FAQ: Adding columns to report tables
How can I add additional columns to report tables, e.g. to add a single report which reports source IP, destination IP, source port, and destination port?
Short Answer
Edit the report in the profile .cfg file to add a new item to the columns group.
Long Answer
Edit the profile .cfg file, which is in the profiles folder of the LogAnalysisInfo folder. Look for "reports = {" to find the reports list. Look down until you find a report which shows a table for one of the fields you want, e.g. in the source_ip/destination_ip/source_port/destination_port example, you would look for the destination_port report (the actual name of this report, and of field values, will vary depending on your log format). The report will look something like this:
destination_port = {
report_elements = {
destination_port = {
label = "$lang_stats.destination_port.label"
type = "table"
database_field_name = "destination_port"
sort_by = "events"
sort_direction = "descending"
show_omitted_items_row = "true"
omit_parenthesized_items = "true"
show_totals_row = "true"
starting_row = "1"
ending_row = "10"
only_bottom_level_items = "false"
show_graph = "false"
columns = {
0 = {
type = "string"
visible = "true"
field_name = "destination_port"
data_type = "string"
header_label = "%7B=capitalize(database.fields.destination_port.label)=}"
display_format_type = "string"
main_column = "true"
} # 0
1 = {
header_label = "%7B=capitalize(database.fields.events.label)=}"
type = "events"
show_number_column = "true"
show_percent_column = "false"
show_bar_column = "false"
visible = "true"
field_name = "events"
data_type = "int"
display_format_type = "integer"
} # 2
} # columns
} # destination_port
} # report_elements
label = "Destination report"
} # destination_port
There may be other columns, but the two shown here are a minimum -- one for the destination port field, and one for the "events" field (might be called "packets" or something else). This describes a report which has two columns: destination port and number of events.
To add a four-column source_ip/destination_ip/source_port/destination_port report, copy the entire thing and change the name to custom_report. Then duplicate the destination_port column three times, and edit the copies so they're source_ip, destination_ip, and source_port. The result:
custom_report = {
report_elements = {
custom_report = {
label = "Custom Report"
type = "table"
database_field_name = "destination_port"
sort_by = "events"
sort_direction = "descending"
show_omitted_items_row = "true"
omit_parenthesized_items = "true"
show_totals_row = "true"
starting_row = "1"
ending_row = "10"
only_bottom_level_items = "false"
show_graph = "false"
columns = {
source_ip = {
type = "string"
visible = "true"
field_name = "source_ip"
data_type = "string"
header_label = "%7B=capitalize(database.fields. source_ip.label)=}"
display_format_type = "string"
main_column = "true"
} # source_ip
destination_ip = {
type = "string"
visible = "true"
field_name = "destination_ip"
data_type = "string"
header_label = "%7B=capitalize(database.fields. destination_ip.label)=}"
display_format_type = "string"
main_column = "true"
} # destination_ip
source_port = {
type = "string"
visible = "true"
field_name = "source_port"
data_type = "string"
header_label = "%7B=capitalize(database.fields. source_port.label)=}"
display_format_type = "string"
main_column = "true"
} # source_port
destination_port = {
type = "string"
visible = "true"
field_name = "destination_port"
data_type = "string"
header_label = "%7B=capitalize(database.fields.destination_port.label)=}"
display_format_type = "string"
main_column = "true"
} # destination_port
1 = {
header_label = "%7B=capitalize(database.fields.events.label)=}"
type = "events"
show_number_column = "true"
show_percent_column = "false"
show_bar_column = "false"
visible = "true"
field_name = "events"
data_type = "int"
display_format_type = "integer"
} # 2
} # columns
} # custom_report
} # report_elements
label = "Custom report"
} # custom_report
Finally, add it to the reports_menu list (again, this is easiest to do by duplicating the existing reports_menu item for destination port), like this:
custom_report = {
type = "view"
label = "Custom Report"
view_name = "custom_report"
visible = "true"
visible_if_files = "true"
} # custom_report
And you should have a Custom Report item in your reports menu, which links to the multi-column report.
If you're creating a two-column report, you can get an indented layout with subtables (rather than a "spreadsheet" layout) by adding the following section to the report group (e.g. right above the "} # custom_report" line, above):
sub_table = {
ending_row = "10"
omit_parenthesized_items = "true"
show_omitted_items_row = "true"
show_averages_row = "false"
show_totals_row = "true"
} # sub_table
This sub_table node will work only for reports which have exactly two non-numerical columns (e.g. source_ip/destination_ip).