Frequent Contributor.

Concatenate an output value from conditionalmap

Hello everyone!

I've made a Flex syslog subagent parser.

In this Flex, I put the following StringConstant:

token[2].name=SybaseEventID
token[2].type=String

 

event.deviceCustomString5=SybaseEventID



And I’m making it more readable:

conditionalmap.count=1
conditionalmap[0].field=event.deviceCustomString5
conditionalmap[0].mappings.count=2
conditionalmap[0].mappings[0].values=46
conditionalmap[0].mappings[0].event.categoryOutcome=__stringConstant("Log Out")
conditionalmap[0].mappings[1].values=45
conditionalmap[0].mappings[1].event.categoryOutcome=__stringConstant("Log In")



It works, but I’m now trying to use this String to put it in the Name field.

event.name=__concatenate(categoryOutcome," : ",__simpleMap(Eventmod,"0=No modifier for this event","1=Ok, the event passed permission checking","2=Warning, the event failed permission checking"))


The objective is to put in the "Name" field something like: “Log Out : Ok, the event passed permission checking”
But it seems I can’t collect values from categoryOutcome. I only get “ : Ok, the event passed permission checking”. How can I use the categoryOutcome output to put it in my “Name” field?

Thank you for the help

Honored Contributor.

No idea, but possibly the conditional map is being evaluated last (or at the very least "later") so those values do not yet exist for the 'name' mapping...?  If so, I bet an actual map file would work (since they operate after the parser).  Check out parser like expressions in map files in the flex guide.

Frequent Contributor.

Hello,

Yes, maybe you're right. It's just too bad there's so little documentation on a professional product. We come to assume things...
Too bad, I'm dropping this optimization since I don't know how to use map files to do this job.

Honored Contributor.

Try this, hopefully it'll work, or at least get you close.

1.  Map "Eventmod" token to flexString1 (or any field of your choosing, but be sure to update the below w/ the new field).

2.  Input the following text into $CONN_HOME/current/user/agent/map/map.0.properties

set.expr(name|categoryOutcome|flexString1).event.name
"__concatenate(categoryOutcome,"" : "",__simpleMap(flexString1,""0=No modifier for this event"",""1=Ok, the event passed permission checking"",""2=Warning, the event failed permission checking""))"

 

The only potential issue is that simplemap... Usually you look up against a token (which I highly doubt would work in a map file), so instead we'll try to look up against a field.   Check for errors in the logs if this doesn't work.  HTH.
