FortiSIEM How Values in Dashboard Columns are Derived


The values in Summary dashboard columns are either derived from system information (for example, the IP address for a device), or are metrics associated with events and their attributes. This topic uses the example of the CPU Util column in many summary dashboards to explain the relationship between event attributes and display columns, and how values in those columns are calculated.

  1. Log in to your Supervisor node.
  2. Go to Dashboard > Device View > All Devices.
  3. Click Select Columns.

You will see a list of all the columns used in this dashboard under Selected Columns. Under Selected Columns you’ll see CPU Util, and next to it, in parentheses, you will see three event types listed, whose attributes are used to create this calculation: PH_DEV_MON_SYS_CPU_UTIL, PH_DEV_MON_EC2_METRIC, and PH_DEV_MON_CLARION_SP_UTIL. The metrics associated with these attributes are displayed in the CPU Util column, but how are metrics collected over time represented as a single value? To answer this question, you need to examine the column settings and Aggregation Method in the Device Support > Dashboard Columns page.

  1. Go to Admin > Device Support > Dashboard Columns.
  2. Find System CPU Utilization in the list of dashboard columns. CPU Util is part of the System CPU Utilization set of metrics.
  3. Each dashboard column has the same set of attributes. Each attribute is listed below with its description and its value for System CPU Utilization:

     Name
       Description: The metric collected
       Value: System CPU Utilization

     Event Type
       Description: The type of event that provides the attributes for the metric
       Value: PH_DEV_MON_SYS_CPU_UTIL
              PH_DEV_MON_EC2_METRIC
              PH_DEV_MON_CLARION_SP_UTIL

     Column Name
       Description: The display name in the Summary dashboard for the metric
       Value: CPU Name
              Storage Processor
              CPU Utilization
              Host IP Address: Most events include a Host IP address, however there is no Column Name for this metric as FortiSIEM generates the column name Device IP in relation to the metric.

     Column Attribute
       Description: The specific attribute used for each Column Name
       Value: Device IP (system generated name) – hostIpAddr
              CPU Name – cpuName
              Storage Processor – spName
              CPU Util – cpuUtil

     Column Type
       Description: The type of information that will be displayed in the column for each attribute
       Value: Device IP (system generated name) – hostIpAddr – Host
              CPU Name – cpuName – Object
              Storage Processor – spName – Object
              CPU Util – cpuUtil – Reading

     Aggregator
       Description: For readings, the mathematical aggregator that will be used to calculate the metric. Options are: AVG, SUM, MAX, MIN, LAST. Using a pipe | between two operators indicates that the first operation should be aggregated over time, and the second over the object.
       Value: CPU Util – cpuUtil – Reading – AVG|AVG

With this information, you can see that the CPU Util metric is derived from the cpuUtil attribute of the PH_DEV_MON_SYS_CPU_UTIL event, and that the display column is a reading that uses the calculation Average over time and then Average over the object being reported on. Now apply this to the event reports for a host with two CPUs, and you can see how the calculation works.

This output shows two samples of cpuUtil taken over three minutes for each CPU running on the host 192.168.0.40. According to the Aggregator for this column, FortiSIEM should first average the samples over time for each CPU, and then average those together to derive the metric for the host. The average for CPU 1 is 3.000000, and the average for CPU 2 is 30.000000. These values are combined and averaged again to get the overall metric for the host, which is 16.500000.
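The two-stage calculation described above, as an added Python example (not FortiSIEM code). It generalizes to any pair of the listed aggregators and shows where AVG|AVG diverges from a flat average of the raw events. The function names and the individual sample readings are constructed for illustration; the readings are chosen to give the per-CPU averages of 3 and 30 from the text.

```python
from collections import defaultdict

# The aggregators listed for dashboard columns; each receives readings in time order.
AGGREGATORS = {
    "AVG": lambda v: sum(v) / len(v),
    "SUM": sum,
    "MAX": max,
    "MIN": min,
    "LAST": lambda v: v[-1],
}

def aggregate_reading(events, spec, object_attr="cpuName", reading_attr="cpuUtil"):
    """Apply an 'OVER_TIME|OVER_OBJECT' spec such as 'AVG|AVG'; returns {hostIpAddr: value}."""
    time_op, object_op = (AGGREGATORS[name] for name in spec.split("|"))
    # host -> object (for example a CPU) -> readings in arrival order
    series = defaultdict(lambda: defaultdict(list))
    for ev in events:
        series[ev["hostIpAddr"]][ev[object_attr]].append(ev[reading_attr])
    result = {}
    for host, objects in series.items():
        # Stage 1: collapse each object's samples over time.
        per_object = [time_op(readings) for readings in objects.values()]
        # Stage 2: collapse the per-object values into one value for the host.
        result[host] = object_op(per_object)
    return result

def flat_average(events, reading_attr="cpuUtil"):
    """Single-stage average over all raw events, for comparison only."""
    values = [ev[reading_attr] for ev in events]
    return sum(values) / len(values)

def make_events(host, samples):
    """Build constructed events using the attribute names from the column definition."""
    return [{"hostIpAddr": host, "cpuName": cpu, "cpuUtil": value}
            for cpu, values in samples.items() for value in values]

# Constructed readings: two samples per CPU, averaging 3 and 30 as in the text.
EVEN = make_events("192.168.0.40", {"CPU 1": [2.0, 4.0], "CPU 2": [20.0, 40.0]})
# Constructed variant: CPU 1 reported twice as often as CPU 2.
UNEVEN = make_events("192.168.0.40", {"CPU 1": [2.0, 4.0, 3.0, 3.0], "CPU 2": [20.0, 40.0]})

if __name__ == "__main__":
    print("AVG|AVG, even samples:  ", aggregate_reading(EVEN, "AVG|AVG"))
    print("AVG|AVG, uneven samples:", aggregate_reading(UNEVEN, "AVG|AVG"))
    print("flat average, uneven:   ", flat_average(UNEVEN))
```

When every object reports the same number of samples the two-stage and flat averages agree; when they do not, a hand-written average over raw events will not match the dashboard column.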



About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
