drbeanz Absent Member.

Accessing Current Time ($Now) with a Variable

I have a use case where I want to compare a timestamp field in an Active List entry to the current time (like Python's datetime.datetime.now()) using TimeDifferenceInMinutes - only to discover that ArcSight has no equivalent of the $Now variable to give me the current time in a datetime format.

I tried to create something by:

  • Using a Velocity template (Rule, Active Channel, or Data Monitor only) to write the current date (using something like https://velocity.apache.org/tools/devel/javadoc/org/apache/velocity/tools/generic/DateTool.html). But: ArcSight will write it into a String field, and there's no way to convert a string (or integer, for that matter) to a timestamp value.
  • Using a Query/Trend to get the most recent event every X minutes (query returning the hourly equivalent) - but Trends can only be scheduled hourly.
  • Using a Scheduled Rule to get an event and write endTime to an Active List - but Rules can also only be scheduled hourly.

Do you have any other ideas about how to determine how much time has elapsed between a timestamp value and the current time?

Accepted Solutions
Michel Beaudry Outstanding Contributor.

Re: Accessing Current Time ($Now) with a Variable

Jordan,

A new function is available in ESM 6.8, as stated on page 8 of ESM_RelNotes_6.8c:

and there were alternatives before, such as https://protect724.hp.com/message/55834#55834

Regards,

Michel
