I have a use case where I want to compare a timestamp field in an Active List entry to the current time (like Python's datetime.datetime.now()) using TimeDifferenceInMinutes - only to discover that ArcSight has no equivalent of the $Now variable to give me the current time in a datetime format.
I tried to create something by:
- Using a Velocity template (Rule, Active Channel, or Data Monitor only) to write the current date (using something like https://velocity.apache.org/tools/devel/javadoc/org/apache/velocity/tools/generic/DateTool.html). But ArcSight will write it into a String field, and there's no way to convert a string (or integer, for that matter) to a timestamp value.
- Using a Query/Trend to get the most recent event every X minutes (query returning the hourly equivalent) - but Trends can only be scheduled hourly.
- Using a Scheduled Rule to get an event and write endTime to an Active List - but Rules can also only be scheduled hourly.
Do you have any other ideas about how to determine how much time has elapsed between a timestamp value and the current time?