Reports

The Reports views of the Scrutinizer web interface are used to create, run/view, and manage reports. Advanced features, such as defining custom report thresholds, setting up scheduled email reports, and creating forecasts (requires Plixer One Enterprise), can also be accessed from these views.

This section comprises detailed guides for leveraging the various functions related to reports in Scrutinizer.

Creating reports

Reports are fully configurable network data aggregations that enable customized transparency for any asset or activity on the network.

When a report is run, traffic data matching the specified filters (time window, sources/devices, etc.) is collated based on the selected report type. The results are then displayed in the output view.

Creating/running a new report

To create/run a new report, navigate to the Reports > Run Report page and follow these steps:

1. Select between the two options to start creating a report:

   • Select Devices: Select one or more devices to use as data sources for the report before specifying the report type.

   • Select Report Type: Select a report type to define the data aggregation criteria before specifying data sources.

2. After the devices and report type have been selected, configure the following settings/filters for the report:

   • Time Window: Select a Last X time window or specify a custom range to be covered by the report (default: last 24 hours).

   • Display Type: Select the graph or chart for result visualization in the output view.

   • Additional Filters: Define any additional filters to be applied to the report.

3. Click Run Report.

A progress bar is shown as the report is being run, after which the report results/output view will be displayed.

Note

• Settings and filters can be modified after a report is initially run to refine the results for further investigation.

• Only report types and categories supported by available devices will be displayed when selecting a report type. The Recommended, Recent (last 16 report types run), and Designed Reports categories can also be used to quickly find frequently used report types.

• When a last X time window is selected, clicking the up or down arrow will automatically shift the date/time period covered forward or backward.

Saving reports

After a report is created and run, the configuration can be saved by clicking the save (disk) button in the output view. See this page for further details on saving and managing reports.

Running reports via URL

A Host to Host pair report can be run against all available devices with a filter for a specified IP address (FILTER_IP) using the following URL format:

https://SCRUTINIZER_ADDRESS/ui/reports/run-report/search/el/FILTER_IP

Scrutinizer will also accept a FILTER_IP in hex format but only if the IP address belongs to an exporter.

Custom reports

To learn more about creating custom reports, see the Report Designer topic in the Classic UI section of this documentation.

Report output

The output of a report will mainly consist of two classes of data: the grouping criteria/entities(sources/destinations, IP groups, users, etc.) and their aggregated activity data.

After a report completes running, the results are displayed in both graph and table formats in the output view, where the reports original settings can continuously be refined to create the visibility required for the current task.

Graph details and functions

Each report type supports multiple interactive graph options to visualize the data for the top ten grouping entities based on their activity. An Others entity, which combines the aggregated activity data for all entities outside the top ten, is also included.

The Graph dropdown allows the user to quickly switch between the available visualizations directly from the output view. Additional details for any entity or activity can be viewed by hovering over the corresponding graph element.

Table/list details

The output view table functions as both a summary of the report results and a legend for the graph. The columns to the left (without the sorting arrows) list report type’s grouping entities, while the right-hand columns are used for the aggregated activity details. Traffic values can be displayed as average rates or totals (for the entire time range) by selecting the corresponding global setting in the Options tray.

Clicking on an entity in any grouping criteria column (e.g., source, application, or destination in a Conversations App report) opens a tray from where any supported report type can be run.

Hint

• Timeline graphs (line, step, stacked bar, etc.) can be used to apply a new time range to the current report. To do this, click on the graph once, and then click and drag to highlight the new range to use.

• To hide the graph for the current report, click the Hide button in the header.

• Individual cells in the grouping criteria columns of the table can be dragged to the left into inclusion and exclusion dropzones to configure additional filters for the current report (click the Apply button in the tray when done).

Filters tray

Clicking the Report Filters button in the output view opens a tray where the filters for the current report can be redefined.

To add a new filter, do the following:

1. Click the Filters button to open the tray.

2. In the tray, click the + button.

3. Select filter type for the new filter.

4. Configure the required details for the filter (varies by filter type).

5. Click the Add button.

6. In the primary tray, click the Apply button to re-run the report with the new filter(s) applied.

Existing filters can be modified by clicking the edit (pencil) button or removed by clicking the delete (trash bin) button.

For a full list of supported report filters, see this page.

Flow Hopper view

The results table of Connections by Bytes pair reports includes the option to switch to the Flow Hopper view, which can be used to retrace the path taken by a flow traversing the network. The path shown in this view will remain accurate even if topology has changed since the time of the flow.

Note

Flow Hopper requires all devices in the flow path to be exporting NetFlow v5 or higher to the collector. Next-hop routing information and read-only SNMPv2 or v3 access to the router is also required.

If an asymmetric flow path is observed (i.e., a different return route), the connection will be drawn out accordingly. Hovering over each router or layer 3 switch in the view will display all details included in the flow template. Changes in element values (e.g., DSCP, TTL, octets, etc.) between ingress and egress metered flows are highlighted as well.

Additional options

Clicking the Options button in the header opens a tray containing the following option submenus:

Global	Data: Toggle between rates or totals in report results. Data Source: Specify an aggregation/roll-up table to use for reports. Data Units: Toggle between bits or bytes in report results. Interfaces: Enable/disable grouping report results by interface. Data Mode: Toggle between summary and forensic flow data to run reports. Show Others: Enable/disable including the Others grouping entity in report results. Show Host Names: Toggle between host IP addresses and hostnames in report results. Rows: Select the number of grouping categories to include in report results.
Table	Peak: Show/hide additional column for peak activity details. 95th: Show/hide additional column for 95th percentile activity details. Values: Toggle between formatted/rounded and raw calculated activity data in the report table.
Threshold	Configure a custom threshold for the current report.
Details	Collectors: View expanded details for the collectors associated with the data sources of the current report. Exporters: View expanded details for the exporters/data sources used for the current report. Report JSON: View the report JSON (for reporting API calls)

Note

• Toggle on Display Advanced Options in the tray to access the Data Mode and Values settings.

• If the Rows setting is increased beyond 10, additional grouping criteria/entities will be displayed in gray in the graph.

• Use the Copy to clipboard button to quickly copy the report JSON to your clipboard.

Refining report results

After a report is run, the output view can be used to further investigate any entity or activity included in the report results.

Sample use cases and workflows for reports can be found in this section of this documentation.

Switching between graphs

After a report has been run, the Graph dropdown allows the user to freely switch between the different graph and chart types supported by the report type.

This allows teams to highlight different aspects of a report’s results as needed for their resolution or investigation.

Modifying the time range

The current report can be re-run to cover a different time range of flow data, allowing teams to inspect activity for the same grouping criteria at different points in time.

The period of time covered by the current report configuration can be adjusted via the time range selector in the main output view or by highlighting (click and drag) an area in any timeline graph.

Editing filters

Once a report completes running, its initial filter configuration can be modified to highlight activity for specific grouping entities.

In the main output view, click the Filters button to add, modify, and/or remove filters. Additional filters can also be defined by dragging entities from the table’s grouping criteria columns into the corresponding dropzones on the left side of the page. After the new filter configuration has been set up, click the Apply button in the tray to re-run the report.

Pivoting to other report types

The Report Type dropdown in the main output view can be used to run a different report type using the current data sources, filters, and other settings. This function can be used when additional context is required to further investigate a host or activity on the network.

Additionally, a different report type can be filtered for a specific entity in any of the table’s grouping criteria columns. This is done by clicking on the entity and selecting the report to run in the Available Reports tray.

Report filters

Reports can be run using any combination of filters, including data sources (devices) and the time window covered.

The following table lists all additional filters that can be applied either before a report is first run or from the output view:

Type	Description	Parameter(s)	Option(s)
Applications	Filters results for a selected NBAR application	NBAR application	Restriction
Applications defined	Filters results for a selected defined application (based on definitions under Admin > Definitions > Applications)	Defined application	Restriction
Autonomous system by tag	Filters results for the selected autonomous system (AS) tags	Autonomous system (by AS number)	Direction, restriction
Business hours	Filters results for activity during specified business hours	Start hour, end hour, time zone, days	N/A
Calculated column filter	Filters results based on values in one of the report’s calculated columns	Filter column, comparison operator and value	N/A
Country	Filters results for the selected country	Country	Direction, restriction
Device/interface	Filters results for activity associated with the specified devices, interfaces, or mapping groups	Device Interface (if a device is selected) Mapping group (if Group is selected)	N/A
Domain	Filters results for the specified domain	Domain	Direction, restriction
Flow template	Filters results for the selected template	Flow template	Restriction
Host list	Filters results for the specified hosts	Host IP address(es)	Direction, restriction
Host to host	Filters results for activity between the specified host pair	Host pair IP addresses	Restriction
IP Groups	Filters results for the selected IP group (defined under Admin > Definitions > IP Groups)	IP group name	Direction, restriction
IP host	Filters results for the specified host IP address	Host IP address	Direction, restriction
IP range	Filters results for the specified range of IP addresses	Starting and ending IP addresses	Direction, restriction
IP subnet	Filters results for the specified subnet	Subnet address and mask	Direction, restriction
Internal host	Filters results for activity associated with internal hosts	N/A	Direction, restriction
Port speed	Filters results for the specified inbound and outbound port speeds	Inbound and outbound port speeds	N/A
Protocol	Filters results for communications using the selected protocol	Protocol	Restriction
Sample multiplier	Used to correct the report’s results for devices that use flow sampling	Multiplier value	N/A
Source/destination port	Filters results for the specified source or destination port(s)	Port number or range	Direction, restriction
Subnet to subnet	Filters results for activity between the specified subnet pair	Subnet pair addresses and masks	Restriction
TCP flags	Filters results for traffic with the selected TCP flag	TCP flag	Restriction
Type of Service	Filters results for traffic with the selected ToS	Type of service	Restriction
Well-known port	Filters results for the selected well-known port	Well-known port	Restriction
Wildcard mask	Filters results for the specified network and wildcard mask	Network address and mask	Direction, restriction

• Direction options: Source, destination, or both

• Restriction options: Include or exclude

Important

The additional filters that can be added to a report vary based on the selected devices/interfaces and report type. More filters may also become available when Scrutinizer has access to devices from certain vendors or is configured with additional integrations.

TCP flag filters

In the Report Type dropdown, you can run a TCP Flags report to retrieve information about the TCP flags set in TCP packets observed during a network analysis or packet capture.

To run the report, do the following:

1. Navigate to the Reports > Run Report page.

2. Select one of the two starting points to create a report.

Note

For more information, refer to the Creating/running reports section.

3. In the Report Type dropdown menu, select Designed Reports, and then select TCP Flags.

4. Configure the following settings:

   • Time Window

   • Display Type

5. In the Additional Filters field, select Advanced Filters.

6. In the Select Element field, select tcpcontrolbits.

7. Select Equal in the Select Comparison field, type in SYN, and then click Add.

8. Click Run Report.

Note

Setting this filter generates a TCP Flag report using the SYN (Synchronize) flag in TCP packets observed during a network analysis or packet capture.

Saved reports

After a report has been created and run, it can be saved and re-run at any time from the Reports > Saved Reports subtab. This page also functions as the management view for saved reports.

Saved reports can be re-run with either the same original configuration or modified settings. They can also be used to set up custom thresholds to trigger alarms and scheduled email reports.

Hint

Access to specific reports and/or report folders can be defined as part of user group permissions from the Admin > Users & Groups > User Groups page.

Saved report list

To re-run a saved report, click on the report name in the main view of the Saved Reports subtab. Filters, including report folders, can be applied to the list, and it can be displayed in a tabular list or as individual tiles.

Both viewing modes indicate whether the following functions have been enabled or configured for each saved report:

• Custom threshold

• Dashboard gadget

• Scheduled email

• Added to dashboard(s) as a gadget (count)

In addition, the list mode table also indicates the report type, the last-run timestamp, and the creator of each report.

Deleting saved reports

To delete one or more saved reports, select the report(s) using the checkboxes and select Delete in the bulk actions tray.

Report folders

After a report has been saved, it can be assigned to one or more user-created folders.

Report folders can be used to organize/filter reports in the Saved Reports view. They can also be used to simplify report access management through user group permissions.

Creating report folders

New folders can be created from the Saved Reports view as follows:

1. Click the report folders button.

2. In the Report Folders tray, click the add (+) button.

3. Enter a name for the new report folder in the secondary tray.

4. Click the Save button.

Once created, the report folder will be added to the list in the Report Folders tray.

Note

Existing report folders cannot be renamed. However, a new folder with the desired name can be created and populated with the same saved reports.

Adding saved reports to folders

There are three ways to assign saved reports to folders:

• When entering a name to save a report, use the dropdown to select a folder to assign it to (Unfoldered saves the report without adding it to any folders).

• In the Report Folders tray, click the edit (pencil) icon to make changes to the membership list of the selected folder.

• From the main Saved Reports view, select one or more saved reports using the checkboxes, and then use the Move to folder option in the Bulk Actions menu/tray.

Folder management

By default, the main Saved Reports view lists all saved reports accessible by the current user. To view only reports assigned to a specific folder instead, open the Report Folders tray and select the folder using the link icon.

The following functions can also be accessed via the folder list:

• Edit folder membership (edit/pencil icon)

• Delete folder (delete/bin icon)

Exporting reports

After a report is run, the results can be exported in PDF or CSV format from the Export (share button) tray in the output view.

Hint

PDF and or CSV copies of a report can also be attached to email reports.

Email reports

Once an email server has been configured, reports can be forwarded to any email address to provide external access to network data.

Email reports include a link to view the report in the Scrutinizer web interface. PDF and/or CSV copies of the report may also be attached.

On-demand reports

After any report is run, the results can be sent to one or more specified email addresses.

To send an email report, select Email Report in the export options tray (share button), and then enter the following details:

• Sender email address

• Recipient email address(es)

• Subject (optional)

• Message (optional)

Tick the appropriate checkbox(es) to attach PDF and/or CSV copies of the report results, if desired, and then click Send. A message confirming that the email report has been sent will be displayed.

Scheduled reports

Saved reports can be scheduled to run at specified intervals and sent to one or more recipients, enabling continuous network monitoring from any email inbox.

Hint

Configure a last X time range/window for a report to send/receive regular updates for any type of network metadata.

Creating a scheduled report

To set up a scheduled email report for a report:

1. Create, run, and save the report.

   Note

   Scheduled reports filtered on a specific date/time range will send either the same or no output when they are re-run.

2. In the output/results view, click the share button to open the export options tray.

3. Select Schedule Report.

4. In the secondary tray, enter/configure the following details:

   • A name for the scheduled report (used in the email subject line and for scheduled report management)

   • Recipient email address(es)

   • Frequency and exact minute on the hour that the email report should be re-run and sent

5. [Optional] Tick the appropriate checkbox(es) to attach PDF and/or CSV copies of the report results.

6. [Optional] Select additional reports to include in the scheduled email.

7. Click the Save button to save the scheduled email report configuration.

Once set up, a scheduled report will continue to be re-run and emailed at the scheduled intervals until it is disabled or deleted.

Note

New scheduled report configurations can be created from the management view, without having to run the saved report(s) beforehand. This can facilitate setting up multiple email configurations for reports that have been previously run/saved.

To create a new scheduled report from the management view, click the add (+) button and follow the steps above, starting from step 4.

Configurations can also be modified at any time by clicking the saved report name/subject to open the settings tray.

Scheduled report management

The Reports > Scheduled Reports subtab is the management view for scheduled report configurations. Scheduled reports can be created, reconfigured, and deleted from this page.

The table/list shows all current scheduled email reports and includes the following information for each configuration:

• Name/email subject

• Schedule details (frequency, time, day or date)

• Expected execution/run time

• Timestamp of the last run/email

• Configured recipient email addresses

One or more filters can also be applied to show only scheduled reports that match the defined criteria.

Deleting scheduled reports

To delete one or more scheduled reports that are no longer needed, use the checkboxes in the main view to select them, and then select Delete from the bulk actions tray.

Scheduled reports can also be temporarily disabled by ticking the Disable checkbox.

Report functions

Reports can be used to further enhance network monitoring and investigative workflows through the functions described below.

Report thresholds

Report thresholds allow you to monitor key metrics from saved reports and receive alarms when specific conditions are met. This feature helps you proactively detect unusual or critical traffic patterns without constantly checking the reports manually.

When you add a threshold to a saved report, the system automatically evaluates that report every 5 minutes, checking the last 5 minutes of data, regardless of the original timeframe set when the report was saved. This ensures thresholds always reflect the most recent network activity.

Note

Having a large number of active Report Threshold Violation alarms–particularly total reports (as opposed to rate)–may result in performance issues. The total number of concurrent report processes that can be run at a time for threshold checks can also be adjusted under Admin > Settings > Reporting.

Adding a threshold

1. Run and save a report, click the gear button to open the options tray, and then select Threshold.

2. In the Threshold settings tray, select whether the threshold should be applied per row or to the total of the calculated column.

3. Select the appropriate comparison operator (>= or <=) for the desired criteria.

4. Enter the numeric threshold value and choose the unit prefix (kilo-, mega-, or giga-).

5. From the dropdown menu, select the notification profile to trigger when the threshold exceeds or falls below the specified limits.

6. Click Save. Scrutinizer will now evaluate this threshold every 5 minutes for the latest 5 minutes of data.

Modifying or deleting a threshold

1. Re-run the saved report, and then click the Filters button in the output view.

2. In the Filters tray, locate the report threshold.

3. Click the pencil icon to modify the threshold or click the delete (X) icon to delete it.

Threshold evaluation

• Per-Row: Threshold checks are applied per row of the saved report. For example, if the report is saved with Top 50 results, the system can evaluate up to 50 rows. If a threshold condition is met on each row, up to 50 notifications could be generated.

• Total: Scrutinizer sums the values in your sorted column across all rows and compares the aggregate against the set threshold.

• Sorting Column: The threshold always applies to the column that the report is sorting or trending on. This ensures consistency between what you see in the report and what the threshold monitors.

• Directional Reports:

  • Bidirectional Reports: Threshold checks apply only to inbound values, even though the report shows both directions.

  • Outbound-Only Reports: If the report is saved as outbound, threshold evaluations target outbound values exclusively.

Threshold violations and notifications

When a threshold is violated, a Saved Report Threshold Alarm is generated under the Report Threshold Violation policy in Alarm Monitor. One or more notification profiles (email, SNMP, syslog, etc.) can be assigned to the alarm. For example, if the notification profile type is email, the full report will be emailed to you at the time of the violation. For more information, see the Notification profiles section.

Report gadgets

Reports can be added to dashboards as gadgets, enabling continuous active monitoring of any specified network traffic/activity.

To create/configure a dashboard gadget for a report, follow these steps:

1. Run the report (new or saved).

2. In the output/results view, open the export options tray and select Add to Dashboard (or Edit Gadget, if the gadget was previously configured).

3. Enter a name for the gadget. If the report has not been saved, it will be saved under the name entered.

4. Select a dashboard to add the gadget to from the Dashboard Tab dropdown. Select Don’t send to dashboard to manually add the report gadget to dashboards at a later time.

5. In the Type dropdown, select whether the gadget should show the report graph only, the table only, or both.

6. [Graph or Graph & Table] Select the gadget graph type and the report column to sort by.

7. [Table or Graph & Table] Use the checkboxes to select the columns to display in the gadget table.

8. [Optional] Expand the Display Options section of the tray to modify the default layout and behavior of the gadget.

9. Click the Save button to save the gadget configuration.

After a report gadget has been configured/saved, it will be included in the list of available gadgets when creating or editing a dashboard.

Note

• To view a report in a dashboard, the current user must be granted access to both the report and the dashboard(s) through their user group.

• If the default gadget name for a saved report is changed, a new saved report will automatically be created under that name. If the gadget is renamed multiple times, the saved reports are still created, but only the most recent name change is applied to the gadget.

Adding reports to collections

A collection can include one or more reports (in addition to alarms, events, and/or hosts) for review by the assignee(s).

To add a report to the current active collection:

1. Run the report.

2. In the results/output view, click the star button to open the collections menu.

3. Click the button a second time (after it turns into a + button).

If the report was previously added to the active collection, clicking a second time (- button) will remove it. To add the report to a different collection, select Manage Collections and then set that collection as active, before following the same steps. Reports can be included in multiple collections.

Reports in collections can be re-run directly from the collection summary page.

Creating forecasts

As part of the Plixer One Enterprise platform, Scrutinizer can further leverage the data aggregated by a report to generate a forecast of future traffic/activity.

A forecast can be generated after running any report by clicking the Save Forecast button. It can then be viewed via the main Investigate > Forecasts page.

To learn more about creating, viewing, and managing forecasts, see this section of this documentation.

To create a new forecast, click the Save Forecast button in the report output/results view.