gregcmartin Absent Member.

ArcSight Pro Tip #4 - Variable Evaluate Velocity Template (If / Then / Else)

Today's Pro Tip is on a very powerful ESM Variable: Evaluate Velocity Template (EVT) which allows you to leverage the Velocity Template Language within a resource such as a Rule or Query.

Let us take a look at how to use the EVT variable to apply the classic programming logic (If/Then/Else) to replace a blank device hostname with a device's IP address in a rule action. Of course you can adapt this method to solve all kinds of problems and use other EVT functions, which we will cover in future Pro Tips.

First within your rule add the fields you would like to use in your EVT as aggregate fields.

[Screenshot: aggregated.png]

Next add a new EVT local variable (EVT is located in the String category).

[Screenshot: checkhostnull.png]

Now you get a simple Text Box to enter in your values:

#if ($deviceHostName != "")$deviceHostName #elseif ($deviceHostName == "")$deviceAddress#end

Make sure you enter it all on one line (EVT does not know how to evaluate newline characters). Also make sure there is whitespace after each function, i.e. #if<space>($blah)

[Screenshot: checkhostnull-fix.png]

Now use the rule Action "Set Event Field" to overwrite deviceHostname with the EVT variable "checkhostnull".

[Screenshot: checknullhost3.png]

And finally add $checkhostnull variable as an aggregated field.

[Screenshot: aggregated2.png]

That's all there is to it...

Hope this helps you develop some killer content!

Greg

@threatstream

http://www.threatstream.com
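As an added example (not part of the post, and not ArcSight's own code): a small Python mini-evaluator for the #if/#elseif/#else/#end subset used in the template above, run against two constructed sample events, plus a lint for the two constraints the post calls out (single line, whitespace after each directive). It goes slightly beyond the post by also handling #else; the function names render, lint and substitute and the sample events are assumptions of this example.

```python
import re

# Constructed sample events (not from the post): one with a hostname, one with it blank.
EVENTS = [{"deviceHostName": "web01", "deviceAddress": "10.0.0.5"},
          {"deviceHostName": "", "deviceAddress": "10.0.0.9"}]
# The EVT template exactly as written in the post.
TEMPLATE = '#if ($deviceHostName != "")$deviceHostName #elseif ($deviceHostName == "")$deviceAddress#end'
# Condition subset handled by the mini-evaluator: ($field == "lit") / ($field != "lit"); rest is body.
COND = re.compile(r'^\s*\(\s*\$(\w+)\s*(==|!=)\s*"([^"]*)"\s*\)(.*)$', re.S)


def lint(template):
    """Flag the two pitfalls the post warns about: newlines, and no whitespace after #if/#elseif."""
    problems = []
    if "\n" in template or "\r" in template:
        problems.append("template must be on a single line")
    for m in re.finditer(r'#(if|elseif)(?=\S)', template):
        problems.append("missing whitespace after #%s at offset %d" % (m.group(1), m.start()))
    return problems


def substitute(text, event):
    """Replace $field references with the event's value (blank when the field is absent)."""
    return re.sub(r'\$(\w+)', lambda m: str(event.get(m.group(1), "")), text)


def render(template, event):
    """Evaluate one level of #if/#elseif/#else/#end against an event; literal text passes through."""
    parts = re.split(r'(#if|#elseif|#else|#end)', template)
    out, taken, i = [], None, 0  # taken: None outside a block, True once a branch has fired
    while i < len(parts):
        tok = parts[i]
        if tok in ("#if", "#elseif", "#else"):
            body, hit = parts[i + 1], True
            if tok != "#else":
                m = COND.match(body)
                if not m:
                    raise ValueError("unsupported condition: %r" % body)
                field, op, literal, body = m.groups()
                hit = (str(event.get(field, "")) == literal) == (op == "==")
            if taken is not True:  # only the first true branch of a block emits its body
                taken = hit
                if hit:
                    out.append(substitute(body, event))
            i += 2
        elif tok == "#end":
            taken, i = None, i + 1
        else:
            out.append(substitute(tok, event))
            i += 1
    return "".join(out)
```

Note that the space before #elseif in the post's template is literal body text, so the hostname branch renders with a trailing space.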


3 Replies
jared1
New Member.

Re: ArcSight Pro Tip #4 - Variable Evaluate Velocity Template (If / Then / Else)

this is awesome, keep em' coming!

int32 Absent Member.

Re: ArcSight Pro Tip #4 - Variable Evaluate Velocity Template (If / Then / Else)

It's a shame that useful things like loops are broken (deliberately from what I can tell) in ESM's implementation of velocity.

mjohnston Absent Member.

Re: ArcSight Pro Tip #4 - Variable Evaluate Velocity Template (If / Then / Else)

An additional tip (maybe deserves its own post - hopefully this one will show up in relevant searches)...

Refer to the log file /opt/arcsight/manager/logs/default/velocity.log to see any velocity parsing/evaluation errors.

Also, keep in mind that Velocity math and boolean operators work only on integers. You'll get an error in the log if the object isn't an integer. This comes into play especially when you're trying to perform math on numbers that are in fields that normally contain strings. Use type conversion local variables to convert to Integer, and then refer to that local variable in the velocity expression.

Additionally, there's a bug involving Active Lists. If you use a local/global variable to retrieve an Integer active list value, then attempt to use that value in a velocity expression, you'll get the "must be an Integer" exception, even though the active list entry was an Integer. To work around this, use local variables for type conversion to convert the value into a string, then back into an integer. You may then use the value in Velocity expressions.
