ArcSight Pro Tip #4 - Variable Evaluate Velocity Template (If / Then / Else)

Today's Pro Tip is on a very powerful ESM Variable: Evaluate Velocity Template (EVT), which allows you to leverage the Velocity Template Language within a resource such as a Rule or Query.

Let us take a look at how to use the EVT variable to apply the classic programming logic (If/Then/Else) to replace a blank device hostname with the device's IP address in a rule action. Of course you can adapt this method to solve all kinds of problems; other EVT functions will be covered in future Pro Tips.

First within your rule add the fields you would like to use in your EVT as aggregate fields.

[Screenshot: aggregated.png]

Next add a new EVT local variable (EVT is located in the String category).

[Screenshot: checkhostnull.png]

Now you get a simple Text Box to enter in your values:

#if ($deviceHostName != "")${deviceHostName}#else${deviceAddress}#end

Make sure you enter it all on one line (EVT does not know how to evaluate newline characters). Also make sure there is a white space after each function, i.e. #if<space>($blah). Keep the text immediately after each branch free of stray spaces, since anything between the directives and the references is copied into the output.

[Screenshot: checkhostnull-fix.png]

Now use the rule Action "Set Event Field" to overwrite deviceHostName with the EVT variable "checkhostnull".

[Screenshot: checknullhost3.png]

And finally add the $checkhostnull variable as an aggregated field.

[Screenshot: aggregated2.png]
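Before wiring the variable into a rule action, it is worth checking what the one-liner actually produces for the edge cases (hostname populated, hostname an empty string, hostname absent). The Java program below is an added example and not code from this post or from ArcSight: it renders an EVT-style template with the stock Apache Velocity engine against constructed sample events and prints each result in brackets so stray whitespace is visible. The class name EvtCheck, the sample values, and the null-safe template variant are assumptions; ESM embeds its own Velocity build, so the same cases should be confirmed there as well.

```java
import java.io.StringWriter;
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;

/**
 * Added example, not code from the post or from ArcSight: render EVT-style
 * one-line templates with the stock Apache Velocity engine so each branch can
 * be checked against sample events before the rule is deployed. Assumes
 * Velocity 1.7 or 2.x on the classpath; ESM ships its own Velocity build, so
 * confirm the same cases there (velocity.log shows evaluation errors).
 */
public class EvtCheck {

    /** Template in the form used in the post: fall back to the address when the hostname is "". */
    static final String HOST_OR_ADDRESS =
        "#if ($deviceHostName != \"\")${deviceHostName}#else${deviceAddress}#end";

    /**
     * Hardened variant (an assumption, not from the post): the extra "$deviceHostName &&"
     * sends a missing/null hostname down the address branch too, because #if on a
     * null reference is false in Velocity, whereas comparing null with "" is not reliable.
     */
    static final String HOST_OR_ADDRESS_NULL_SAFE =
        "#if ($deviceHostName && $deviceHostName != \"\")${deviceHostName}#else${deviceAddress}#end";

    private final VelocityEngine engine = new VelocityEngine();

    EvtCheck() {
        engine.init();
    }

    /** Render one template against one event's aggregated fields. */
    String render(String template, Map<String, Object> fields) throws Exception {
        VelocityContext ctx = new VelocityContext();
        for (Map.Entry<String, Object> f : fields.entrySet()) {
            ctx.put(f.getKey(), f.getValue());
        }
        StringWriter out = new StringWriter();
        // The log tag only labels error messages; the template string is parsed in place.
        engine.evaluate(ctx, out, "evt-check", template);
        return out.toString();
    }

    /** Constructed sample events (not real data) covering the three hostname states. */
    static Map<String, Map<String, Object>> sampleEvents() {
        Map<String, Map<String, Object>> events = new LinkedHashMap<>();

        Map<String, Object> named = new LinkedHashMap<>();
        named.put("deviceHostName", "fw01.example.test");
        named.put("deviceAddress", "10.0.0.1");
        events.put("hostname populated", named);

        Map<String, Object> blank = new LinkedHashMap<>();
        blank.put("deviceHostName", "");
        blank.put("deviceAddress", "10.0.0.2");
        events.put("hostname empty string", blank);

        Map<String, Object> missing = new LinkedHashMap<>();
        missing.put("deviceAddress", "10.0.0.3");   // no deviceHostName key at all
        events.put("hostname absent (null)", missing);

        return events;
    }

    public static void main(String[] args) throws Exception {
        EvtCheck evt = new EvtCheck();
        for (Map.Entry<String, Map<String, Object>> e : sampleEvents().entrySet()) {
            System.out.println("== " + e.getKey());
            System.out.println("  post-style template : [" + evt.render(HOST_OR_ADDRESS, e.getValue()) + "]");
            System.out.println("  null-safe template  : [" + evt.render(HOST_OR_ADDRESS_NULL_SAFE, e.getValue()) + "]");
        }
    }
}
```

Compile and run it with the Velocity jar (and its dependencies) on the classpath. The bracketed output makes it obvious whether a template leaks a leading or trailing space into the field, and the third case shows which of the two templates still returns the address when the hostname reference is entirely absent rather than an empty string.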

That's all there is to it...

Hope this helps you develop some killer content!

Greg

@threatstream

http://www.threatstream.com


  • It's a shame that useful things like loops are broken (deliberately from what I can tell) in ESM's implementation of velocity.

  • An additional tip (maybe deserves its own post - hopefully this one will show up in relevant searches)...

    Refer to the log file /opt/arcsight/manager/logs/default/velocity.log to see any velocity parsing/evaluation errors.

    Also, keep in mind that Velocity math and boolean operators work only on integers. You'll get an error in the log if the object isn't an integer. This comes into play especially when you're trying to perform math on numbers that are in fields that normally contain strings. Use type conversion local variables to convert to Integer, and then refer to that local variable in the velocity expression.

    Additionally, there's a bug involving Active Lists. If you use a local/global variable to retrieve an Integer active list value, then attempt to use that value in a velocity expression, you'll get the "must be an Integer" exception, even though the active list entry was an Integer. To work around this, use local variables for type conversion to convert the value into a string, then back into an integer. You may then use the value in Velocity expressions.