ReportMagic

[LogicMonitor.AuditEventAnalysis:]NEW

Adds an Audit Event Analysis tab to the XLSX output document.

Purpose

Adds an Audit Event Analysis tab to the XLSX output document, using data from the LogicMonitor audit logs (Settings => Audit Logs) and enhanced with additional data.

Macro Compatibility

The macro can be used in the highlighted input document types only. A greyed-out icon indicates not supported.

Usage

Does not work in Report Studio. The default columns output into the XLSX file are: 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole', 'WildValue' and 'Count'. This macro intentionally fails if the date range is greater than 3 months, for memory and performance reasons. Note that if the Log item's Description is more than 32,767 characters, it will be truncated to 32,767 characters, due to limitations in Excel. Otherwise when you open the file in Excel, it will complain that the file cannot be opened and attempt an automatic fix which itself truncates the file.

Parameter	Type	Deprecation Message	Preferred Parameter	Presence	Purpose	Options	Default
addChart	Boolean			Optional	Whether to add a chart to the Analytics worksheet.	true false	true
addTitle	Boolean			Optional	Whether to add a title to the Analytics worksheet.	true false	true
auto	Boolean			Optional	If 'true', the reporting period will be the last calendar month and neither startDate nor endDate parameters may be used.	true false	false
columnFields	List<String>	Deprecated	pivotTableColumnFields		The pivot table column fields. In Excel's PivotTable Fields UI, these correspond to the items in the 'Columns' section. You an use any of the heading names: 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole' and 'WildValue'.	N/A	N/A
columnGrandTotals	Boolean			Optional	Whether to add column grand totals to the pivot table.	true false	true
comment	String			Optional	Add a comment to make your document template more readable. The comment is discarded in the output document.	N/A	N/A
connectionName	String			Optional	The name of the Connection.	N/A	N/A
endDate	DateTimeOffset			Optional	The end date in the format YYYY-MM-DD.	N/A	Midnight on the first day of this month
errorOnOverflow	Boolean			Optional	Should NCalc expression evaluation throw error on Overflow	true false	true
failureText	String			Optional	The text to display should the macro fail to execute. Note that a poorly-specified macro (e.g. omitting mandatory parameters) will still result in an error message.	N/A	N/A
filterFields	List<String>	Deprecated	pivotTableFilterFields		The pivot table filter fields. In Excel's PivotTable Fields UI, these correspond to the items in the 'Filters' section. You an use any of the heading names: 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole' and 'WildValue'.	N/A	N/A
if	String			Optional	The condition that must be true in order for the macro to be executed/evaluated. Must either evaluate to true or false, for example: "3+5=8" or "contains('abcd', 'z').	N/A	true
maxAttempts	Int32			Optional	The maximum number of attempts when requesting data via the LogicMonitor API.	From 1 to 2147483647	N/A
mode	MacroMode			Optional	The mode in which variables are stored. In the legacy mode (default for Schedules), the variable created is a string and formatted. In the normal mode (default for Report Studio), the output variable is stored as a strongly-typed object, e.g. an Int32 or a List etc., rather than a formatted string.	Legacy Normal	Legacy
monthsToReport	Int32			Optional	If set, sets 'endDate' to the 'start' plus the specified number of months.	N/A	N/A
obfuscation	ObfuscationType			Optional	Obfuscation type. Use obfuscation to write reports where sensitive data is hidden. When used, ReportMagic guarantees that the same input string will map to the same output string for the whole of the report (but the next time the report runs, it will most likely map to a different value). If you use obfuscation, the property in your macro will not show up and instead, you will see a fake item of the obfuscation type chosen.	None UkTown DeviceName Company IpAddress PrivateIpAddress	None
pivotTableColumnFields	List<String>	Use instead of: columnFields		Optional	The pivot table column fields. In Excel's PivotTable Fields UI, these correspond to the items in the 'Columns' section. You an use any of the heading names: 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole' and 'WildValue'.	N/A	N/A
pivotTableFilterFields	List<String>	Use instead of: filterFields		Optional	The pivot table filter fields. In Excel's PivotTable Fields UI, these correspond to the items in the 'Filters' section. You an use any of the heading names: 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole' and 'WildValue'.	N/A	N/A
pivotTableRowFields	List<String>	Use instead of: rowFields		Optional	The pivot table row fields. In Excel's PivotTable Fields UI, these correspond to the items in the 'Rows' section. You an use any of the heading names: 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole' and 'WildValue'.	N/A	N/A
pivotTableValueFields	List<String>	Use instead of: valueFields		Optional	The pivot table value fields. In Excel's PivotTable Fields UI, these correspond to the items in the 'Values' section. For each column name, you can specify the aggregation to use via the ^ character e.g. column1^Sum. Omit this to use the default Count aggregation. Valid aggregation values are: 'Average', 'Count', 'CountNumbers', 'Max', 'Min', 'Product', 'StdDev', 'StdDevP', 'Sum', 'Var' or 'VarP'. For each column name, if and only if you have specified an aggregation, you can also specify the number format to use in the pivot table and chart. To do this, use an additional caret separator and specify the number format. For example: column1^Sum^0.00 would use 2 decimal places for the format. You an use any of the heading names: 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole' and 'WildValue'.	N/A	N/A
rowFields	List<String>	Deprecated	pivotTableRowFields		The pivot table row fields. In Excel's PivotTable Fields UI, these correspond to the items in the 'Rows' section. You an use any of the heading names: 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole' and 'WildValue'.	N/A	N/A
rowGrandTotals	Boolean			Optional	Whether to add row grand totals to the pivot table.	true false	false
startDate	DateTimeOffset			Optional	The start date in the format YYYY-MM-DD.	N/A	Midnight on the first day of last month
valueFields	List<String>	Deprecated	pivotTableValueFields		The pivot table value fields. In Excel's PivotTable Fields UI, these correspond to the items in the 'Values' section. For each column name, you can specify the aggregation to use via the ^ character e.g. column1^Sum. Omit this to use the default Count aggregation. Valid aggregation values are: 'Average', 'Count', 'CountNumbers', 'Max', 'Min', 'Product', 'StdDev', 'StdDevP', 'Sum', 'Var' or 'VarP'. For each column name, if and only if you have specified an aggregation, you can also specify the number format to use in the pivot table and chart. To do this, use an additional caret separator and specify the number format. For example: column1^Sum^0.00 would use 2 decimal places for the format. You an use any of the heading names: 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole' and 'WildValue'.	N/A	N/A
waitDuringUpgrades	Boolean			Optional	Whether to wait during LogicMonitor upgrades (i.e. execution essentially pauses).	true false	N/A
warning	String			Optional	If specified, adds a warning message for this macro. This is processed as an NCalc, and the warning message will ALWAYS be present and will be the value of the evaluated NCalc expression.	N/A	N/A
where	String			Optional	An optional NCalc expression such as: contains(jPath(item, 'UserName'), 'monitoring'). The 'item' token inside this jPath function is mandatory and represents a log item, and finds the value of 'UserName' on it. You can use any of these properties in the expression (they are the same as XLSX output headings and always WITHOUT spaces): 'ActionType', 'AlertId', 'AlertNote', 'ApiMethod', 'ApiPath', 'ApiTokenId', 'CollectorDescription', 'CollectorGroupId', 'CollectorGroupName', 'CollectorId', 'CollectorName', 'Command', 'DataSourceDeletedInstanceIds', 'DataSourceDeletedInstanceNames', 'DataSourceNewInstanceIds', 'DataSourceNewInstanceNames', 'DateTime', 'Description', 'EndDownTime', 'EntityType', 'Host', 'Id', 'InstanceId', 'InstanceName', 'LogicModuleId', 'LogicModuleVersion', 'MatchedRegExId', 'MonthlyMetrics', 'OriginalDescription', 'OriginatorType', 'OutcomeType', 'PerformedByUsername', 'PropertyName', 'PropertyValue', 'RemoteSessionId', 'RemoteSessionType', 'RequestId', 'ResourceDataSourceId', 'ResourceGroupId', 'ResourceGroupName', 'ResourceHostname', 'ResourceIds', 'ResourceNames', 'RestrictSso', 'SessionId', 'StartDownTime', 'Time', 'UserEmail', 'UserId', 'UserName', 'UserRole', 'WildValue' and 'Count'. For more details about NCalc and expression examples, refer to the [Calculate:] macro.	N/A	N/A
worksheetName	String			Optional	The name to use for the analytics worksheet (which will contain the pivot table and chart). The data worksheet (which will contain the 'fact table') uses this name plus the suffix ' Data'. If a worksheet by this name already exists, the new name will have a number appended, e.g. Analytics1, Analytics2, etc. Excel does not allow blank names, names above 31 characters, and the following characters: :, /, \, ?, *, [, ].	N/A	Audit Event Analytics

Examples (3)

Example 1:

This example customises the date (to fetch just one day's worth of data), and also configures the pivot table with various items:

[LogicMonitor.AuditEventAnalysis: startDate=2025-01-01 00:00:00, endDate=2025-01-02 00:00:00, pivotTableColumnFields=Description;ActionType, pivotTableFilterFields=AlertId;CollectorName, pivotTableRowFields=DateTime, pivotTableValueFields=CollectorId]

Example 2:

This example shows how to use the 'where' parameter to include only logs where the PerformedByUsername contains the text 'monitoring'. The 'isNullOrEmpty' check ensures any items where the PerformedByUsername value is empty or null do not cause a failure. Note the use of back-ticks around the where expression, as it contains single quotes which can interfere with macro parsing:

[LogicMonitor.AuditEventAnalysis: startDate=2025-02-01 00:00:00, endDate=2025-02-02 00:00:00, where=`!isNullOrEmpty(jPath(item, 'PerformedByUsername')) && contains(jPath(item, 'PerformedByUsername'), 'monitoring')`]

Example 3:

This example shows how to use the 'where' parameter to include only audit events where the API method is 'GET'. Note the use of back-ticks around the where expression, as it contains single quotes which can interfere with macro parsing:

[LogicMonitor.AuditEventAnalysis: startDate=2025-02-01 00:00:00, endDate=2025-02-10 00:00:00, where=`jPath(item, 'ApiMethod') == 'GET'`]