aguida79 Trusted Contributor.

Concatenate data from multiple different base event fields into a single field in a correlated event

Hi,

First of all, sorry for my English, it is really bad :-S

Does anybody know if it is possible to concatenate data from multiple different base event fields into a single field in a correlated event?

We are making a rule that searches for blocked user events. The rule searches for 4 events in 30 seconds. So we need to put all the destinationUserNames of these base events, concatenated, in (for example) the destinationUserName field of the correlated event, to send a notification with this information. Is this possible?

Thanks in advance for your help,


Alejandro

scottlsattler
New Member.

Did you try a match / join rule, and match on the events within the time frame?

aguida79 Trusted Contributor.

Hi Scott,

Can you give me more detail or an example of the match / join rule that you are talking about? I can't figure out how to make it.

Thanks for your help.

scottlsattler
New Member.

Does this look like what you are looking for?

aguida79 Trusted Contributor.

Hi Scott,

I didn't understand you when you talked to me about a match / join rule. I already made that type of rule, and the problem I'm having is that the 4 events I'm using are the same, and I don't know exactly how I can "consume" the event after the first match. The first event matches with the second event, the third event, and the fourth event. But after that, the second event matches with the third event, the fourth, and the first event again. And then I have a lot of correlated events, not just one, and the base events are four.


I'm attaching the rule, so you can see it and give me your advice:

JoinRule.png


I forgot to mention that I already tried the "Consume after match" option on each event (in the screenshot you don't see it because I was doing some tests and forgot to set that option again before taking the screenshots).

With the "Consume after match" option, I brought the correlated events down from hundreds to 24 correlated events when the rule fires.

Thanks in advance,


Alejandro
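
The problem discussed in this thread, modelled in plain Python as an added example; it is not from the posters, not ArcSight rule syntax, and not a description of how the ESM engine works internally. It contrasts a self-join of four interchangeable events, which matches once per ordering, with a single-condition aggregation that consumes its events and emits one correlated event carrying the concatenated user names. The sample events, function names and output field layout are assumptions made for the illustration.

```python
from itertools import permutations

WINDOW_SECONDS = 30   # "4 events in 30 seconds", from the question
THRESHOLD = 4

# Constructed sample base events: (epoch seconds, destinationUserName)
SAMPLE_EVENTS = [
    (100, "alice"), (105, "bob"), (112, "carol"), (127, "dave"),
    (300, "erin"),  # isolated lockout, must not contribute to a match
]

def join_matches(events, window=WINDOW_SECONDS, aliases=THRESHOLD):
    """Model of a self-join with identical conditions on every alias:
    each ordered assignment of distinct events to the aliases is a match
    when all of them fall inside one window."""
    return [combo for combo in permutations(events, aliases)
            if max(t for t, _ in combo) - min(t for t, _ in combo) <= window]

def aggregate(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Single-condition aggregation: fire once when `threshold` events sit
    inside `window`, consume them, and carry the joined user names."""
    correlated, pending = [], []
    for ts, user in sorted(events):
        # Age out base events that no longer fit in the window.
        pending = [(t, u) for t, u in pending if ts - t <= window]
        pending.append((ts, user))
        if len(pending) >= threshold:
            # Preserve first-seen order and drop repeated user names.
            users = list(dict.fromkeys(u for _, u in pending))
            correlated.append({
                "endTime": ts,
                "destinationUserName": ",".join(users),
                "baseEventCount": len(pending),
            })
            pending = []  # consume the base events so they cannot match again
    return correlated

if __name__ == "__main__":
    # 4 interchangeable events into 4 aliases: 4! = 24 ordered matches
    print("join matches:", len(join_matches(SAMPLE_EVENTS)))
    for event in aggregate(SAMPLE_EVENTS):
        print("correlated:", event)
```
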
