h and No it's not really documented well anywhere, like most of ArcSight doc, but I did talk to Hector Aguilar about this issue so we will see what happens.
I recently had the challenge of having to do an external mapping db lookup, but needed to use a join condition for my results. Not much attention has been paid to the more complex queries that sometimes need to be done in order for these things to work. So I decided to share what I came up with so as to help anyone else out who has a similar need.
First I mapped an event EVENTID to externalID and used that value in my query. There are many ways to do this; I chose to do it through the console.
extmap.0.properties to include join condition.
jdbc.class=sun.jdbc.odbc.JdbcOdbcDriver - MSSQL; I believe it will be different for Oracle and other DBs.
jdbc.url=jdbc:odbc:Arcsight_myodbc - This is the ODBC we created for a connector on the machine, so I used it and it works; documentation will state to create an ODBC string.
jdbc.password=myobfuscatedpw - This is the obfuscated pw created using the ArcSight utility.
jdbc.query=select a.primarykey as primarykey, a.field1 as field1, b.field2 as field2 from table1 as a JOIN table2 as b on a.field1 = b.field3 \
Where a.primarykey in (?\u0000?)
b.field3 is the key on the second table needed to get b.field2.
field1 gets mapped to setter0
field2 gets mapped to setter1
A KB should be written on these more complex queries in addition to the easy ones.
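
An added example, not part of the original post and not ArcSight code: a pre-deployment check of the join query above, since an inner JOIN returns several rows for a primarykey when b.field3 is not unique and no row when table2 has no match. It assumes an in-memory SQLite stand-in for the real database, constructed sample rows, bound parameters in place of the connector's placeholder, and a hypothetical helper named check_lookup.

```python
import sqlite3

# The poster's query shape. The IN list is filled with bound parameters here
# instead of the connector's (?\u0000?) placeholder.
QUERY = ("select a.primarykey as primarykey, a.field1 as field1, b.field2 as field2 "
         "from table1 as a JOIN table2 as b on a.field1 = b.field3 "
         "where a.primarykey in ({marks})")


def build_sample_db():
    """Constructed sample data standing in for the real lookup database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table table1 (primarykey text primary key, field1 text);
        create table table2 (field3 text, field2 text);
        insert into table1 values ('4624','hostA'),('4625','hostB'),('4688','hostC');
        insert into table2 values ('hostA','finance'),
                                  ('hostB','hr'),('hostB','legal');
    """)
    return db


def check_lookup(db, keys):
    """Run the join lookup and return (rows_by_key, ambiguous_keys, missing_keys)."""
    keys = list(keys)
    if not keys:
        return {}, [], []
    marks = ",".join("?" for _ in keys)  # one bound parameter per key
    rows = db.execute(QUERY.format(marks=marks), keys).fetchall()
    by_key = {}
    for primarykey, field1, field2 in rows:
        by_key.setdefault(primarykey, []).append((field1, field2))
    # More than one row per key: the join fanned out, so field2 is ambiguous.
    ambiguous = sorted(k for k, v in by_key.items() if len(v) > 1)
    # No row at all: the key is unknown or the join found no table2 match.
    missing = sorted(k for k in keys if k not in by_key)
    return by_key, ambiguous, missing


if __name__ == "__main__":
    by_key, ambiguous, missing = check_lookup(
        build_sample_db(), ["4624", "4625", "4688", "9999"])
    print("rows per key:", by_key)
    print("ambiguous keys (join fan-out):", ambiguous)
    print("keys with no mapped values:", missing)
```

Keys reported as ambiguous need a tighter join condition or a unique b.field3 before the mapped values can be trusted; keys reported as missing get no field1 or field2 values from the lookup.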