
ESM REST API results for aggregated base events always have count of 0

Hello all,

I'm using the ArcSight ESM's REST API (https://esm:8443/www/manager-service/rest/SecurityEventService/getSecurityEvents) to collect event information with an external script. ESM v6.9.1.

The WSDL file describing the securityEvent schema shows 3 fields that appear to hold 'count' information: aggregatedEventCount, baseEventCount, and correlatedEventCount. I'm retrieving base events, so it looks like aggregatedEventCount is the important one.

For base events that have type "BASE", aggregatedEventCount is always 1, as expected.

For base events that have type "AGGREGATED", aggregatedEventCount is always 0. This is clearly incorrect. The same issue occurs on multiple ESMs that were set up independently, so I don't think it's an issue with the settings of the manager.

From within the Console, I can clearly see that the events DO have an aggregated count greater than 0.

Has anyone else encountered this issue? Any thoughts on how to get the real aggregated event count through the API?
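An added example (not code from the post or from ArcSight) showing how a collection script can defend itself against the symptom described above: it sums the count fields returned by getSecurityEvents but refuses to silently treat an AGGREGATED event reporting aggregatedEventCount 0 as zero events, flagging it for a manual Console check instead. It assumes the events have already been fetched and parsed into dicts keyed by the WSDL field names, that the event type lives in a field called `type`, and that `eventId` identifies an event; the sample events are constructed.

```python
"""Sanity-check the count fields of events fetched from ESM's
getSecurityEvents REST call. Added example, not part of the original post.
Assumes each event is a dict carrying the WSDL field names
'aggregatedEventCount', 'baseEventCount', 'correlatedEventCount', plus an
assumed 'type' field ("BASE"/"AGGREGATED") and an assumed 'eventId'."""
from typing import Dict, List, Tuple

# Constructed sample mirroring the symptom in the post: BASE events report
# aggregatedEventCount 1, one AGGREGATED event reports 0 although the Console
# shows a real count, and one AGGREGATED event reports a plausible count.
SAMPLE_EVENTS: List[Dict] = [
    {"eventId": 1001, "type": "BASE", "aggregatedEventCount": 1,
     "baseEventCount": 0, "correlatedEventCount": 0},
    {"eventId": 1002, "type": "AGGREGATED", "aggregatedEventCount": 0,
     "baseEventCount": 0, "correlatedEventCount": 0},
    {"eventId": 1003, "type": "AGGREGATED", "aggregatedEventCount": 7,
     "baseEventCount": 0, "correlatedEventCount": 0},
]


def audit_counts(events: List[Dict]) -> Tuple[int, List[int]]:
    """Return (trusted_total, suspect_ids).

    trusted_total sums aggregatedEventCount only where the value is
    plausible. An AGGREGATED event with a count of 0 cannot be right (an
    aggregate stands for at least one event), so it is reported as suspect
    rather than counted as zero, which would silently under-report volume."""
    trusted_total = 0
    suspect_ids: List[int] = []
    for ev in events:
        count = int(ev.get("aggregatedEventCount", 0))
        ev_type = ev.get("type")
        if ev_type == "BASE":
            # A base event stands for exactly one event; never count fewer.
            trusted_total += max(count, 1)
        elif ev_type == "AGGREGATED":
            if count <= 0:
                suspect_ids.append(ev["eventId"])
            else:
                trusted_total += count
    return trusted_total, suspect_ids


if __name__ == "__main__":
    total, suspects = audit_counts(SAMPLE_EVENTS)
    print(f"trusted total: {total}; events needing a Console check: {suspects}")
```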

