode

Predefined dashboard layouts

Page top

Creating a dashboard layout

Expand all | Collapse all

To create a layout:

Open the KUMA Console and select the Dashboard section.
Open the drop-down list in the top right corner of the Dashboard window and select Create layout.
The New layout window opens.
In the Tenants drop-down list, select the tenants that will own the created layout and whose data will be used to fill the widgets of the layout.
The selection of tenants in this drop-down list does not matter if you want to create a universal layout (see below).
In the Time period drop-down list, select the time period from which you want to get analytics:
- If you want to specify an exact date, in the calendar on the left, select the start and end date of the period and click Apply.
  You can select a date up to and including the current date. The date and time format depends on your browser settings. If the Date from or Date to field has a value and you have not edited the time value manually, when you select a date in the calendar, the Date from field is automatically populated with 00:00:00.000, and the Date to field with 23:59:59.999. If you have manually deleted the value in the Date from or Date to field, when you select a date in the calendar, the field is automatically populated with the current time. After you select a value in one of the fields, the focus switches to the other field. If your Date to is earlier than your Date from, this earlier value is automatically inserted into the Date from field.
- If you want to specify a relative period, select one of the available periods in the Relative period list on the right.
  The period is calculated relative to the current time.
- If you want to specify a custom period, edit the value of the Date from and Date to fields.
  You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a period relative to the current time as a formula. You can also combine these methods if necessary. If you do not specify milliseconds when entering the exact date, 000 is substituted automatically. If you have edited the time in the Date from or Date to fields, picking a date in the calendar does not change the time component.
  
  In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: + (only in the Date to field), -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second). For example, you can specify the period now-5d to get data for the last five days, or now/w to get data from the beginning of the first day of the current week (00:00:00:000 UTC) to the current time (now).
  
  The Date from field is required, and its value cannot exceed the value of the Date from field, and also cannot be earlier than 1970-01-01 (if specifying an exact date or a relative period). The Date to cannot be earlier than the Date from. If you do not specify a value in the Date from field, now is specified automatically.
By default, the 1 day (now-1d) relative period is selected. The bounds of the period are inclusive: for example, for the Today time range, events are displayed from the beginning (00:00:00:000 UTC) of the current day to the current time (now) inclusive, and for the Yesterday period, events are displayed from the beginning (00:00:00:000 UTC) of the previous day to 00:00:00:000 UTC of the current day.

KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the data display period, data will be displayed for the period from 03:00:00.000 until now, not from 00:00:00.000 until now.

If you want to take your time zone into account when selecting a relative data display period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the Date from and Date to fields (if a value other than now is specified) by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want to display data for Yesterday, you need to change Date from to now-1d/d-3h and Date to to now/d-3h. If you want to display data for the Today period, you only need to change the value in the Date from field to now/d-3h.

If you need results up to 23:59:59:999 UTC of yesterday, you can use an SQL query with a filter by Timestamp or specify an exact date and time.
In the Refresh every drop-down list, select how often data should be updated in layout widgets:
- never — never refresh data in widgets of the layout
- 1 minute
- 5 minutes
- 15 minutes
- 1 hour (default)
- 3 hours
- 6 hours
- 12 hours
- 24 hours
In the Add widget drop-down list, select the required widget and configure its settings. You can add multiple widgets. You can drag widgets around the window and resize them using the button that appears when you hover the mouse over a widget.
The following limitations apply to widgets with the Pie chart, Bar chart, Line chart, Counter, and Date Histogram chart types:
- In SELECT queries, you can use extended event schema fields of "String", "Number", and "Float" types.
- In WHERE queries, you can use all types of extended event schema fields ("String", "Number", "Float", "Array of strings", "Array of numbers", and "Array of floats").
For widgets with the Table chart type, in SELECT queries, you can use all types of extended event schema fields ("String", "Number", "Float", "Array of strings", "Array of numbers", and "Array of floats").

You can do the following with widgets:
- Add widgets.
  To add widget:
  1. Click the Add widget drop-down list and select required widget.
    The window with widget parameters opens. You can see how the widget will look like by clicking the Preview button.
  2. Configure widget parameters and click the Add button.
- Edit widgets.
  To edit widget:
  1. Hover the mouse over the required widget and clicking the icon that appears.
  2. In the drop-down list select Edit.
    The window with widget parameters opens. You can see how the widget will look like by clicking the Preview button.
  3. Update widget parameters and click the Save button.
You can edit and delete a widget added to the layout by hovering over the widget, clicking the icon that appears, and then selecting Edit or Delete.
In the Layout name field, enter a unique name for this layout. Must contain 1 to 128 Unicode characters.
If necessary, click the icon on the right of the layout name field and select the check boxes next to the additional layout settings:
- Universal—if you select this check box, layout widgets display data from tenants that you select in the Selected tenants section in the menu on the left. This means that the data in the layout widgets will change based on your selected tenants without having to edit the layout settings. For universal layouts, tenants selected in the Tenants drop-down list are not taken into account.
  If this check box is cleared, layout widgets display data from the tenants that are selected in the Tenants drop-down list in the layout settings. If any of the tenants selected in the layout are not available to you, their data will not be displayed in the layout widgets.
  
  You cannot use the Active lists and context tables widget in universal layouts.
  
  Universal layouts can only be created and edited by General administrators. Such layouts can be viewed by all users.
- Show CII-related data—if you select this check box, layout widgets will also show data on assets, alerts, and incidents related to critical information infrastructure (CII). In this case, these layouts will be available for viewing only by users whose settings have the Access to CII facilities check box selected.
  If this check box is cleared, layout widgets will not display data on CII-related assets, alerts, and incidents, even if the user has access to CII objects.
Click Save.

The new layout is created and is displayed in the Dashboard section of the KUMA Console.

Page top

Selecting a dashboard layout

To select a dashboard layout:

Expand the list in the upper right corner of the Dashboard window.
Select the relevant layout.

The selected layout is displayed in the Dashboard section of the KUMA Console.

Page top

Selecting a dashboard layout as the default

To set a dashboard layout as the default:

In the KUMA Console, select the Dashboard section.
Expand the list in the upper right corner of the Dashboard window.
Hover the mouse cursor over the relevant layout.
Click the icon.

The selected layout is displayed on the dashboard by default.

Page top

Editing a dashboard layout

To edit a dashboard layout:

In the KUMA Console, select the Dashboard section.
Expand the list in the upper right corner of the window.
Hover the mouse cursor over the relevant layout.
Click the icon.
The Customizing layout window opens.
Make the necessary changes. The settings that are available for editing are the same as the settings available when creating a layout.
Click the Save button.

The dashboard layout is edited and displayed in the Dashboard section of the KUMA Console.

If the layout is deleted or assigned to a different tenant while are making changes to it, an error is displayed when you click Save. The layout is not saved. Refresh the KUMA Console page to see the list of available layouts in the drop-down list.

Page top

Deleting a dashboard layout

To delete layout:

In the KUMA Console, select the Dashboard section.
Expand the list in the upper right corner of the window.
Hover the mouse cursor over the relevant layout.
Click the icon and confirm this action.

The layout is deleted.

Page top

Enabling and disabling TV mode

It is recommended to create a separate user with the minimum required set of right to display analytics in TV mode.

To enable TV mode:

In the KUMA Console, select the Dashboard section.
Click the button in the upper-right corner.
The Settings window opens.
Move the TV mode toggle switch to the Enabled position.
To configure the slideshow display of the layouts, do the following:
1. Move the Slideshow toggle switch to the Enabled position.
2. In the Timeout field, indicate how many seconds to wait before switching layouts.
3. In the Queue drop-down list, select the layouts to view. If no layout is selected, the slideshow mode displays all layouts available to the user one after another.
4. If necessary, change the order in which the layouts are displayed using the button to drag and drop them.
Click the Save button.

TV mode will be enabled. To return to working with the KUMA Console, disable TV mode.

To disable TV mode:

Open the KUMA Console and select the Dashboard section.
Click the button in the upper-right corner.
The Settings window opens.
Move the TV mode toggle switch to the Disabled position.
Click the Save button.

TV mode will be disabled. The left part of the screen shows a pane containing sections of the KUMA Console.

When you make changes to the layouts selected for the slideshow, those changes will automatically be applied to the active slideshow sessions.

Page top

Predefined dashboard layouts

KUMA comes with a set of predefined layouts: The default refresh period for predefined layouts is Never. You can edit these layouts as needed.

Predefined layouts

Layout name	Description of widgets in the layout
Alerts Overview	Active alerts—number of alerts that have not been closed. Unassigned alerts—number of alerts that have the New status. Latest alerts—table with information about the last 10 unclosed alerts belonging to the tenants selected in the layout. Alerts distribution—number of alerts created during the period configured for the widget. Alerts by priority—number of unclosed alerts grouped by their priority. Alerts by assignee—number of alerts with the Assigned status. The grouping is by account name. Alerts by status—number of alerts that have the New, Opened, Assigned, or Escalated status. The grouping is by status. Affected users in alerts—number of users associated with alerts that have the New, Assigned, or Escalated status. The grouping is by account name. Affected assets—table with information about the level of importance of assets and the number of unclosed alerts they are associated with. Affected assets categories—categories of assets associated with unclosed alerts. Top event source by alerts number—number of alerts with the New, Assigned, or Escalated status, grouped by alert source (DeviceProduct event field). The widget displays up to 10 event sources. Alerts by rule—number of alerts with the New, Assigned, or Escalated status, grouped by correlation rules.
Incidents Overview	Active incidents—number of incidents that have not been closed. Unassigned incidents—number of incidents that have the Opened status. Latest incidents—table with information about the last 10 unclosed incidents belonging to the tenants selected in the layout. Incidents distribution—number of incidents created during the period configured for the widget. Incidents by priority—number of unclosed incidents grouped by their priority. Incidents by assignee—number of incidents with the Assigned status. The grouping is by user account name. Incidents by status—number of incidents grouped by their status. Affected assets in incidents—number of assets associated with unclosed incidents. Affected users in incidents—users associated with incidents. Affected asset categories in incidents—categories of assets associated with unclosed incidents. Active incidents by tenant—number of incidents of all statuses, grouped by tenant.
Network Overview	Netflow top internal IPs—total volume of netflow traffic received by the asset, in bytes. The data is grouped by internal IP addresses of assets. The widget displays up to 10 IP addresses. Netflow top external IPs—total volume of netflow traffic received by the asset, in bytes. The data is grouped by external IP addresses of assets. Netflow top hosts for remote control—number of events associated with access attempts to one of the following ports: 3389, 22, 135. The data is grouped by asset name. Netflow total bytes by internal ports—number of bytes sent to internal ports of assets. The data is grouped by port number. Top Log Sources by Events count—top 10 sources from which the greatest number of events was received.
[OOTB] KATA & EDR	KATA. Top-10 detections by type — visualizes the 10 most common types of events detected by the KATA system. KATA. Top-10 detections by file type — visualizes the 10 most common file types detected by the KATA system. KATA. Top-10 user names in detections — visualizes the 10 most common user names detected by the KATA system. KATA. Top-10 IDS detections — visualizes the 10 most common threats detected by the IDS module of the KATA system. KATA. Top-10 URL detections — visualizes the 10 most common suspicious URLs detected by the KATA system. KATA. Top-10 AV detections — visualizes the 10 most common threats detected by the KATA anti-virus module. EDR. Top-10 MITRE technique detections — visualizes the 10 most common MITRE ATT&CK matrix techniques detected by the EDR system. EDR. Top-10 MITRE tactic detections — visualizes the 10 most common MITRE ATT&CK matrix tactics detected by the EDR system.
[OOTB] KSC	KSC. Top-10 users with the most KAV alerts — visualizes the 10 most common user names present in events related to the detection of malicious software, information about which is contained in the KSC system. KSC. Top-10 most common threats — visualizes the 10 most common types of malware, information about which is contained in the KSC system. KSC. Number of devices that received AV database updates — visualizes the number of devices on which anti-virus database updates have been installed, information about which is contained in the KSC system. KSC. Number of devices on which the virus was found — visualizes the number of devices on which malware was detected, information about which is contained in the KSC system. KSC. Malware detections by hour — visualizes the distribution of the number of malware per hour, information about which is contained in the KSC system.
[OOTB] KSMG	KSMG. Top-10 senders of blocked emails — visualizes the 10 most common senders of email messages blocked by the KSMG system. KSMG. Top-10 events by action — visualizes the 10 most common actions performed by the KSMG system. KSMG. Top-10 events by outcome — visualizes the 10 most common results of actions performed by the KSMG system. KSMG. Blocked emails by hour — visualizes the distribution of the number of email messages blocked by the KSMG system, by hour.
[OOTB] KWTS	KWTS. Top-10 IP addresses with the most blocked web traffic — visualizes the 10 most common IP addresses from which traffic blocked by the KWTS system originated. KWTS. Top-10 IP addresses with the most allowed web traffic — visualizes the 10 most common IP addresses from which traffic allowed by the KWTS system originated. KWTS. Top 10 requests by client application — visualizes the 10 most common applications used to gain access to network resources, as detected by the KWTS system. KWTS. Top-10 blocked URLs — visualizes the 10 most common URLs from which traffic was allowed by the KWTS system. KWTS. System action types — visualizes the 10 most common actions performed by the KWTS system. KWTS. Top-10 users with the most allowed web traffic — visualizes the 10 most common user names of users whose traffic was allowed by the KWTS system.

Page top

Reports

You can configure KUMA to regularly generate reports about KUMA processes.

Reports are generated using report templates that are created and stored on the Templates tab of the Reports section.

Generated reports are stored on the Generated reports tab of the Reports section.

To save the generated reports in HTML and PDF formats, install the required packages on the device with the KUMA Core.

When deploying KUMA in a high availability version, the time zone of the Application Core server and the time in the user's browser may differ. This difference is manifested by the discrepancy between the time in reports generated by schedule and the data that the user can export from widgets. To avoid this discrepancy, it is recommended to configure the report generation schedule to take into account the difference between the users' time zone and UTC.

In this section

Report template

Generated reports

Page top

Report template

Report templates are used to specify the analytical data to include in the report, and to configure how often reports must be generated. Users with the General administrator, Tenant administrator, Tier 2 analyst, and Tier 1 analyst roles can create, edit, or delete report templates. Reports that were generated using report templates are displayed in the Generated reports tab.

Report templates are available in the Templates tab of the Reports section, where the table of existing templates is displayed. The table has the following columns:

You can configure a set of table columns and their order, as well as change data sorting:

You can enable or disable the display of columns in the menu that can be opened by clicking the icon .
You can change the order of columns by dragging the column headers.
If a table column header is green, you can click it to sort the table based on that column's data.

Name—the name of the report template.
You can sort the table by this column by clicking the title and selecting Ascending or Descending.

You can also search report templates by using the Search field that opens when you click the Name column title.

Regular expressions are used when searching for report templates.
Schedule—the rate at which reports must be generated using the template. If the report schedule was not configured, the disabled value is displayed.
Created by—the name of the user who created the report template.
Updated—the date when the report template was last updated.
You can sort the table by this column by clicking the title and selecting Ascending or Descending.
Last report—the date and time when the last report was generated based on the report template.
Send by email—the check mark is displayed in this column for the report templates that notify users about generated reports via email notifications.
Tenant—the name of the tenant that owns the report template.

You can click the name of the report template to open the drop-down list with available commands:

Run report—use this option to generate report immediately. The generated reports are displayed on the Generated reports tab.
Edit schedule—use this command to configure the schedule for generating reports and to define users that must receive email notifications about generated reports.
Edit report template—use this command to configure widgets and the time period for extracting analytics.
Duplicate report template—use this command to create a copy of the existing report template.
Delete report template—use this command to delete the report template.

In this section

Creating report template

Configuring report schedule

Editing report template

Copying report template

Deleting report template

Page top

Creating report template

Expand all | Collapse all

To create report template:

Open the KUMA Console and select Reports → Templates.
Click the New template button.
The New report template window opens.
In the Tenants drop-down list, select one or more tenants that will own the layout being created.
In the Time period drop-down list, select the time period from which you want to get analytics:
- If you want to specify an exact date, in the calendar on the left, select the start and end date of the period and click Apply.
  You can select a date up to and including the current date. The date and time format depends on your browser settings. If the Date from or Date to field has a value and you have not edited the time value manually, when you select a date in the calendar, the Date from field is automatically populated with 00:00:00.000, and the Date to field with 23:59:59.999. If you have manually deleted the value in the Date from or Date to field, when you select a date in the calendar, the field is automatically populated with the current time. After you select a value in one of the fields, the focus switches to the other field. If your Date to is earlier than your Date from, this earlier value is automatically inserted into the Date from field.
- If you want to specify a relative period, select one of the available periods in the Relative period list on the right.
  The period is calculated relative to the current time.
- If you want to specify a custom period, edit the value of the Date from and Date to fields.
  You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a period relative to the current time as a formula. You can also combine these methods if necessary. If you do not specify milliseconds when entering the exact date, 000 is substituted automatically. If you have edited the time in the Date from or Date to fields, picking a date in the calendar does not change the time component.
  
  In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: + (only in the Date to field), -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second). For example, you can specify the period now-5d to get data for the last five days, or now/w to get data from the beginning of the first day of the current week (00:00:00:000 UTC) to the current time (now).
  
  The Date from field is required, and its value cannot exceed the value of the Date from field, and also cannot be earlier than 1970-01-01 (if specifying an exact date or a relative period). The Date to cannot be earlier than the Date from. If you do not specify a value in the Date from field, now is specified automatically.
By default, the 1 day (now-1d) relative period is selected. The bounds of the period are inclusive: for example, for the Today time range, events are displayed from the beginning (00:00:00:000) of the current day to the current time (now) inclusive, and for the Yesterday period, events are displayed from the beginning (00:00:00:000) of the previous day to 00:00:00:000 of the current day.

KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the data display period, data will be displayed for the period from 03:00:00.000 until now, not from 00:00:00.000 until now.

If you want to take your time zone into account when selecting a relative data display period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the Date from and Date to fields (if a value other than now is specified) by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want to display data for Yesterday, you need to change Date from to now-1d/d-3h and Date to to now/d-3h. If you want to display data for the Today period, you only need to change the value in the Date from field to now/d-3h.

If you need results up to 23:59:59:999 UTC of yesterday, you can use an SQL query with a filter by Timestamp or specify an exact date and time.
In the Retention field, specify how long you want to store reports that are generated according to this template.
In the Template name field, enter a unique name for the report template. Must contain 1 to 128 Unicode characters.
In the Add widget drop-down list, select the required widget and configure its settings. You can add multiple widgets. You can drag widgets around the window and resize them using the button that appears when you hover the mouse over a widget.
The following limitations apply to widgets with the Pie chart, Bar chart, Line chart, Counter, and Date Histogram chart types:
- In SELECT queries, you can use extended event schema fields of "String", "Number", and "Float" types.
- In WHERE queries, you can use all types of extended event schema fields ("String", "Number", "Float", "Array of strings", "Array of numbers", and "Array of floats").
For widgets with the Table chart type, in SELECT queries, you can use all types of extended event schema fields ("String", "Number", "Float", "Array of strings", "Array of numbers", and "Array of floats").

You can do the following with widgets:
- Add widgets.
  To add widget:
  1. Click the Add widget drop-down list and select required widget.
    The window with widget parameters opens. You can see how the widget will look like by clicking the Preview button.
  2. Configure widget parameters and click the Add button.
- Edit widgets.
  To edit widget:
  1. Hover the mouse over the required widget and clicking the icon that appears.
  2. In the drop-down list select Edit.
    The window with widget parameters opens. You can see how the widget will look like by clicking the Preview button.
  3. Update widget parameters and click the Save button.
You can edit and delete a widget added to the layout by hovering over the widget, clicking the icon that appears, and then selecting Edit or Delete.
You can change logo in the report template by clicking the Upload logo button.
When you click the Upload logo button, the Upload window opens and lets you choose the image file for the logo. The image must be a .jpg, .png, or .gif file no larger than 3 MB.

The added logo is displayed in the report instead of KUMA logo.
If necessary, select the Show CII-related data check box to display data on assets, alerts, and incidents related to critical information infrastructure (CII) in the layout widgets. In this case, these layouts will be available for viewing only by users whose settings have the Access to CII facilities check box selected.
If this check box is cleared, layout widgets will not display data on CII-related assets, alerts, and incidents, even if the user has access to CII objects.
Click Save.

The new report template is created and is displayed on the Reports → Templates tab of the KUMA Console. You can run this report manually. If you want to have the reports generated automatically, you must configure the schedule for that.

Page top

Configuring report schedule

To configure the report schedule:

Open the KUMA Console and select Reports → Templates.
In the report templates table, click the name of an existing report template and select Edit schedule in the drop-down list.
The Report settings window opens.
If you want the report to be generated regularly:
1. Turn on the Schedule toggle switch.
  In the Recur every group of settings, define how often the report must be generated.
  
  You can specify the frequency of generating reports by days, weeks, months, or years. Depending on the selected period, you should specify the time, day of the week, day of the month or the date of the report generation.
2. In the Time field, enter the time when the report must be generated. You can enter the value manually or using the clock icon.
To select the report format and specify the report recipients, configure the following settings:
1. In the Send to group of settings, click Add.
2. In the Add emails window that opens, in the User group section, click Add group.
3. In the field that appears, specify the email address and press Enter or click outside the entry field—the email address will be added. You can add more than one address. Reports are sent to the specified addresses every time you generate a report manually or KUMA generates a report automatically on schedule.
  You should configure an SMTP connection so that generated reports can be forwarded by email.
  
  If the recipients who received the report by email are KUMA users, they can download or view the report by clicking the links in the email. If the recipients are not KUMA users, they can follow the links but cannot log in to KUMA, so only attachments are available to them.
  
  We recommend viewing HTML reports by clicking links in the web interface, because at some screen resolutions, the HTML report from the attachment may not be displayed correctly.
  
  If you send an email without attachments, the recipients will have access to reports only by links and only with authorization in KUMA, without restrictions on roles or tenants.
4. In the drop-down list, select the report format to send. Available formats: PDF, HTML,
  CSV, split CSV
  A CSV report contains all widgets in one file.
  
  A split CSV allows you to upload individual widgets to separate files and combine these files into an archive for further distribution to specified email addresses.
  
  A CSV report contains all widgets in one file.
  
  A split CSV allows you to upload individual widgets to separate files and combine these files into an archive for further distribution to specified email addresses.
  
  A CSV report contains all widgets in one file.
  
  A split CSV allows you to upload individual widgets to separate files and combine these files into an archive for further distribution to specified email addresses.
  
  , Excel.
Click Save.

Report schedule is configured.

Page top

Editing report template

Expand all | Collapse all

To edit report template:

Open the KUMA Console and select Reports → Templates.
In the report templates table click the name of the report template and select Edit report template in the drop-down list.
The Edit report template window opens.

You can also open this window on the Reports → Generated reports tab by clicking the name of a generated report and selecting in the drop-down list Edit report template.
Make the necessary changes:
- Change the list of tenants that own the report template.
- Update the time period from which you require analytics.
- Add widgets
  To add widget:
  1. Click the Add widget drop-down list and select required widget.
    The window with widget parameters opens. You can see how the widget will look like by clicking the Preview button.
  2. Configure widget parameters and click the Add button.
- Change widgets positions by dragging them.
- Resize widgets using the button that appears when you hover the mouse over a widget.
- Edit widgets
  To edit widget:
  1. Hover the mouse over the required widget and clicking the icon that appears.
  2. In the drop-down list select Edit.
    The window with widget parameters opens. You can see how the widget will look like by clicking the Preview button.
  3. Update widget parameters and click the Save button.
- Delete widgets by hovering the mouse over them, clicking the icon that appears, and selecting Delete.
- In the field to the right from the Add widget drop-down list enter a new name of the report template. Must contain 1 to 128 Unicode characters.
- Change the report logo by uploading it using the Upload logo button. If the template already contains a logo, you must first delete it.
- Change how long reports generated using this template must be stored.
- If necessary, select or clear the Show CII-related data check box.
Click Save.

The report template is updated and is displayed on the Reports → Templates tab of the KUMA Console.

Page top

Copying report template

Expand all | Collapse all

To create a copy of a report template:

Open the KUMA Console and select Reports → Templates.
In the report templates table, click the name of an existing report template, and select Duplicate report template in the drop-down list.
The New report template window opens. The name of the widget is changed to <Report template> - copy.
Make the necessary changes:
- Change the list of tenants that own the report template.
- Update the time period from which you require analytics.
- Add widgets
  To add widget:
  1. Click the Add widget drop-down list and select required widget.
    The window with widget parameters opens. You can see how the widget will look like by clicking the Preview button.
  2. Configure widget parameters and click the Add button.
- Change widgets positions by dragging them.
- Resize widgets using the button that appears when you hover the mouse over a widget.
- Edit widgets
  To edit widget:
  1. Hover the mouse over the required widget and clicking the icon that appears.
  2. In the drop-down list select Edit.
    The window with widget parameters opens. You can see how the widget will look like by clicking the Preview button.
  3. Update widget parameters and click the Save button.
- Delete widgets by hovering the mouse over them, clicking the icon that appears, and selecting Delete.
- In the field to the right from the Add widget drop-down list enter a new name of the report template. Must contain 1 to 128 Unicode characters.
- Change the report logo by uploading it using the Upload logo button. If the template already contains a logo, you must first delete it.
Click Save.

The report template is updated and is displayed on the Reports → Templates tab of the KUMA Console.

Page top

Deleting report template

To delete report template:

Open the KUMA Console and select Reports → Templates.
In the report templates table, click the name of the report template, and select Delete report template in the drop-down list.
A confirmation window opens.
If you want to delete only the report template, click the Delete button.
If you want to delete a report template and all the reports that were generated using that template, click the Delete with reports button.

The report template is deleted.

Page top

Generated reports

All reports are generated using report templates. Generated reports are available on the Generated reports tab of the Reports section and are displayed in the table with the following columns:

You can configure a set of table columns and their order, as well as change data sorting:

You can enable or disable the display of columns in the menu that can be opened by clicking the icon .
You can change the order of columns by dragging the column headers.
If a table column header is green, you can click it to sort the table based on that column's data.

Name—the name of the report template.
You can sort the table by this column by clicking the title and selecting Ascending or Descending.
Time period—the time period for which the report analytics were extracted.
Last report—date and time when the report was generated.
You can sort the table by this column by clicking the title and selecting Ascending or Descending.
Tenant—name of the tenant that owns the report.
User—name of the user who generated the report manually. If the report was generated by schedule, the value is blank. If the report was generated in KUMA lower than 2.1, the value is blank.

You can click the name of a report to open the drop-down list with available commands:

Open report—use this command to open the report data window.
Save as—use this command to save the generated report in the desired format. Available formats: HTML, PDF, CSV, split CSV, Excel. By default, 250 rows are displayed in all formats. At most 500 values can be displayed in tables in PDF and HTML formats. If you want to output more than 500 rows in a report, set your value for the LIMIT parameter in the SQL query and save the report in CSV format.
Run report—use this option to generate report immediately. Refresh the browser window to see the newly generated report in the table.
Edit report template—use this command to configure widgets and the time period for extracting analytics.
Delete report—use this command to delete the report.

In this section

Page top

Viewing reports

To open report:

Open the KUMA Console and select Reports → Generated reports.
In the report table, click the name of the generated report, and select Open report in the drop-down list.
The new browser window opens with the widgets displaying report analytics. If a widget displays data on events, alerts, incidents, active lists, or context tables, you can click its header to open the corresponding section of the KUMA Console with an active filter and/or search query that is used to display data from the widget. Widgets are subject to default restrictions.

To download the data displayed on each widget in CSV format with UTF-8 encoding, press the CSV button. The downloaded file name has the format <widget name>_<download date (YYYYMMDD)>_<download time (HHMMSS)>.CSV.

To view the full data, download the report in the CSV format with the specified settings from the request.
You can save the report in the desired format by using the Save as button.

Page top

Generating reports

You can generate report manually or configure a schedule to have it generated automatically.

To generate report manually:

Open the KUMA Console and select Reports → Templates.
In the report templates table, click a report template name and select Run report in the drop-down list.
You can also generate report from the Reports → Generated reports tab by clicking the name of an existing report and in the drop-down list selecting Run report.

The report is generated and is displayed on the Reports → Generated reports tab.

To generate reports automatically, configure the report schedule.

Page top

Saving reports

To save the report in the desired format:

Open the KUMA Console and select Reports → Generated reports.
In the report table, click the name of the generated report, and in the drop-down list select Save as. Then select the desired format: HTML, PDF, CSV, split CSV, Excel.
The report is saved to the download folder configured in your browser.

You can also save the report in the desired format when you view it.

Page top

Deleting reports

To delete report:

Open the KUMA Console and select Reports → Generated reports.
In the report table, click the name of the generated report, and in the drop-down list select Delete report.
A confirmation window opens.
Click OK.

Page top

Widgets

Widgets let you monitor the operation of the application. Widgets are organized into widget groups, each one related to the analytics type they provide. The following widget groups and widgets are available in KUMA:

Events—widget for creating analytics based on events.
Active lists—widget for creating analytics based on active lists of correlators.
Alerts—group for alert analytics.
The group includes the following widgets:
- Active alerts—number of alerts that have not been closed.
- Active alerts by tenant—number of unclosed alerts for each tenant.
- Alerts by tenant—number of alerts of all statuses for each tenant.
- Unassigned alerts—number of alerts that have the New status.
- Alerts by assignee—number of alerts with the Assigned status, grouped by account name.
- Alerts by status—number of alerts that have the New, Opened, Assigned, or Escalated status, grouped by status.
- Alerts by severity—number of unclosed alerts grouped by their severity.
- Alerts by rule—number of unclosed alerts grouped by correlation rule.
- Latest alerts—table with information about the last 10 unclosed alerts belonging to the tenants selected in the layout.
- Alerts distribution—number of alerts created during the period configured for the widget.
Assets—group for analytics for assets from processed events. This group includes the following widgets:
- Affected assets—table with information about the level of importance of assets and the number of unclosed alerts they are associated with.
- Affected asset categories—categories of assets linked to unclosed alerts.
- Number of assets—number of assets that were added to KUMA.
- Assets in incidents by tenant—number of assets associated with unclosed incidents. The grouping is by tenant.
- Assets in alerts by tenant—number of assets associated with unclosed alerts, grouped by tenant.
Incidents—group for incident analytics.
The group includes the following widgets:
- Active incidents—number of incidents that have not been closed.
- Unassigned incidents—number of incidents that have the Opened status.
- Incidents distribution—number of incidents created during the period configured for the widget.
- Incidents by assignee—number of incidents with the Assigned status, grouped by user account name.
- Incidents by status—number of incidents grouped by status.
- Incidents by severity—number of unclosed incidents grouped by their severity.
- Active incidents by tenant—number of unclosed incidents grouped by tenant available to the user account.
- All incidents—number of incidents of all statuses.
- All incidents by tenant—number of incidents of all statuses, grouped by tenant.
- Affected assets in incidents—number of assets associated with unclosed incidents.
- Affected assets categories in incidents—asset categories associated with unclosed incidents.
- Affected users in Incidents—users associated with incidents.
- Latest incidents—table with information about the last 10 unclosed incidents belonging to the tenants selected in the layout.
Event sources—group for event source analytics. The group includes the following widgets:
- Top event sources by alerts number—number of unclosed alerts grouped by event source.
- Top event sources by convention rate—number of events associated with unclosed alerts. The grouping is by event source.
  In some cases, the number of alerts generated by sources may be inaccurate. To obtain accurate statistics, it is recommended to specify the Device Product event field as unique in the correlation rule, and enable storage of all base events in a correlation event. However, correlation rules with these settings consume more resources.
Users—group for analytics related to users from processed events. The group includes the following widgets:
- Affected users in alerts—number of accounts related to unclosed alerts.
- Number of AD users—number of Active Directory accounts received via LDAP during the period configured for the widget.

In the events table, in the event details area, in the alert window, and in the widgets, the names of assets, accounts, and services are displayed instead of the IDs as the values of the SourceAssetID, DestinationAssetID, DeviceAssetID, SourceAccountID, DestinationAccountID, and ServiceID fields. When exporting events to a file, the IDs are saved, but columns with names are added to the file. The IDs are also displayed when you point the mouse over the names of assets, accounts, or services.

Searching for fields with IDs is only possible using IDs.

In this section

Basics of managing widgets

Special considerations for displaying data in widgets

Displaying tenant names in "Active list" type widgets

Page top

Basics of managing widgets

The principle of data display in the widget depends on the type of the graph. The following graph types are available in KUMA:

Pie chart ().
Counter ().
Table ().
Bar chart ().
Date Histogram ().
Line chart.
Stacked bar chart.

Basics of general widget management

The name of the widget is displayed in the upper left corner of the widgets. By clicking the link with the name of the widget about events, alerts, incidents, or active lists, you can go to the corresponding section of the KUMA Console.

A list of tenants for which data is displayed is located under the widget name.

In the upper right corner of the widget, the period for which data is displayed on the widget is indicated (for example, 30 days ). Keep in mind that the data displayed in the dashboard may lag behind real time because of caching. You can view the date and time of the last update by hovering over the period icon.

If the Show data for previous period setting is enabled for the widget, and the widget is displaying data for a relative period, the tooltip also displays the previous period. The previous period is calculated relative to the current period as start and end values of the current period minus the duration of the current period. For example, if data is updated daily and displayed for a month, but only the first 10 days of the month have passed, the previous period is taken to be the last 10 days of the previous month.

You can change the data display period for the widget by clicking the period icon and selecting an exact date or a relative period in the window that is displayed. If you want the widget to display data for the period selected for the layout, click the Reset button. Changing the displayed period on the layout also changes the period displayed in the widget.

The time in the widget is displayed in the local time zone set in the browser.

The CSV button is located to the left of the period icon. You can download the data displayed on the widget in CSV format (UTF-8 encoding). The downloaded file name has the format <widget name>_<download date (YYYYMMDD)>_<download time (HHMMSS)>.CSV.

The widget displays data for the period selected in widget or layout settings only for the tenants that are selected in widget or layout settings.

Basics of managing "Pie chart" graphs

A pie chart is displayed under the list of tenants. You can left-click the selected segment of the diagram to go to the relevant section of the KUMA Console. The data in that section is sorted in accordance with the filters and/or search query specified in the widget.

Under the period icon, you can see the number of events, active lists, assets, alerts, or incidents grouped by the selected criteria for the data display period.

Examples:

In the Alerts by status widget, under the period icon, the number of alerts grouped by the New, Open, Assigned, or Escalated status is displayed.
If you want to see the legend only for alerts with the Opened and Assigned status, you can clear the check boxes to the left of the New and Escalated statuses.
In the Events widget, for which the SQL query SELECT count(ID) AS `metric`, Name AS `value` FROM `events` GROUP BY Name ORDER BY `metric` DESC LIMIT 10 is specified, 10 events are displayed below the period icon, grouped by name and sorted in descending order.
If you want to view events with specific names in the legend, you can clear the check boxes to the left of the names of events that you do not want to see in the legend.

Basics of managing "Counter" graphs

Graphs of this type display the sum total of selected data.

Example:

The Number of assets widget displays the total number of assets added to KUMA.

Basics of managing "Table" graphs

Graphs of this type display data in a table format.

Example:

In the Events widget, for which the SQL query SELECT TenantID , Timestamp , Name , DeviceProduct , DeviceVendor FROM `events` LIMIT 10 is specified, displays an event table with TenantID, Timestamp, Name, DeviceProduct, and DeviceVendor columns. The table contains 10 rows.

Basics of managing "Bar chart" graphs

A bar chart is displayed below the list of tenants. You can left-click the selected diagram section to go to the Events section of the KUMA Console. The data in that section is sorted in accordance with the filters and/or search query specified in the widget. To the right of the chart, the same data is represented as a table.

Example:

In the a Netflow top internal IPs widget for which the SQL query SELECT sum(BytesIn) AS metric, DestinationAddress AS value FROM `events` WHERE (DeviceProduct = 'netflow' OR DeviceProduct = 'sflow') AND (inSubnet(DestinationAddress, '10.0.0.0/8') OR inSubnet(DestinationAddress, '172.16.0.0/12') OR inSubnet(DestinationAddress, '192.168.0.0/16')) GROUP BY DestinationAddress ORDER BY metric DESC LIMIT 10 is specified, the x-axis of the chart corresponds to the total traffic in bytes, and the y-axis corresponds to destination port addresses. The data is grouped by destination address in descending order of total traffic.

Basics of managing "Date Histogram" graphs

A date histogram is displayed below the list of tenants. You can left-click the selected section of the chart to go to the Events section of the KUMA Console with the relevant data. The data in that section is sorted in accordance with the filters and/or search query specified in the widget. To the right of the chart, the same data is represented as a table.

Example:

In the Events widget, for which the SQL query SELECT count(ID) AS `metric`, Timestamp AS `value` FROM `events` GROUP BY Timestamp ORDER BY `metric` DESC LIMIT 250 is specified, the x-axis of the diagram corresponds to event creation date, and the y-axis corresponds to the approximate number of events. Events are grouped by creation date in descending order.

Basics of managing "Line chart" graphs

A line chart is displayed below the list of tenants. You can left-click the selected section of the chart to go to the Events section of the KUMA Console with the relevant data. The data in that section is sorted in accordance with the filters and/or search query specified in the widget. To the right of the chart, the same data is represented as a table.

Example:

In the Events widget, for which the SQL query SELECT count(ID) AS `metric`, SourcePort AS `value` FROM `events` GROUP BY SourcePort ORDER BY `value` ASC LIMIT 250 is specified, the x-axis corresponds to the approximate port number, and the y-axis corresponds to the number of events. The data is grouped by port number in ascending order.

Basics of managing "Stacked bar chart" graphs

A stacked bar chart with a legend is displayed below the list of tenants. The legend displays the names of categories by which the bars are sliced. To the left of each category is a check box that lets you hide or show the category. The number of bars in the chart corresponds to the number of values in the selected grouping. The bars have captions. The color of the corresponding category in the bar is assigned automatically. When you hover over the zones of the bars, a tooltip is displayed with the value and a description of the value. You can left-click the selected diagram section to go to the Events section of the KUMA Console.

The meaning of bar height depends on the Format setting:

If the Absolute values format is configured, the height of the bars corresponds to the sum of the values of the measured figure.
If the Relative values, % format is configured, all bars have the same height of 100%, and the relative heights of colored zones on the bars correspond to the ratios of the values.

If, when creating a custom widget based on the stacked bar chart, you selected the Show data for previous period option, and the standard value, category, metric aliases are used in the query, the chart displays previous-period data as separate bars. However, if instead of the standard metric, the query uses a custom metric calculation with non-standard aliases, the Show data for previous period is not taken into account when displaying the chart (see example queries below).

Examples:

When creating a custom widget of the Stacked bar chart type based on an SQL query of an Events widget, the following rules apply:

The field in the query that is specified as the value alias (mandatory) is used in the chart as the field by which the legend is created and the bars are divided into categories.
The field in the query that is specified as the category alias (mandatory) is used in the chart as the field that defines the arrangement of bars along the X axis.
The field in the query specified as the metric alias is used in the chart as the field that defines how bar areas are counted. In this case, the distribution is performed automatically.

However, you can manage the count by using standard aggregation functions (sum, avg, min, max, count) and your own arbitrarily named aliases as metrics instead of the standard metric alias (in this case, the display of data for the previous period is not supported).

Example 1:

For the Events widget, the following SQL query is specified with standard aliases, and the Show data for previous period option was selected when creating the widget:

SELECT count(ID) AS `metric`,

Type AS `value`,

TenantID AS `category`

FROM `events`

GROUP BY value, category

ORDER BY metric DESC

The X-axis stands for tenants (the field specified as the category), the Y-axis stands for the number of events of a certain type (the field specified as the value). Inside each bar, the quantity corresponding to a certain type is represented by a certain color. In the legend, the names of the event types by which the bars are divided are displayed as categories. Each category has an automatically assigned corresponding color on the bar. If you want to view only certain event types in the chart, you can clear or select the check boxes to the left of the corresponding event types in the legend.

Next to each bar, an additional bar is displayed with historical data, if such data was received in the query response.

Example 2:

For the Events widget, the following SQL query is specified with custom metrics specified as the Base and Audit aliases instead of the standard metric alias:

SELECT SUM(IF (Type = 1,1,0)) AS `Base`,

SUM(IF (Type = 4,1,0)) AS `Audit`,

TenantID as `category`

FROM `events`

GROUP BY category

The X-axis stands for tenants (the field specified as category), the Y-axis stands for the number of events of each type (custom metrics specified as Base and Audit). Inside each bar, the quantity corresponding to a certain metric is represented by a certain color. In the legend, the Base and Audit metrics by which the bars are divided into categories are displayed as category names. Each category has an automatically assigned corresponding color on the bar. If you want to view only event corresponding to a certain metric in the chart, you can clear or select the check boxes to the left of the relevant metric in the legend.

The additional bar with historical data is not displayed for a query with custom metrics, even if the Show data for previous period option was selected when creating the widget.

Example 3:

For the Events widget, the following SQL query is specified with standard aliases:

SELECT count(ID) AS `metric`,

TenantID as `value`,

Type as `category`

FROM events

GROUP BY value, category

ORDER BY metric DESC

In contrast to the similar query in example 1, in this case, the X-axis stands for the types of events (the field specified as the category), and the tenants (the field specified as the value) are represented by ranges of values in the bars (along the X axis) and the corresponding captions in the legend.

Example 4:

For the Events widget, the following SQL query is specified with standard aliases:

SELECT count(ID) AS `metric`,

CAST(fromUnixTimestamp64Milli(Timestamp) AS DATE) AS `category`,

Type as `value`

FROM `events`

GROUP BY category, value

ORDER BY category DESC

The chart displays the days of the month on the X axis (the field specified as the category). The Y axis displays the number of events of a particular type (the field specified as the value).

To create a similar chart with bars arranged by date and/or time, use a query with grouping and sorting by the following fields of the timestamp type:

Timestamp
DeviceCustomDate1
DeviceCustomDate2
EndTime
FileCreateTime
FileModificationTime
FlexDate1
OldFileCreateTime
OldFileModificationTime
DeviceReceiptTime
StartTime

We recommend using the Date Histogram to work with data that is arranged by date and/or time.

Page top

Special considerations for displaying data in widgets

Limitations for the displayed data

For improved readability, KUMA has limitations on the data displayed in widgets depending on its type:

Pie chart displays a maximum of 20 slices.
Bar chart displays a maximum of 40 bars.
Table displays a maximum of 500 entries.
Date histogram displays a maximum of 365 days.

Data that exceeds the specified limitations is displayed in the widget in the Other category.

You can download the full data used for building analytics in the widget in CSV format.

Summing up the data

The format of displaying the total sum of data on date histogram, bar chart and pie chart depends on the locale:

English locale: decades (every three digits) are separated by commas, the decimal part is separated by a period.
Russian locale: decades (every three digits) are separated by spaces, the decimal part is separated by a comma.

Page top

Creating a widget

You can create a widget in a dashboard layout while creating or editing the layout.

To create a widget:

Create a layout or switch to editing mode for the selected layout.
Click Add widget.
Select a widget type from the drop-down list.
This opens the widget settings window.
Edit the widget settings.
If you want to see how the data will be displayed in the widget, click Preview.
Click Add.

The widget appears in the dashboard layout.

Page top

Editing a widget

To edit widget:

In the KUMA Console, select the Dashboard section.
Expand the list in the upper right corner of the window.
Hover the mouse cursor over the relevant layout.
Click the button.
The Customizing layout window opens.
In the widget you want to edit, click .
Select Edit.
This opens the widget settings window.
Edit the widget settings.
Click Save in the widget settings window.
Click Save in the Customizing layout window.

The widget is edited.

Page top

Deleting a widget

To delete a widget:

In the KUMA Console, select the Dashboard section.
Expand the list in the upper right corner of the window.
Hover the mouse cursor over the relevant layout.
Click the button.
The Customizing layout window opens.
In the widget you want to delete, click .
Select Delete.
This opens a confirmation window; in that window, click OK.
Click the Save button.

The widget is deleted.

Page top

Widget settings

This section describes the settings of all widgets available in KUMA.

In this section

"Events" widget

"Active lists" widget

"Context tables" widget

"Assets" customized widget

Other widgets

Page top

"Events" widget

Expand all | Collapse all

You can use the Events widget to get analytics based on SQL queries.

When creating this widget, you must specify the settings described in the tables below.

Tab Selectors

The following table lists the settings on the Selectors tab.

Description of parameters

Setting	Description
Graph	Graph type. The following graph types are available: Pie chart. Bar chart. Counter. Line chart. Table. Date Histogram. Stacked bar chart.
Format	Data display format: Absolute values or Relative values, %. The setting is available for a Stacked bar chart. If you select the Absolute values format, the heights of the bars correspond to the sum of the values of the measured indicator. If you select the Relative values, % format, all bars have the same height of 100%, and the relative heights of colored zones on the bars correspond to the ratios of indicator values. By default, Absolute values is selected.
Tenant	The tenant for which data is displayed in the widget. You can select multiple tenants. By default, data is displayed for tenants selected in layout settings.
Time period	Period for which data is displayed in the widget. The default is As layout, meaning that data is displayed for the period selected for the layout. You can also specify a period for the widget in one of the following ways: Select the exact start and end date and time of the period in the calendar and click Apply. Select a period relative to the present time in the Relative period list. Specify a value manually: select an exact date and time or a relative period, or a combination of both. For details, see the Configuring a period subsection below.
Show data for previous period	Enable the display of data for two periods at the same time: for the current period and for the previous period. When using a Stacked bar chart, the Show data for previous period setting is taken into account if the query contains standard aliases: `value`, `category`, `metric`. However, if instead of the standard `metric`, the query uses a custom metric calculation with non-standard aliases, the Show data for previous period is not taken into account.
Storage	Storage that is searched for events. The list displays the available spaces. You can select only one storage, but you can select one or more spaces. The values in the Storage field are independent of the selected tenants in the Tenant field. The field displays storages and spaces, like in the Events section. When a new space is created in the storage, this new space is not selected by default in the widget settings. You must manually select the new space. If the user has access to all spaces listed in the widget, the widget can display the event information for tenants specified in the space set in the user's permissions. If the user does not have access rights to one or more spaces of the storage, the widget cannot display information; the user cannot edit the widget, but can duplicate the widget using the Duplicate button. Duplication does not depend on access rights to spaces. If a template is duplicated in widgets that have spaces specified that are not accessible to the user, the value in the Storage field is reset. Such widgets display an error: Access denied (Operation returns no results because of allowed and selected event spaces). To save the template, you need to specify spaces in widgets. In widgets that have spaces that are accessible to the user, the value of the Storage field is not reset and is saved when the template is duplicated. When the user downloads the template, the data of inaccessible files are hidden in the downloaded file. If the user's email address is included in the list of recipients of the scheduled report, the user gets the full version of the report, regardless of which spaces are accessible.
SQL query field ()	Query for filtering and searching for events manually. You can create a query in Builder by clicking . For detailed information on creating an SQL query in the query constructor, see below. The following limitations apply: The `metric` and `value` aliases in SQL queries cannot be edited for any type of event analytics widget, except tables. Aliases in widgets of the Table type can contain Latin and Cyrillic characters, as well as spaces. When using spaces or Cyrillic, the alias must be enclosed in quotation marks: `"An alias with a space"`, `Another alias`. `ARRAY JOIN` SQL queries are not supported. When displaying data for the previous period, sorting by the `count(ID)` parameter may not work correctly. We recommend sorting by the `metric` parameter. For example, SELECT count(ID) AS "metric", Name AS "value" FROM `events` GROUP BY Name ORDER BY metric ASC LIMIT 250. In widgets of the Counter type, you must specify the method of data processing for the values of the `SELECT` function: `count`, `max`, `min`, `avg`, `sum`.

Configuring a period

To configure the data display period, do one of the following:

If necessary, change the date and time in the Time period setting in one of the following ways:
- If you want to specify an exact date, in the calendar on the left, select the start and end date of the period and click Apply.
  You can select a date up to and including the current date. The date and time format depends on your browser settings. If the Date from or Date to field has a value and you have not edited the time value manually, when you select a date in the calendar, the Date from field is automatically populated with 00:00:00.000, and the Date to field with 23:59:59.999. If you have manually deleted the value in the Date from or Date to field, when you select a date in the calendar, the field is automatically populated with the current time. After you select a value in one of the fields, the focus switches to the other field. If your Date to is earlier than your Date from, this earlier value is automatically inserted into the Date from field.
- If you want to specify a relative period, select one of the available periods in the Relative period list on the right.
  The period is calculated relative to the current time.
- If you want to specify a custom period, edit the value of the Date from and Date to fields.
  You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a period relative to the current time as a formula. You can also combine these methods if necessary. If you do not specify milliseconds when entering the exact date, 000 is substituted automatically. If you have edited the time in the Date from or Date to fields, picking a date in the calendar does not change the time component.
  
  In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: + (only in the Date to field), -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second). For example, you can specify the period now-5d to get data for the last five days, or now/w to get data from the beginning of the first day of the current week (00:00:00:000 UTC) to the current time (now).
  
  The Date from field is required, and its value cannot exceed the value of the Date from field, and also cannot be earlier than 1970-01-01 (if specifying an exact date or a relative period). The Date to cannot be earlier than the Date from. If you do not specify a value in the Date from field, now is specified automatically.
KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the data display period, data will be displayed for the period from 03:00:00.000 until now, not from 00:00:00.000 until now.

If you want to take your time zone into account when selecting a relative data display period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the Date from and Date to fields (if a value other than now is specified) by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want to display data for Yesterday, you need to change Date from to now-1d/d-3h and Date to to now/d-3h. If you want to display data for the Today period, you only need to change the value in the Date from field to now/d-3h.

If you need results up to 23:59:59:999 UTC of yesterday, you can use an SQL query with a filter by Timestamp or specify an exact date and time.

The bounds of the period are inclusive: for example, for the Today time range, events are displayed from the beginning (00:00:00:000 UTC) of the current day to the current time (now) inclusive, and for the Yesterday period, events are displayed from the beginning (00:00:00:000 UTC) of the previous day to 00:00:00:000 UTC of the current day. You can view the date and time of the last data update and the exact period for which the data is displayed by hovering over the period icon in the widget.

If the Show data for previous period setting is enabled for the widget, and the widget is displaying data for a relative period, the tooltip also displays the previous period. The previous period is calculated relative to the current period as start and end values of the current period minus the duration of the current period. For example, if data is updated daily and displayed for a month, but only the first 10 days of the month have passed, the previous period is taken to be the last 10 days of the previous month.
If you want the widget to display data for the period selected for the layout, click the Reset button. Changing the displayed period on the layout also changes the period displayed in the widget.

How to create a query in Builder

To create a query in Builder:

Specify the values of the following parameters:
1. SELECT—event fields that should be returned. The number of available fields depends on the selected graph type.
  - In the drop-down list on the left, select the event fields for which you want to display data in the widget.
  - The middle field displays what the selected field is used for in the widget: metric or value.
    If you selected the Table graph type, in the middle fields, you must specify column names using ANSII-ASCII characters.
  - In the drop-down list on the right, you can select an operation to be performed on the data:
    - count—event count. This operation is available only for the ID event field. Used by default for line charts, pie charts, bar charts, and counters. This is the only option for date histogram.
    - max is the maximum value of the event field from the event selection.
    - min is the minimum value of the event field from the event selection.
    - avg is the average value of the event field from the event selection.
    - sum is the sum of event field values from the event selection.
2. SOURCE is the type of the data source. Only the events value is available for selection.
3. WHERE—conditions for filtering events.
  - In the drop-down list on the left, select the event field that you want to use for filtering.
  - Select the necessary operator from the middle drop-down list. The available operators depend on the type of value of the selected event field.
  - In the drop-down list on the right, enter the value of the condition. Depending on the selected type of field, you may have to manually enter the value, select it from the drop-down list, or select it on the calendar.
  You can add search conditions by clicking Add condition or remove search conditions by clicking .
  
  You can also add groups of conditions by clicking Add group. By default, groups of conditions are added with the AND operator, but you can change the it if necessary. Available values: AND, OR, NOT. Group conditions are deleted using the Delete group button.
4. GROUP BY—event fields or aliases to be used for grouping the returned data. This parameter is not available for Counter graph type.
5. ORDER BY—columns used as the basis for sorting the returned data. This parameter is not available for the Date Histogram and Counter graph types.
  - In the drop-down list to the left, select the value that will be used for sorting.
  - Select the sort order from the drop-down list on the right: ASC for ascending, DESC for descending.
  - For Table type graphs, you can add sorting conditions by clicking Add column.
6. LIMIT is the maximum number of data points for the widget. This parameter is not available for the Date Histogram and Counter graph types.
Click Apply.

Example of search conditions in the query builder

WidgetCustomExample

Search condition parameters for the widget showing average bytes received per host

Tab Actions

The following table lists the settings on the Actions tab.

The tab is displayed if on the Selectors tab in the Graph field you have selected one of the following values: Bar chart, Line chart, Date Histogram.

Description of parameters

Setting	Description
Y-min and Y-max	Scale of the Y axis. Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.
X-min and X-max	Scale of the X axis. Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.
Line-width	Width of the line on the graph. This field is displayed for the "Line chart" graph type.
Point size	Point size on the graph. This field is displayed for the "Line chart" graph type.

Tab wrench

The following table lists the settings on the wrench tab.

Description of parameters

Setting	Description
Name	Name of the widget.
Description	Description of the widget.
Color	The color used for displaying the information: default for your browser's default font color green red blue yellow This setting is available for graphs such as Bar chart, Counter, Line chart, Date Histogram.
Horizontal	Makes the histogram horizontal instead of vertical. When this option is enabled, when a widget displays a large amount of data, horizontal scrolling is not available and all available information is fit into the fixed size of the widget. If there is a lot of data to display, it is recommended to increase the widget size.
Show total	Shows sums total of the values.
Show legend	Displays a legend for the analytics. The toggle switch is turned on by default.
Show nulls in legend	Displays parameters with a null value in the legend for analytics. The toggle switch is turned off by default.
Decimals	Number of decimals to which the displayed value must be rounded off.
Period segments length	Duration of the segments into which you want to divide the period. Available for graphs of the Date Histogram type.
Scale	Scale for displaying data. Available for a Stacked bar chart. The following values are possible: Linear Square Logarithm The default is Linear.

Page top

"Active lists" widget

You can use the Active lists widget to get analytics based on SQL queries.

When creating this widget, you must specify the settings described in the tables below.

Tab Selectors

The following table lists the settings that must be specified on the Selectors tab.

Description of parameters

Setting	Description
Graph	Graph type. The following graph types are available: Bar chart. Pie chart. Counter. Table.
Tenant	The tenant for which data is displayed in the widget. You can select multiple tenants. By default, data is displayed for tenants selected in layout settings.
Correlator	The name of the correlator that contains the active list for which you want to receive data.
Active list	The name of the active list for which you want to receive data. The same active list can be used by different correlators. However, a separate entity of the active list is created for each correlator. Therefore, the contents of the active lists used by different correlators differ even if the active lists have the same names and IDs.
SQL query field	This field lets you manually enter a query for filtering and searching active list data. The query structure is similar to that used in event search. When creating a query based on active lists, you must consider the following: For the FROM function, you must specify the `records` value. If you want to receive data for fields whose names contain spaces and Cyrillic characters, you must also enclose such names in quotes in the query: In the SELECT function, enclose aliases in double quotes or backticks: "alias", `another alias`. In the ORDER BY function, enclose aliases in backticks: `another alias`. Event field values are enclosed in straight quotes: WHERE DeviceProduct = 'Microsoft'. Names of event fields do not need to be enclosed in quotes. If the name of an active list field begins or ends with spaces, these spaces are not displayed by the widget. The field name must not contain spaces only. If the values of the active list fields contain trailing or leading spaces, it is recommended to use the LIKE '%field value%' function to search by them. In your query, you can use service fields: _key (the field with the keys of active list records) and _count (the number of times this record has been added to the active list), as well as custom fields. The "metric" and "value" aliases in SQL queries cannot be edited for any type of active lists analytics widget, except tables. If a date and time conversion function is used in an SQL query (for example, fromUnixTimestamp64Milli) and the field being processed does not contain a date and time, an error will be displayed in the widget. To avoid this, use functions that can handle a null value. Example: SELECT _key, fromUnixTimestamp64Milli(toInt64OrNull(DateTime)) as Date FROM `records` LIMIT 250. Large values for the LIMIT function may lead to browser errors. If you select Counter as the graph type, you must specify the method of data processing for the values of the SELECT function: count, max, min, avg, sum. Special considerations apply when using aliases in SQL functions and SELECT, you can use double quotes and backticks: ", `. If you selected Counter as the graph type, aliases can contain Latin and Cyrillic characters, as well as spaces. When using spaces or Cyrillic, the alias must be enclosed in quotation marks: "An alias with a space", `Another alias`. When displaying data for the previous period, sorting by the count(ID) parameter may not work correctly. It is recommended to sort by the metric parameter. For example, SELECT count(ID) AS "metric", Name AS "value" FROM `events` GROUP BY Name ORDER BY metric ASC LIMIT 250.

You can get the names of the tenants in the widget instead of their IDs.

If you want the names of tenants to be displayed in active list widgets instead of tenant IDs, in correlation rules of the correlator, configure the function for populating the active list with information about the corresponding tenant.

To configure the function:

Export the list of tenants.
Create a dictionary of the Table type and import the previously obtained list of tenants into the dictionary.
Add a local variable with the dict function for mapping the tenant name to tenant ID to the correlation rule.
Example:
- Variable: TenantName
- Value: dict ('<Name of the previously created dictionary with tenants>', TenantID)
Add an action with active lists to the correlation rule. T
his action will write the value of the previously created variable in the key-value format to the active list using the Set function. As the key, specify the field of the active list (for example, Tenant), and in the value field, reference the previously created variable (for example, $TenantName).

When this rule triggers, the name of the tenant mapped by the dict function to the ID from the tenant dictionary is placed in the active list. When creating widgets for active lists, you can get the name of the tenant by referring to the name of the field of the active list (in the example above, Tenant).

The method described above can be applied to other event fields with IDs.

Sample SQL queries for receiving analytics based on active lists:

SELECT * FROM `records` WHERE "Event source" = 'Johannesburg' LIMIT 250
This query returns the key of the active list where the field name is "Event source" and the value of this field is "Johannesburg".
SELECT count(_key) AS metric, Status AS value FROM `records` GROUP BY value ORDER BY metric DESC LIMIT 250
Query for a pie chart, which returns the number of keys in the active list ('count' aggregation over the '_key' field) and all variants of the Status custom field. The widget displays a pie chart with the total number of records in the active list, divided proportionally by the number of possible values for the Status field.
SELECT Name, Status, _count AS Number FROM `records` WHERE Description ILIKE '%ftp%' ORDER BY Name DESC LIMIT 250
Query for a table, which returns the values of the Name and Status custom fields, as well as the service field '_count' for those records of the active list in which the value of the Description custom field matches ILIKE '%ftp%'. The widget displays a table with the Status, Name, and Number columns.

Tab Actions

The following table lists the settings that must be specified on the Actions tab.

This tab is displayed if on the Selectors tab, in the Graph field, you have selected Bar chart.

Description of parameters

Settings

Description

Y-min and Y-max

Scale of the Y axis.

Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

X-min and X-max

Scale of the X axis.

Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

Tab wrench

The following table lists the settings that must be specified on the wrench tab.

Description of parameters

Setting	Description
Name	Name of the widget.
Description	Description of the widget.
Color	The color used for displaying the information: default for your browser's default font color green red blue yellow
Horizontal	Makes the histogram horizontal instead of vertical. When this setting is enabled, all available information is fitted into the configured widget size. If the amount of data is great, you can increase the size of the widget to display it optimally.
Show total	Shows sums total of the values.
Show legend	Displays a legend for the analytics. The toggle switch is turned on by default.
Show nulls in legend	Displays parameters with a null value in the legend for analytics. The toggle switch is turned off by default.

Page top

"Context tables" widget

You can use the Context tables widget to get analytics based on SQL queries.

When creating this widget, you must specify the settings described in the tables below.

Tab Selectors

The following table lists the settings that must be specified on the Selectors tab.

Description of parameters

Setting	Description
Graph	Graph type. The following graph types are available: Bar chart. Pie chart. Counter. Table.
Tenant	The tenant for which data is displayed in the widget. You can select multiple tenants. By default, data is displayed for tenants selected in layout settings.
Correlator	Name of the correlator that contains the context table for which you want to receive information.
Context table	Name of the context table for which you want to receive information. The same context table can be used in multiple correlators. However, a separate entity of the context table is created for each correlator. Therefore, the contents of the context tables used by different correlators are different even if the context tables have the same name and ID.
SQL query field	This field lets you manually enter a query for filtering and searching context table data. By default, for each widget type, the field contains a query that obtains the context table schema and the key by key fields. The query structure is similar to that used in event search. When creating a query based on context tables, you must consider the following: For the `FROM` function, you must specify the `records` value. You can get data only for the fields specified in the context table schema. You can use supported features of ClickHouse. If you want to receive data for fields whose names contain spaces and Cyrillic characters, you must also enclose such names in quotes in the query: In the `SELECT` function, enclose aliases in double quotes or backticks: `"<alias>"`, `<`another alias`>`; In the `ORDER BY` function, enclose aliases in backticks: `<`another alias`>` Event field values are enclosed in straight quotes: `WHERE DeviceProduct = 'Microsoft'` Names of event fields do not need to be enclosed in quotes. If the name of an active list field begins or ends with spaces, these spaces are not displayed by the widget. The field name must not contain spaces only. If the values of the active list fields contain trailing or leading spaces, it is recommended to use the `LIKE '%<field value>%'` function to search by them. You can use the `_count` service field (how many times this record has been added to the context table), as well as custom fields. The `metric` and `value` aliases in SQL queries cannot be edited for any type of active lists analytics widget, except tables. If a date and time conversion function is used in an SQL query (for example, `fromUnixTimestamp64Milli`) and the field being processed does not contain a date and time, an error will be displayed in the widget. To avoid this, use functions that can handle a null value. Example: SELECT _key,fromUnixTimestamp64Milli(toInt64OrNull(DateTime)) as Date FROM `records` LIMIT 250. Large values for the `LIMIT` function may lead to browser errors. If you select Counter as the chart type, you must specify the method of data processing for the values of the `SELECT` function: `count`, `max`, `min`, `avg`, `sum`. Special considerations when using aliases in SQL functions and `SELECT` statements: you may use double quotes and backticks: ", `. When using spaces or non-Latin characters, the alias must be enclosed in double quotes: `"<Alias with a space>"`, values must be enclosed in straight single quotes: `'<Value with a space>'`. When displaying data for the previous period, sorting by the `count(ID)` parameter may not work correctly. We recommend sorting by the `metric` parameter. For example, `SELECT count(ID) AS "metric"`, Name AS "value" FROM `events` GROUP BY Name ORDER BY metric ASC LIMIT 250.

You can get the names of the tenants in the widget instead of their IDs.

To configure the function:

Export the list of tenants.
Create a dictionary of the Table type and import the previously obtained list of tenants into the dictionary.
Add a local variable with the dict function for mapping the tenant name to tenant ID to the correlation rule.
Example:
- Variable: TenantName
- Value: dict ('<Name of the previously created dictionary with tenants>', TenantID)
Add an action with active lists to the correlation rule. T
his action will write the value of the previously created variable in the key-value format to the active list using the Set function. As the key, specify the field of the active list (for example, Tenant), and in the value field, reference the previously created variable (for example, $TenantName).

The method described above can be applied to other event fields with IDs.

Sample SQL queries for receiving analytics based on active lists:

SELECT * FROM `records` WHERE "Event source" = 'Johannesburg' LIMIT 250
This query returns the key of the active list where the field name is "Event source" and the value of this field is "Johannesburg".
SELECT count(_key) AS metric, Status AS value FROM `records` GROUP BY value ORDER BY metric DESC LIMIT 250
Query for a pie chart, which returns the number of keys in the active list (count aggregation over the _key field) and all variants of the Status custom field. The widget displays a pie chart with the total number of records in the active list, divided proportionally by the number of possible values for the Status field.
SELECT Name, Status, _count AS Number FROM `records` WHERE Description ILIKE '%ftp%' ORDER BY Name DESC LIMIT 250
Query for a table, which returns the values of the Name and Status custom fields, as well as the service field _count for those records of the active list in which the value of the Description custom field matches ILIKE '%ftp%'. The widget displays a table with the Status, Name, and Number columns.

Tab Actions

The following table lists the settings that must be specified on the Actions tab.

This tab is displayed if on the Selectors tab, in the Graph field, you have selected Bar chart.

Description of parameters

Setting

Description

Y-min and Y-max

Scale of the Y axis.

Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

X-min and X-max

Scale of the X axis.

Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

Tab wrench

The following table lists the settings that must be specified on the wrench tab.

Description of parameters

Settings	Description
Name	Name of the widget.
Description	Description of the widget.
Color	The color used for displaying the information: default for your browser's default font color green red blue yellow
Horizontal	Makes the histogram horizontal instead of vertical. When this setting is enabled, all available information is fitted into the configured widget size. If the amount of data is great, you can increase the size of the widget to display it optimally.
Show total	Shows sums total of the values.
Show legend	Displays a legend for the analytics. The toggle switch is turned on by default.
Show nulls in legend	Displays parameters with a null value in the legend for analytics. The toggle switch is turned off by default.

Page top

"Assets" customized widget

You can use the Assets → Customized widget to get advanced asset analytics from processed events using the query builder. In the query, you must specify the asset field and the corresponding condition or set of conditions by which you want the assets to be counted (Y-axis). You can also specify one or more additional conditions (categories) to be used for comparing the number of assets for each field.

When creating the custom widget for assets, you must specify the settings described in the tables below.

Tab Selectors

The following table describes the settings on the Selectors tab.

Description of parameters

Setting	Description

Graph	Graph type. The following graph types are available: Pie chart. The distribution of assets by the specified categories is displayed for all selected tenants. Counter. Assets are counted based on a single condition. The chart displays the sum of assets that match the condition across all selected tenants. Table. Assets are counted by the specified categories across all selected tenants. Each category in the chart has a corresponding row. The category name is displayed in the value column. The number of assets matching the condition is displayed in the metric column. Stacked bar chart Assets are counted by the specified categories across all selected tenants, and you can group assets by tenants (in this case, individual tenants are arranged along the X axis). Each category has its own zone on the bars of the chart, represented by its own color. Category names are displayed in the legend. You can use check boxes to the left of category names to hide or show the corresponding areas on the bars.
Format	This setting is available for charts of the Stacked bar chart type. Data display format: Absolute values or Relative values, %. If you select the Absolute values format, the heights of the bars correspond to the sum of the values of the measured indicator. If you select the Relative values, % format, all bars have the same height of 100%, and the relative heights of colored zones on the bars correspond to the ratios of indicator values. By default, Absolute values is selected.
Tenant	The tenant for which data is displayed in the widget. You can select multiple tenants. By default, data is displayed for tenants selected in layout settings.
Asset category	The asset category for which the widget is displaying data.
Search in uncategorized assets	This setting lets you display assets that do not have a category. This check box is cleared by default.
Select axes group of settings
Y-axis	Required setting. Asset field and the condition or set of conditions specified for this field, that define how assets are to be counted.
Y-axis category	Category for the selected field. Not used for a graph of the Counter type. This setting is optional for Y-axis fields whose values are enumerations (can be selected from a finite list of values). For all other fields, this parameter is required.
Group by tenant	This setting is available for charts of the Stacked bar chart type. Enables additional grouping of assets by tenant. If the check box is selected, assets on the chart are broken up along the X-axis into bars corresponding to individual tenants. If the check box is cleared, all assets are displayed on the same bar. This check box is cleared by default.

Tab wrench

The following table describes the settings on the wrench tab.

Description of parameters

Setting	Description
Name	Name of the widget.
Description	Description of the widget.
Show total	This setting is available for charts of the Pie chart type. Enables the display of totals in the chart, in addition to the selected categories. If this check box is enabled, the sum of the values of all specified categories is displayed in the center of the pie chart and in the legend in a separate Total column. The toggle switch is turned off by default.
Color	This setting is available for charts of the Counter type. The color used for displaying the information: default for your browser's default font color green red blue yellow
Horizontal	Makes the histogram horizontal instead of vertical. When this option is enabled, when a widget displays a large amount of data, horizontal scrolling is not available and all available information is fit into the fixed size of the widget. If there is a lot of data to display, it is recommended to increase the widget size.
Show legend	Displays a legend for the analytics. The toggle switch is turned on by default.
Show nulls in legend	Displays parameters with a null value in the legend for analytics. The toggle switch is turned off by default.
Decimals	Number of decimals to which the displayed value must be rounded off.
Scale	Available for a Stacked bar chart. Scale for displaying data. The following values are possible: Linear Square Logarithm The default is Linear.

Page top

Other widgets

This section describes the settings of all widgets except the Events and Active lists widgets.

The set of parameters available for a widget depends on the type of graph that is displayed on the widget. The following graph types are available in KUMA:

Pie chart ().
Counter ().
Table ().
Bar chart ().
Date Histogram ().
Line chart.
Stacked bar chart.

Settings for pie charts

The following table below lists the settings of a Pie chart.

Description of parameters

Setting	Description
Name	Name of the widget.
Description	Description of the widget.
Tenant	The tenant for which data is displayed in the widget. You can select multiple tenants. By default, data is displayed for tenants selected in layout settings.
Time period	Period for which data is displayed in the widget. The default is As layout, meaning that data is displayed for the period selected for the layout. You can also specify a period for the widget in one of the following ways: Select the exact start and end date and time of the period in the calendar and click Apply. Select a period relative to the present time in the Relative period list. Specify a value manually: select an exact date and time or a relative period, or a combination of both. For details, see the Configuring a period subsection below.
Show total	Shows sums total of the values.
Show legend	Displays a legend for the analytics. The toggle switch is turned on by default.
Show nulls in legend	Displays parameters with a null value in the legend for analytics. The toggle switch is turned off by default.
Decimals	Number of decimals to which the displayed value must be rounded off.

Settings for counters

The following table below lists the settings of a Counter.

Description of parameters

Setting	Description
Name	Name of the widget.
Description	Description of the widget.
Tenant	The tenant for which data is displayed in the widget. You can select multiple tenants. By default, data is displayed for tenants selected in layout settings.
Time period	Period for which data is displayed in the widget. The default is As layout, meaning that data is displayed for the period selected for the layout. You can also specify a period for the widget in one of the following ways: Select the exact start and end date and time of the period in the calendar and click Apply. Select a period relative to the present time in the Relative period list. Specify a value manually: select an exact date and time or a relative period, or a combination of both. For details, see the Configuring a period subsection below.

Settings for tables

The following table below lists the settings of a Table.

Description of parameters

Setting	Description
Name	Name of the widget.
Description	Description of the widget.
Tenant	The tenant for which data is displayed in the widget. You can select multiple tenants. By default, data is displayed for tenants selected in layout settings.
Time period	Period for which data is displayed in the widget. The default is As layout, meaning that data is displayed for the period selected for the layout. You can also specify a period for the widget in one of the following ways: Select the exact start and end date and time of the period in the calendar and click Apply. Select a period relative to the present time in the Relative period list. Specify a value manually: select an exact date and time or a relative period, or a combination of both. For details, see the Configuring a period subsection below.
Show data for previous period	Enabling the display of data for the current and previous periods simultaneously.
Color	The color used for displaying the information: default for your browser's default font color green red blue yellow
Decimals	Number of decimals to which the displayed value must be rounded off.

Settings for Bar charts, Stacked bar charts, and Date Histograms

The table below lists the settings for the Bar chart and Date Histogram type graphs located on the Actions tab.

Description of parameters

Setting

Description

Y-min and Y-max

Scale of the Y axis.

Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

X-min and X-max

Scale of the X axis.

Negative values can be displayed on chart axes. This is due to the scaling of charts on the widget and can be fixed by setting zero as the minimum chart values instead of Auto.

Decimals

Number of decimals to which the displayed value must be rounded off.

The table below lists the settings for the Bar chart, Stacked bar chart, and Date Histogram type graphs located on the wrench tab.

Description of parameters

Setting	Description
Name	Name of the widget.
Description	Description of the widget.
Tenant	The tenant for which data is displayed in the widget. You can select multiple tenants. By default, data is displayed for tenants selected in layout settings.
Time period	Period for which data is displayed in the widget. The default is As layout, meaning that data is displayed for the period selected for the layout. You can also specify a period for the widget in one of the following ways: Select the exact start and end date and time of the period in the calendar and click Apply. Select a period relative to the present time in the Relative period list. Specify a value manually: select an exact date and time or a relative period, or a combination of both. For details, see the Configuring a period subsection below.
Show data for previous period	Enables the display of data simultaneously for the current and previous periods.
Color	The color used for displaying the information: default for your browser's default font color green red blue yellow
Horizontal	Makes the histogram horizontal instead of vertical. When this setting is enabled, all available information is fitted into the configured widget size. If the amount of data is great, you can enlarge the widget to better fit the data.
Show total	Shows sums total of the values.
Show legend	Displays a legend for the analytics. The toggle switch is turned on by default.
Show nulls in legend	Displays parameters with a null value in the legend for analytics. The toggle switch is turned off by default.
Period segments length	Duration of the segments into which you want to divide the period. Available for graphs of the Date Histogram type.

Configuring a period

For graphs such as Pie chart, Counter, Table, Bar chart, Stacked bar chart, Date Histogram, you can configure the period for displaying data in the widget using the Period setting. By default, the data display period of the widget is the same as the data display period of the dashboard.

To configure the data display period, do one of the following:

If necessary, change the date and time in the Time period setting in one of the following ways:
- If you want to specify an exact date, in the calendar on the left, select the start and end date of the period and click Apply.
  You can select a date up to and including the current date. The date and time format depends on your browser settings. If the Date from or Date to field has a value and you have not edited the time value manually, when you select a date in the calendar, the Date from field is automatically populated with 00:00:00.000, and the Date to field with 23:59:59.999. If you have manually deleted the value in the Date from or Date to field, when you select a date in the calendar, the field is automatically populated with the current time. After you select a value in one of the fields, the focus switches to the other field. If your Date to is earlier than your Date from, this earlier value is automatically inserted into the Date from field.
- If you want to specify a relative period, select one of the available periods in the Relative period list on the right.
  The period is calculated relative to the current time.
- If you want to specify a custom period, edit the value of the Date from and Date to fields.
  You can enter an exact date and time in the DD.MM.YYYY HH:mm:ss.SSS format for the Russian localization and YYYY-MM-DD HH:mm:ss.SSS for the English localization or a period relative to the current time as a formula. You can also combine these methods if necessary. If you do not specify milliseconds when entering the exact date, 000 is substituted automatically. If you have edited the time in the Date from or Date to fields, picking a date in the calendar does not change the time component.
  
  In the relative period formulas, you can use the now parameter for the current date and time and the interval parameterization language: + (only in the Date to field), -, / (rounding to the nearest), as well as time units: y (year), M (month), w (week), d (day), h (hour), m (minute), s (second). For example, you can specify the period now-5d to get data for the last five days, or now/w to get data from the beginning of the first day of the current week (00:00:00:000 UTC) to the current time (now).
  
  The Date from field is required, and its value cannot exceed the value of the Date from field, and also cannot be earlier than 1970-01-01 (if specifying an exact date or a relative period). The Date to cannot be earlier than the Date from. If you do not specify a value in the Date from field, now is specified automatically.
KUMA stores time values in UTC, but in the user interface time is converted to the time zone of your browser. This is relevant to the relative periods: Today, Yesterday, This week, and This month. For example, if the time zone in your browser is UTC+3, and you select Today as the data display period, data will be displayed for the period from 03:00:00.000 until now, not from 00:00:00.000 until now.

If you want to take your time zone into account when selecting a relative data display period, such as Today, Yesterday, This week, or This month, you need to manually add a time offset in the Date from and Date to fields (if a value other than now is specified) by adding or subtracting the correct number of hours. For example, if your browser's time zone is UTC+3 and you want to display data for Yesterday, you need to change Date from to now-1d/d-3h and Date to to now/d-3h. If you want to display data for the Today period, you only need to change the value in the Date from field to now/d-3h.

If you need results up to 23:59:59:999 UTC of yesterday, you can use an SQL query with a filter by Timestamp or specify an exact date and time.

The bounds of the period are inclusive: for example, for the Today time range, events are displayed from the beginning (00:00:00:000 UTC) of the current day to the current time (now) inclusive, and for the Yesterday period, events are displayed from the beginning (00:00:00:000 UTC) of the previous day to 00:00:00:000 UTC of the current day. You can view the date and time of the last data update and the exact period for which the data is displayed by hovering over the period icon in the widget.

If the Show data for previous period setting is enabled for the widget, and the widget is displaying data for a relative period, the tooltip also displays the previous period. The previous period is calculated relative to the current period as start and end values of the current period minus the duration of the current period. For example, if data is updated daily and displayed for a month, but only the first 10 days of the month have passed, the previous period is taken to be the last 10 days of the previous month.
If you want the widget to display data for the period selected for the layout, click the Reset button. Changing the displayed period on the layout also changes the period displayed in the widget.

Page top

Displaying tenant names in "Active list" type widgets

If you want the names of tenants to be displayed in 'Active list' type widgets instead of tenant IDs, in correlation rules of the correlator, configure the function for populating the active list with information about the corresponding tenant.

The configuration process proceeds in stages:

Export the list of tenants.
Create a dictionary of the Table type.
Import the list of tenants obtained at step 1 into the dictionary created at step 2 of these instructions.
Add a local variable with the dict function for mapping the tenant name to tenant ID to the correlation rule.
Example:
- Variable: TenantName
- Value: dict ('<Name of the previously created dictionary with tenants>', TenantID)
Add a Set action to the correlation rule, which writes the value of the previously created variable to the active list in the <key>-<value> format. As the key, specify the field of the active list (for example, Tenant), and in the value field, specify the variable (for example, $TenantName).

When this rule triggers, the name of the tenant mapped by the dict function to the ID in the tenant dictionary is placed in the active list. When creating widgets based on active lists, the widget displays the name of the tenant instead of the tenant ID.

Page top

Contents

Analytics

Dashboard

Creating a dashboard layout

Selecting a dashboard layout

Selecting a dashboard layout as the default

Editing a dashboard layout

Deleting a dashboard layout

Enabling and disabling TV mode

Predefined dashboard layouts

Reports

Report template

Creating report template

Configuring report schedule

Editing report template

Copying report template

Deleting report template

Generated reports

Viewing reports

Generating reports

Saving reports

Deleting reports

Widgets

Basics of managing widgets

Special considerations for displaying data in widgets

Creating a widget

Editing a widget

Deleting a widget

Widget settings

"Events" widget

"Active lists" widget

"Context tables" widget

"Assets" customized widget

Other widgets

Displaying tenant names in "Active list" type widgets