I recently had the challenge of having to do an external mapping DB lookup, but needed to use a join condition for my results. Not much attention has been paid to the more complex queries that sometimes need to be done in order for these things to work. So I decided to share what I came up with so as to help anyone else out who has a similar need.

First I mapped an event EVENTID to externalID and used that value in my query. There are many ways to do this; I chose to do it through the console.

extmap.0.properties to include join condition.

jdbc.class=sun.jdbc.odbc.JdbcOdbcDriver      - MSSQL. I believe it will be different for Oracle and other DBs.
jdbc.url=jdbc:odbc:Arcsight_myodbc            - This is the ODBC we created for a connector on the machine, so I used it and it works; documentation will state to create an ODBC string.

jdbc.password=myobfuscatedpw                  - This is the obfuscated pw created using the Arcsight utility.

jdbc.query=select a.primarykey as primarykey, a.field1 as field1, b.field2 as field2 from table1 as a JOIN table2 as b on a.field1 = b.field3 \
where a.primarykey in (?\u0000?)

b.field3 is the key on the second table needed to get b.field2.

field1 gets mapped to setter0
field2 gets mapped to setter1

KB should be written on these more complex queries in addition to the easy ones.
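A check worth running before deploying a join-based lookup like the one above, as an added example that is not part of the original post or of ArcSight: it runs the same join against constructed sample rows and reports which key values would get no mapping or more than one candidate row. It assumes the connector fills the IN (...) list with a batch of externalID values; sqlite3 stands in for the MSSQL database, and the helper names (build_db, lookup, audit) are hypothetical.

```python
import sqlite3

# Constructed sample data; table and column names follow the query in the post.
SCHEMA = """
CREATE TABLE table1 (primarykey TEXT PRIMARY KEY, field1 TEXT);
CREATE TABLE table2 (field3 TEXT, field2 TEXT);
INSERT INTO table1 VALUES ('1001','hostA'), ('1002','hostB'), ('1003','hostC');
INSERT INTO table2 VALUES ('hostA','Finance'), ('hostB','Lab'), ('hostB','DMZ');
"""

# Same join as jdbc.query; only the IN list placeholder differs (plain "?" marks).
QUERY = (
    "select a.primarykey as primarykey, a.field1 as field1, b.field2 as field2 "
    "from table1 as a JOIN table2 as b on a.field1 = b.field3 "
    "where a.primarykey in ({marks}) order by a.primarykey, b.field2"
)

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def lookup(db, keys):
    """Run the join for a batch of keys, each bound as a parameter."""
    if not keys:
        return {}
    marks = ",".join("?" for _ in keys)
    result = {}
    for pk, f1, f2 in db.execute(QUERY.format(marks=marks), list(keys)):
        result.setdefault(pk, []).append((f1, f2))
    return result

def audit(db, keys):
    """Return (keys with no joined row, keys with more than one joined row)."""
    found = lookup(db, keys)
    missing = [k for k in keys if k not in found]
    ambiguous = sorted(k for k, rows in found.items() if len(rows) > 1)
    return missing, ambiguous

if __name__ == "__main__":
    db = build_db()
    keys = ["1001", "1002", "1003", "9999"]
    print(lookup(db, keys))
    print(audit(db, keys))
```

Keys in the first list produce no row from the inner join, either because they are absent from table1 or because their field1 has no match in table2, so field1 and field2 would not be set for those events. Keys in the second list match several table2 rows, so the mapped field2 depends on which row is used.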

  • h and No it's not really documented well anywhere, like most of ArcSight doc, but I did talk to Hector Aguilar about this issue so we will see what happens.

  • Please see the presentation esm tips and trick for the location of this file.  Yes, I believe it can be done with any connector; this was done for an epo Orchestra connector.

    I believe the dir is something like


    You have to create the agent_id folder and extmap folder.

  • I was not even aware of the possibility to make an extmap... Is it documented somewhere? Where do you put your extmap.properties file exactly? Does it work with any kind of connector (including flexconnectors)? What can you do with it: only SQL queries or some other things?

