Yes, it's already added on aggregation fields.
fieldCustom1 = $anotherField_or_Variable
the right way to assign values to a field?
I've only tried with the "alias field", but I don't see why it shouldn't be OK with the uppercase function.
In one of my real uses (extracted from the XML package export):
On the Aggregation tab:
<Variable TableAlias="event1" Column="myOriginalAgentID" /> ---> the variable
<Variable TableAlias="event1" Column="originalAgentId" /> ----> the field I want to extract from the event
On the Action tab:
<SetEventField EventFieldName="deviceCustomString6" EventFieldValue="$myOriginalAgentID" />
On the Variables tab:
<DependentVariable FunctionName="alias_field" FieldName="myOriginalAgentID" FieldDisplayName="myOriginalAgentID">
<FunctionFieldVariable Column="originalAgentId" />
</DependentVariable>
Hope this helps...
I just deleted it and did it again and it's begun to work properly.
BTW, what other fields can I use to 'save' other info?
Thanks to all
I'd like to help you, but IDK how to, yet.
Maybe this can help you; on an Active Channel it'd be something like:
target address = x.x.x.x and device vendor != ArcSight
If you get events, that device is receiving events; else not.
On a rule it doesn't work because it needs events; if no events are received, the rule won't fire (that's why I opened this thread, but due to connectors).
I'll try to investigate it; maybe someone here can help us.
Have a rule update an active list. The active list should have a short expiration time. You update the active list with the system you want to track (host, connector, etc.). Then you have a second rule that triggers when an AL entry expires. This worked very well for us monitoring IDS, MS, syslog.
There is an ArcSight internal event that is triggered when an AL entry expires. I don't remember the name of the events. You can create an active channel looking for ArcSight internal events and find them.
Mmm, I'm looking but I don't find anything similar.
I only find events like these ones:
User deactivated the rule: xxx
Activating the rule xxx: The rule is under control
Deactivating the rule xxx: The number of Correlated alerts created is too high
I'd be glad if you can give us the internal name.
Thanks in advance, Neil.
Search for "audit events" in the online help, and you'll get a list of them. I think the device event class id starts with activelist:.
Actually this is the event's name: "ActiveList entry expired"
But here comes another question: how can I know which entry has expired?
EventName starts with ActiveList or DeviceEventCategory starts with ActiveList. See if either of these works.
Create an Active list with a short TTL and when an entry expires open an active channel to look for it.
I can see it in deviceCustomString4; the entry value appears there (I only have to apply substring functions).
Applied to my case, I can do a rule that inserts into the AL the names of the connectors that are 'up' and a 2nd rule that triggers when one entry has expired.
Thanks a lot, Neil. As I told you, it's a nice idea; I hope to implement it correctly.
Kevin, I hope that this could be useful for you.
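The two-rule pattern discussed in this thread (rule 1 refreshes a short-TTL active list entry for every connector that sends a non-ArcSight event, rule 2 fires on the "ActiveList entry expired" audit event and pulls the entry out of deviceCustomString4) can be simulated outside ESM to check the logic before building it. The following is an added example, not code from the thread or from ArcSight; the event field names, the "entry=<value>" format in deviceCustomString4 and the sample events are constructed assumptions, not the product's exact schema.

```python
from datetime import datetime, timedelta
# Constructed sample. Field names (agentName, deviceVendor, deviceCustomString4)
# and the "entry=<value>" format are approximations of ESM, not its exact schema.
TTL = timedelta(minutes=10)
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "agentName": "conn-A", "deviceVendor": "Cisco"},
    {"time": T0, "agentName": "conn-B", "deviceVendor": "Cisco"},
    {"time": T0 + timedelta(minutes=5), "agentName": "conn-A", "deviceVendor": "Cisco"},
    {"time": T0 + timedelta(minutes=12), "agentName": "conn-A", "deviceVendor": "Cisco"},
    # ESM's own audit traffic must not count as a heartbeat (the vendor != ArcSight filter)
    {"time": T0 + timedelta(minutes=12), "agentName": "conn-B", "deviceVendor": "ArcSight"},
]

class ActiveList:
    def __init__(self, ttl):
        self.ttl, self.entries = ttl, {}  # key -> time of last refresh
    def upsert(self, key, now):
        self.entries[key] = now
    def expire(self, now):
        """Drop stale entries, emitting one 'ActiveList entry expired' audit event each."""
        gone = [k for k, t in self.entries.items() if now - t > self.ttl]
        for k in gone:
            del self.entries[k]
        return [{"name": "ActiveList entry expired", "deviceCustomString4": f"entry={k}"}
                for k in gone]

def rule_connector_up(event, al):
    """Rule 1: every non-ArcSight event refreshes its connector's AL entry."""
    if event["deviceVendor"] != "ArcSight":
        al.upsert(event["agentName"], event["time"])

def rule_entry_expired(audit_event):
    """Rule 2: fire on the expiry audit event and substring out the connector name."""
    if audit_event["name"] != "ActiveList entry expired":
        return None
    return audit_event["deviceCustomString4"].split("entry=", 1)[1]

def find_silent_connectors(events, ttl=TTL, tick=timedelta(minutes=1)):
    # Replay events in time order, expiring the AL every tick; return alerted names.
    al, alerts, idx = ActiveList(ttl), [], 0
    events = sorted(events, key=lambda e: e["time"])
    now, end = events[0]["time"], events[-1]["time"]
    while now <= end:
        while idx < len(events) and events[idx]["time"] <= now:
            rule_connector_up(events[idx], al)
            idx += 1
        alerts += [n for n in map(rule_entry_expired, al.expire(now)) if n]
        now += tick
    return alerts
```

With the sample stream, conn-B stops sending after T0 and its entry expires at T0+11 min, so only conn-B is alerted; conn-A keeps refreshing its entry inside the TTL.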