How Trends Work

A trend references a query, specifies a schedule on which the query automatically triggers, and provides mechanisms for efficiently storing, viewing, and leveraging the trend results for reporting. The trend results are stored in a trend table in the ArcSight database and can therefore be queried.

You can set trends to run indefinitely or to end at a specified date and time. A trend can start by retrieving historical data from logs, start with current events, or start at a specified time in the future. You can also specify advanced options on how and when to build tables and store data.

After trend data is collected, you can view the results in the Data Viewer table and generate a trend report that displays the results in tables and graphs.

Depending on the data gathered by the base query, the trend is either a snapshot trend or an interval trend.