muzaffer.mohamm1 Absent Member.

Arcsight Report query

Can anybody help me understand what's wrong with this query? It produces blank/empty results, while I can search the same data from the search page.

select events.arc_deviceProduct,events.arc_deviceVersion,events.arc_destinationAddress,events.arc_destinationHostName,events.arc_destinationUserName,events.arc_deviceAddress,events.arc_deviceHostName,events.arc_eventId,events.arc_message,events.arc_requestUrl,events.arc_sourceAddress,events.arc_sourceHostName,events.arc_sourceUserId,events.arc_sourceUserName,events.arc_eventTime,events.arc_deviceName,events.arc_receiptTime,events.arc_receiver from events where events.arc_receiver = "Rx-SAP" AND events.arc_deviceProduct != "ArcSight"

The above doesn't return any error, only blank output with headings.

I get data when I enter this filter in the search page: receiver = "Rx-SAP" AND deviceVendor != "ArcSight"

Micro Focus Expert

Re: Arcsight Report query

Does your query test out OK if you use the 'results' tab? This is a good way to check if your query is written without syntax errors.

Sometimes the quick fix is to change the report SCAN LIMIT to Zero (0) and run the report.

shukla
New Member.

Re: Arcsight Report query

If you get output in the Results tab, then the issue might be that you missed selecting and saving the fields from the Fields tab while running the report.

I guess you are generating a report from Logger.

- Deepak shukla

muzaffer.mohamm1 Absent Member.

Re: Arcsight Report query

Thanks Aaron,

For example, I use the query below:

SELECT events.*
FROM events WHERE events.arc_receiver = "Rx-SAP" AND events.arc_deviceVendor != "ArcSight"

I get a blank result with only the fields/columns. I made sure the scan limit is '0', selected all fields while running the report, and saved the query and report very carefully. The most frustrating part is that it runs for more than an hour and returns blank output!!! (I fetch data only for the last 24 hours.) The Results tab in the query object also returns blank output.

If I run a similar query in the Search Page (receiver = "Rx-SAP" AND deviceVendor != "ArcSight"), I get the desired results instantly.

What am I doing wrong??

Appreciate your help.

Muzaffer...
