Advanced Rule - using Local Variables and the NOT IN Active List condition
So I have a Rule that reads IIS logs.
The Log is parsed with a Local Variable that runs in the Rule.
This Variable splits out the USER NAME from the IIS server Log, and the Request Client Application.
The Variable then uses a Velocity Template to create a field called EMP_IDs. This field and Request Client Application are then placed into a New Active List for Unapproved Users as long as the Fields are not already found in the Active List embedded in the Rule.
These two fields should then be matched against the NOT IN Active List Condition, which is an Active List of those same verified fields that have been approved for using this application.
Currently the Rule is functioning; however, it does not appear to catch the names or devices in the NOT IN Active List condition.
Can you verify that unmatched entries are being added to the active list via the rule actions?
You should also verify that the variables are declared in the rule aggregation tab. (If the add to active list action fails, missing aggregation may be why). Lookup issues may also arise if you try to do the inActiveList lookup on a variable that is not aggregated.
Another thing to try is a local variable 'get active list value' and put in a rule condition of "[activelist-key-field].[local-variable] IS NULL". This condition will be null if the value is not in the activelist, and will return the value itself if it is in the list (which is a NOT IS NULL condition as well). Of course the inActiveList condition is more efficient than a local variable for your production content, but this may help you troubleshoot. You can also take the lookup value and alias it into a flex field and look at the correlated event to see what is returned. To do this, add a 'set event field action' in the actions tab, select an unused field (like flexString1) as $variablename, and then see what is populated into that field in your correlated event. There may be a syntax error in the active list (like leading spaces or case sensitivity).
Good Luck and post/reply if this does not get you the desired result; we will find a fix for you.
Can you post your variables please? If you are using a split function in a velocity template you may have a type mismatch between the array value and the value in the active list... If you post the variables I can see if this is a problem that I have seen in the past and can hopefully help out.
So the hang-up was in the coding of the In Active List Rule. On the old Express 4 patch 1 Express it would match based on the ending Variable condition from the evaluate Velocity Template and save the evaluated Variable EMP_IDs as the original Alias, sourceUN.
On the new Express 6.9.1 box the In Active List Condition sets the Variable field to match condition. Initially, from the older appliance, we saved sourceUN in the Active List along with Request Client Application as Device.
Since I had all the variables aggregating correctly, I examined the Active List Condition statement. I set that to the Evaluate template variable of (EMP_IDs) instead of sourceUN and the rule is not correctly firing per device per user.
So now the next step is to Evaluate and rewrite the Request Client Application field to just track the Device and not the Device/(Version or Build of the OS on the Device) as some of them can get updated too often and will lead to false-negative hits.
I am going to create a new local variable to run on that field using the same criteria as the reparse for the Source User name field, as the delimiter is the same: either a / or a \.
Once I get this all ironed out I will detail out the Use Case scenario: filtering, rule, lists, alerting and reporting aspects.
This is a monitor use case for Outlook Mobile Access - by user and device, and also device breakdown - Apple, Android, Windows Mobile.
See below: this was corrected by matching the Active List field values in the main filter area to the evaluated EMP_IDs and not the post-processing sourceUN.
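
The key mismatch worked through in this thread, as an added Python example that is not part of the original posts and is not ArcSight content: an allowlist lookup only works when the looked-up value has the same form as the stored key (delimiter split, no stray spaces, one case, no device version). The sample events, the approved list and all function names are constructed assumptions.

```python
import re

# Constructed "approved" list: keys are stored in normalized form
# (EMP_ID, device) -- lower case, no domain prefix, no version/build.
APPROVED = {("jsmith", "apple-iphone4c1"), ("adoe", "android")}

# Constructed events: (source user name, request client application).
EVENTS = [
    ("CORP\\jsmith", "Apple-iPhone4C1/1002.329"),
    ("corp/JSmith ", "Apple-iPhone4C1/1104.201"),  # other delimiter, case, space
    ("CORP\\adoe", "Android/4.4.2"),
    ("CORP\\mlee", "Android/5.0"),                 # not approved
]

_DELIMS = re.compile(r"[\\/]")  # the thread's delimiters: "/" or "\"


def emp_id(source_user):
    """Token after the last delimiter, trimmed and lower-cased."""
    return _DELIMS.split(source_user.strip())[-1].strip().lower()


def device(client_app):
    """Token before the first delimiter, so version/build churn is ignored."""
    return _DELIMS.split(client_app.strip())[0].strip().lower()


def not_in_list(events, normalize):
    """Return distinct (user, device) keys that are NOT in APPROVED."""
    seen, out = set(), []
    for user, app in events:
        key = (emp_id(user), device(app)) if normalize else (user, app)
        if key not in APPROVED and key not in seen:
            seen.add(key)
            out.append(key)
    return out


if __name__ == "__main__":
    # Raw fields never equal the stored keys, so every event looks unapproved.
    print("raw lookup:       ", not_in_list(EVENTS, normalize=False))
    # Normalized fields match the stored form; only the real outlier remains.
    print("normalized lookup:", not_in_list(EVENTS, normalize=True))
```
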